Standing should not stop data breach suit, civil liberties group says

May 20, 2016

Consumers whose personal information was accessed in a cyberattack should not have to show someone stole their identities or ruined their credit to have standing to sue the hacked company, according to a friend-of-the-court brief filed in a federal appeals court.

Washington-based Electronic Privacy Information Center, or EPIC, asks the 3rd U.S. Circuit Court of Appeals to allow a class action against national payroll firm Paytime Inc. to move forward.

About a year ago, U.S. District Judge John E. Jones III of the Middle District of Pennsylvania dismissed two consolidated lawsuits against Paytime, finding the plaintiffs never showed they had standing to sue in federal court.

EPIC, a public interest group focused on privacy and civil liberties issues, says the 3rd Circuit should reverse this holding.

The plaintiffs met this procedural hurdle when they alleged the data breach caused them an “injury in fact,” EPIC argues.

They did not have to prove downstream consequences of the hack and that they had their identities stolen or their credit damaged to show they had standing, the brief says.

“Raising standing barriers to legitimate claims will only allow the continued escalation of identity theft in the United States,” EPIC says in its brief, arguing litigation is an important avenue for the victims to seek redress against companies with lax data security measures.

Article III standing

Paytime offers payroll processing services nationwide to various companies. It collects personal and financial information from thousands of people, including their full legal names, addresses, bank information, Social Security numbers and dates of birth, according to Judge Jones’ order.

Unknown hackers accessed Paytime’s network April 7, 2014. The company discovered the security breach about three weeks later and did not begin informing affected people until May 12, 2014, the judge said.

The affected individuals — current and former employees of companies that used the payroll processing service — sued Paytime for negligence, breach of contract, and violations of Pennsylvania’s unfair-trade-practices and consumer protection laws in two lawsuits.

Paytime moved to dismiss both cases, arguing Daniel B. Storm and the other plaintiffs had no standing to sue in federal court. Judge Jones agreed with the company.

Article III of the U.S. Constitution required the plaintiffs to allege the data breach at Paytime caused them actual or imminent injuries, but they never claimed any definite or “certainly impending” misuse of the hacked data, Judge Jones said.

Instead, they maintained the data breach increased their risk of identity theft and fraud and caused them to spend time monitoring their bank and financial accounts, he said.

“Allegations of increased risk of identity theft are insufficient to allege a harm,” Judge Jones wrote, supporting his decision with binding 3rd Circuit precedent, Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011).

The plaintiffs could not move forward on behalf of a proposed class of more than 200,000 people whose financial information was allegedly compromised in the breach, the judge ruled.

Storm and other class plaintiffs filed a notice of appeal with the 3rd Circuit in November.

Recent data breaches and Reilly

“This court could not have known when it issued its decision in Reilly that data breaches and identity theft would be one of the leading sources of harm to American consumers,” EPIC argues in its brief supporting the appeal and reversal of Judge Jones’ decision.

More than 17 million Americans had their identities stolen in 2014, costing consumers more than $15 billion, EPIC’s brief says, citing statistics from the Department of Justice.

In 2015 the Federal Trade Commission reported receiving almost 500,000 complaints from consumers about identity theft, a 47 percent increase from the previous year, the brief says.

The courts must hold accountable companies that collect personal and financial information, but fail to adopt reasonable data protection measures, EPIC says.

“Many data breaches are avoidable; companies that collect and store sensitive information are in the best position to take the reasonable measures necessary to protect the data,” the amicus brief says.

Judge Jones required a showing of actual or imminent harm, but the harm from a data breach may go unnoticed for years and still carry long-term consequences for consumers, especially when hackers have accessed Social Security numbers or medical information, EPIC says.

“Courts have now recognized that individuals whose personal information was stolen need not prove damages before they get through the courthouse door,” the brief says, citing a recent decision from the 7th Circuit, Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015).

Companies also should minimize the data they collect, implement industry-standard cybersecurity practices and build cultures emphasizing security, EPIC argues.

“Without the appropriate allocation of liability, there is little reason for a company to invest in prevention and mitigation,” the brief says.

Storm et al. v. Paytime Inc., No. 15-3690, amicus brief filed (3d Cir. Apr. 18, 2016).