Bolster Data Breach Claim by Actual Misuse: Rules Pennsylvania District Court

Recently, in the two consolidated cases of Storm v. Paytime, Inc. and Holt v. Paytime Harrisburg, Inc., 14-cv-1138, 2015 U.S. Dist. LEXIS 31286, the District Court of Pennsylvania dismissed a class action brought over a data breach and the alleged misuse of data. The ruling favors companies that have suffered third-party data breaches, at the very initial stage of such a claim. The class action alleged a breach of data protection by Paytime Inc., a national payroll processing services company with clients throughout the United States. The plaintiffs claimed that over 233,000 Paytime Inc. clients faced the risk of identity fraud because an unknown third-party hacker breached Payroll’s computer systems, accessing confidential personal and financial information.

Case Summary –

On June 13, 2014, Daniel Storm, along with other purported class plaintiffs, filed an action under Federal Rule of Civil Procedure 23 against Paytime, Inc., asserting negligence and breach of contract claims (Storm) for alleged injury resulting from a data breach of Paytime’s computer systems on April 7, 2014. Paytime Inc. had entered into contracts with the Storm plaintiffs’ former and current employers for payroll processing. By the nature of those contracts, Paytime Inc. possessed the plaintiffs’ confidential personal and financial information. The plaintiffs alleged that, as a result of the data breach, third-party hackers gained access to the confidential personal and financial information that had been submitted to Paytime through the plaintiffs’ employers. A few days later, on June 27, 2014, Barbara Holt, along with other purported class plaintiffs, also filed an action against Paytime Inc., alleging breach of contract and claims under Pennsylvania’s Unfair Trade Practices and Consumer Protection Law (Holt) for the same data breach. On February 18, 2015, the two cases were consolidated. Subsequently, Paytime moved to dismiss both cases. In dismissing the actions, Judge John E. Jones held that the plaintiffs had not pleaded specific facts suggesting that they have legal standing to pursue the class actions over the data breach.

The Court’s Findings –

In deciding this case, the District Court for the Middle District of Pennsylvania relied heavily on the prior judgment of the United States Court of Appeals for the Third Circuit in Reilly v. Ceridian Corp., 664 F.3d 38 (2011). Judge John E. Jones ruled that the plaintiffs needed to show personal injury that was fairly traceable to the defendant’s allegedly unlawful conduct [and that could] be redressed by the requested relief. More specifically, that injury must be ‘actual’ or ‘imminent,’ not ‘conjectural’ or ‘hypothetical’. Likewise, in the context of data breaches, the Third Circuit in Reilly held that, “in the event of a data breach, a plaintiff does not suffer a harm, and thus does not have standing to sue, unless [the] plaintiff alleges actual ‘misuse’ of the [plaintiff’s] information, or that such misuse is imminent.” The court did not find either alleged injury compelling, seeing no factual distinction between the Paytime plaintiffs and the Reilly plaintiffs. Further, the Court opined that, despite the data breach, the plaintiffs were unable to allege that they suffered any actual injury as a result of it, such as their bank accounts being accessed, credit cards being opened in their names or Social Security numbers being used to impersonate them, and that they therefore lacked standing to bring their claim. The judge expressed sympathy for the victims of data theft, while also stating:[1] “[W]hen a data breach occurs, especially one intentionally done by a hacker, it is not unreasonable for the victims to feel that a wrong has clearly been committed. But has there been an actionable harm that is cognizable in federal court?” The plaintiffs alleged that, as a result of the data breach, they and the proposed class members “are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”

Overall, considering the entire case, it is very clear that the Paytime Inc. decision, drawing on previously decided cases, takes the view that the plaintiff(s) must show that the information which was acquired maliciously was actually misused. The court concluded that it would be overzealous and unduly burdensome to subject companies to claims by thousands of customers based upon the mere possibility that identity theft could occur as a result of the breach. Although the consolidated cases were dismissed, Judge Jones noted that any plaintiff will be free to bring a suit once a clear injury can be pled as a result of the data breach, and stated:[2] “Courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to be able to successfully read and manipulate the data and engage in identity theft.”


[2] Ibid. F.N. 1
