Privacy Case of the Week Newsletter Issue #1-2012
Todd Ruback January 5th, 2012
Privacy Case of the Week Newsletter
Issue #1-2012
January 5, 2012
Todd B. Ruback, Esq., CIPP/US, CIPP/IT
This issue of the Privacy Case of the Week Newsletter features a precedential case in the Third Circuit, Reilly v. Ceridian Corporation, No. 11-1738 (3rd Cir., December 12, 2011), a class action data breach case,in which the 3rd Circuit Court of Appeals affirmed an order of US District Court for the District of New Jersey granting the Defendant’s motion to dismiss for lack of standing and failure to state a claim. In following the growing trend among numerous Federal courts, the Court of Appeals held that the Appellants lacked standing and did not reach the merits of a substantive issue. (For some such cases see, Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1051-1053(E.D. Mo. 2009), Key v. DSW, Inc., 454 F. Supp 2d 684, 690 (S.D. Ohio 2006)).
Ceridian is a payroll processing company based in Minnesota. They collect personal information about employees of their customers in order to issue payroll checks and withhold taxes. The Appellants were employees of a law firm, which was a customer of Ceridian. In 2009 Ceridian suffered a security breach when an unknown computer hacker gained access to the Appellants’ personal information, as well as the personal information of approximately 27,000 other employees of Ceridian customers. Ceridian performed an investigation of the security breach and as a result sent notification letters to the individuals whose personal information may have been accessed. In 2010 the Appellants filed a lawsuit against Ceridian in the US District Court for the District of New Jersey alleging that they had an increased risk of identity theft, had incurred costs to monitor their credit activity and had suffered emotional distress. Ceridian soon after filed a motion to dismiss for lack of standing and failure to state a claim. The District Court granted the motion to dismiss, holding that the Appellants lacked Article III standing under the US Constitution, and further held that even if the Appellants had standing, they nonetheless failed to adequately allege the damages, injury and ascertainable loss elements to their claim. Appellants appealed.
The Court of Appeals, in agreeing with the District Court, held that allegations of hypothetical, possible future injury did not establish standing (injury-in-fact) under Article III of the US Constitution. As part of its analysis the Court of Appeals stated that ‘Constitutional standing requires an “injury-in-fact, which is an invasion of a legally protected interested that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.” Danvers Motor Co. v. Ford Motor Co., 432 F.3rd 286, 290-291 (3rd Cir. 2005) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992).’ The Court of Appeals further stated that the “Appellants’ contentions rely on speculation that the hacker: (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and(3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants’ names. Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus no harm.”
Appellants, in trying to convince the court to go against the growing trend of dismissal for lack of standing in class action breach litigation, relied principally on Piscotta v. Old National Bancorp, 499 F.3rd 629 (7th Cir. 2007) and Krottner v. Starbucks Corp., 628 F. 3rd 1139 (9th Cir. 2010), whereby those courts conferred standing. Here, however, the Court of Appeals found those cases had little persuasive value.
In both Pisciotta and Krottner the threatened harms were significantly more imminent and certainly impending. In distinguishing those two cases from Ceridian the Court of Appeals stated that ‘In Pisciotta there was evidence that “the [hacker’s] intrusion was sophisticated, intentional and malicious. 499 F. 3rd at 632. In Krottner, someone attempted to open a bank account with a plaintiff’s information following the physical theft of the laptop. See 628 F.3rd at 1142. Here, there is no evidence that the intrusion was intentional or malicious. Appellants have alleged no misuse, and therefore, no injury. Indeed, no identifiable taking occurred; all that is known is that a firewall was penetrated. Appellants’ string of hypothetical injuries do not meet the requirement of an “actual or imminent” injury.” ‘
DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, PC (www.dbnjlaw.com ) is a full service law firm in New Jersey which provides a broad range of legal services, including the representation of clients in privacy matters. For additional information about the matters in this bulletin or in the firm’s Privacy and Technology Law Group, please contact Todd B. Ruback, Esq., CIPP, CIPP/IT.
Todd B. Ruback, Esq., CIPP, CIPP/IT is chair of the Privacy and Technology Law Group at the law firm of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, P.C. He is also chairman of the Privacy Special Committee of the New Jersey State Bar Association. He represents insurance carriers as a data breach attorney, providing incident response services and defense litigation. He also performs privacy audits to determine the gaps and maturity of a company’s privacy processes, as well as implements privacy best practices. He can be reached at 908-757-7800 x196 or by email at truback@newjerseylaw.net.
The information contained in this blog is intended solely for informational purposes; it is a advertising publication of DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis, Lehrer & Flaum P.C.This publication is intended to alert recipients of developments in the law and is not intended to provide legal counsel, advice or opinion on any specific facts or circumstances. The contents are intended as general information only. You are urged to consult a member of this firm or your own attorney concerning your particular situation and any specific legal questions you might have.
- Insurance Law , NJ Business , Privacy Law , Technology Law , Uncategorized
- Comments Off