On December 12, 2011, the United States Court of Appeals for the Third Circuit affirmed a decision that employees of Ceridian Corporation’s (“Ceridian’s”) customers did not have standing to sue Ceridian after the payroll processing firm suffered a data breach.
In December 2009, a hacker may have gained access to personal and financial information of Ceridian’s customers, including names, addresses, Social Security numbers, dates of birth and bank account information. Although it is not known if the hacker read, copied or understood the data, Ceridian sent notification letters to affected individuals informing them of the breach and offering to provide one year of complimentary credit monitoring and identity theft protection.
The appellants, who were employees of a law firm that was a former customer of Ceridian, filed a complaint alleging that, as a result of the breach, they experienced an increased risk of identity theft, incurred costs to monitor credit activity and suffered emotional distress. The U.S. District Court for the District of New Jersey granted Ceridian’s motion to dismiss for lack of standing and failure to state a claim.
On appeal, the Third Circuit affirmed the dismissal, agreeing with the district court that “allegations of a hypothetical, future injury do not establish standing under Article III.” The court noted that the appellants relied on speculation that the hacker: (1) read, copied and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of appellants by making unauthorized transactions. According to the court, “[u]nless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.”
In support of its conclusion, the Third Circuit cited cases that were dismissed because the alleged future harm was deemed “neither imminent nor certainly impending,” distinguishing decisions in Pisciotta v. Old National Bancorp and Krottner v. Starbucks in which there was evidence that the threatened harms were significantly more “imminent” and “certainly impending.” The court also held that the appellants’ analogies to defective medical device, toxic substance and environmental injury cases were not valid on several grounds, including because such cases involve an actual physical injury, hinge on human health concerns and cannot necessarily be remedied by monetary compensation.
In May 2011, we reported on Ceridian’s settlement with the Federal Trade Commission over charges the FTC filed against Ceridian in connection with the 2009 breach. As part of the resulting consent order, Ceridian is prohibited from making misleading claims regarding its privacy practices and is required to maintain a comprehensive information security program.