It seems that in such a technologically dependent society, where digital information is everywhere, unauthorized access to computer databases (commonly referred to as “hacking”) is an all too common occurrence. However, as the recent Third Circuit decision in Reilly v. Ceridian Corp. illustrates, a company’s security breach that results in the exposure of hundreds of individuals’ personal information does not necessarily result in an automatic “harm” worthy of compensation.
In Reilly v. Ceridian Corp., Ceridian Corporation was a payroll processing firm. In order to process its customers’ payrolls, Ceridian collected personal information of its customers’ employees, which in some instances included an employee’s name, address, social security number, date of birth, and bank account information. One of Ceridian’s customers was the Brach Eichler law firm, where the plaintiffs, Kathy Reilly and Patricia Pluemacher, were both employed. On December 22, 2009, disaster struck when an unknown hacker infiltrated Ceridian’s records systems. While it is unknown whether the hacker read, copied, or understood the data he or she had access to, it was clear that the hacker potentially gained access to the personal and financial information of approximately 27,000 employees, including Reilly and Pluemacher. Ceridian contacted the potential victims to inform them of the situation, but for Reilly and Pluemacher, contact from Ceridian was simply not enough. Reilly and Pluemacher filed a claim in the United States District Court for the District of New Jersey on behalf of all of Ceridian’s potential victims. Reilly and Pluemacher claimed that the security breach exposed them to an increased risk of identity theft and required them to spend additional time and money monitoring their credit activity. The District Court, however, granted Ceridian’s motion to dismiss, stating that Reilly, Pluemacher, and the other potential victims lacked standing because their claims failed to present a “case or controversy.” The Court of Appeals for the Third Circuit affirmed.
The Third Circuit agreed that the potential victims failed to establish adequate standing under Article III of the Constitution to bring their claim to federal court. Article III limits federal courts to only hear actual “cases or controversies” that might arise. Part of that requirement is a showing of “injury-in-fact,” or what the Supreme Court described in Danvers Motor Co. v. Ford Motor Co. as an invasion of a legally protected interest that is (1) concrete and particularized, and (2) actual or imminent, not conjectural or hypothetical. The Third Circuit felt that the potential victims’ allegations were too speculative. In order for the potential victims’ claim to adequately have standing, the court would have to assume that the hacker had actually read, copied or understood the personal information, had intended to commit future criminal acts by misusing the information, and had the capabilities of making unauthorized transactions with that information. Without these facts, no harm was suffered and, thus, no claim existed.
The court went on to dismiss Reilly and Pluemacher’s argument that security breaches were similar to “defective-medical-device” or “toxic-substance-exposure” claims. First, with defective-medical-device claims, where a medical device has been implanted into a body with a quantifiable potential of failure, the damage is apparent when a risky medical device is implanted, but the “quantifiable” damage has just not yet occurred. This is not so with a security breach, where the potential victim’s information is the same today as it was when the breach occurred. Second, defective-medical-device or toxic-substance-exposure cases deal with human health concerns. In the Third Circuit’s eyes, physical injury is of a greater concern than digital injury.
The Third Circuit did not affirm the district court without first acknowledging the novel concerns security breaches present in an increasingly digitized world. Some courts, like the Seventh Circuit in Pisciotta v. Old National Bancorp, have held that an increased risk of identity theft is itself a harm sufficient to confer standing. In Pisciotta, plaintiffs were granted standing after a bank’s website had been hacked, even though no direct financial loss or identity theft had occurred. The Ninth Circuit in Krottner v. Starbucks Corp., in somewhat different circumstances, also held that a credible threat of real, immediate harm occurred when a laptop containing personal information was stolen from a Starbucks. However, the Third Circuit refused to extend such justification to the potential victims of Ceridian.
While no actual injury was found for Reilly and Pluemacher, the case is not always the same for victims of security breaches. If you believe that an injury was the result of a security breach, you should consult with a lawyer, as you might be entitled to compensation.
If you have been injured, call the Berniard Law Firm at 504-521-6000 and speak with an attorney who can help you apply the most effective trial strategy to your case and obtain the recovery you deserve.