In Reilly v. Ceridian Corp., — F.3d —-, 2011 WL 6144191 (3rd Cir. 2011), the Court of Appeals for the Third Circuit held that fear of identity theft is not a compensable loss conferring Article III standing litigants in federal court. The case arose from the following facts. Ceridian is a payroll processing firm. To process its commercial business customers’ payrolls, Ceridian collects information about its customers’ employees. This information may include employees’ names, addresses, social security numbers, dates of birth, and bank account information. Plaintiffs were employees of the Brach Eichler law firm, a Ceridian customer, until September 2003. Ceridian entered into contracts with Appellants’ employer and the employers of the proposed class members to provide payroll processing services. On December 22, 2009, Ceridian suffered a security breach. An unknown hacker infiltrated Ceridian’s Powerpay system and potentially gained access to personal and financial information belonging to Appellants and approximately 27,000 employees at 1,900 companies. It is not known whether the hacker read, copied, or understood the data. Working with law enforcement and professional investigators, Ceridian determined what information the hacker may have accessed. On about January 29, 2010, Ceridian sent letters to the potential identity theft victims, informing them of the breach: “[S]ome of your personal information … may have been illegally accessed by an unauthorized hacker …. [T]he information accessed included your first name, last name, social security number and, in several cases, birth date and/or the bank account that is used for direct deposit.” Ceridian arranged to provide the potentially affected individuals with one year of free credit monitoring and identity theft protection. Individuals had until April 30, 2010, to enroll in the free program, and Ceridian included instructions on how to do so within its letter.
The Plaintiffs filed a class action alleging that they: (1) have an increased risk of identity theft, (2) incurred costs to monitor their credit activity, and (3) suffered from emotional distress. The Court of Appeals found no Article III standing, explaining:
We conclude that Appellants’ allegations of hypothetical, future injury are insufficient to establish standing. Appellants’ contentions rely on speculation that the hacker: (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants’ names. Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm. ¶ . . . In this increasingly digitized world, a number of courts have had occasion to decide whether the “risk of future harm” posed by data security breaches confers standing on persons whose information may have been accessed. Most courts have held that such plaintiffs lack standing because the harm is too speculative. See Amburgy v. Express Scripts, Inc., 671 F.Supp.2d 1046, 1051–1053 (E.D.Mo.2009); see also Key v. DSW Inc., 454 F.Supp.2d 684, 690 (S.D.Ohio 2006). We agree with the holdings in those cases. Here, no evidence suggests that the data has been—or will ever be—misused. The present test is actuality, not hypothetical speculations concerning the possibility of future injury. Appellants’ allegations of an increased risk of identity theft resulting from a security breach are therefore insufficient to secure standing. See Whitmore, 495 U.S. at 158 (“[A]llegations of possible future injury do not satisfy the requirements of Art. III.”).