
Tuesday, December 20, 2011

Reilly et al v. Ceridian, 11-1738 (3d Cir. 2011)

Ceridian is a payroll processing firm.  To process its commercial business customers' payrolls, Ceridian collects information about its customers' employees.  This information may include employees' names, addresses, social security numbers, dates of birth, and bank account information.

Reilly and Pluemacher were employees of the Brach Eichler law firm, a Ceridian customer, until September 2003.  Ceridian entered into contracts with Appellants' employer and the employers of the proposed class members to provide payroll processing services.

On or about December 22, 2009, Ceridian suffered a security breach.  An unknown hacker infiltrated Ceridian's Powerpay system and potentially gained access to personal and financial information belonging to Appellants and approximately 27,000 employees at 1,900 companies.

On October 7, 2010, Appellants filed a complaint against Ceridian, on behalf of themselves and all others similarly situated.  Appellants alleged that they: (1) have an increased risk of identity theft, (2) incurred costs to monitor their credit activity, and (3) suffered from emotional distress.

Ceridian filed a motion to dismiss pursuant to Rules 12(b)(1) and 12(b)(6) for lack of standing and failure to state a claim.  The District Court granted Ceridian's motion, holding that Appellants lacked Article III standing.  Reilly and Pluemacher appealed.

The Third Circuit Court of Appeals concluded that Appellants' allegations of hypothetical, future injury did not establish standing under Article III.

Article III limits courts' jurisdiction to actual cases or controversies.  One element of this bedrock requirement is that plaintiffs must establish that they have standing to sue.  It is the plaintiffs' burden, at the pleading stage, to establish standing.  Although general factual allegations of injury resulting from the defendant's conduct may suffice, the complaint must still clearly and specifically set forth facts sufficient to satisfy Article III.

The question of standing is whether the litigant is entitled to have the court decide the merits of the dispute or of particular issues.  Constitutional standing requires an injury-in-fact, which is an invasion of a legally protected interest that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.  An injury-in-fact must be concrete in both a qualitative and temporal sense.  The complainant must allege an injury to himself that is distinct and palpable, as distinguished from merely abstract, and the alleged harm must be actual or imminent, not conjectural or hypothetical.

Allegations of possible future injury are not sufficient to satisfy Article III.  Instead, a threatened injury must be "certainly impending," and proceed with a high degree of immediacy, so as to reduce the possibility of deciding a case in which no injury would have occurred at all.  A plaintiff therefore lacks standing if his injury stems from an indefinite risk of future harms inflicted by unknown third parties.

In this increasingly digitized world, a number of courts have had occasion to decide whether the "risk of future harm" posed by data security breaches confers standing on persons whose information may have been accessed.  Most courts have held that such plaintiffs lack standing because the harm is too speculative.  The Third Circuit agreed with the holdings in those cases.  Here, no evidence suggests that the data has been - or will be - misused.  The present test is actuality, not hypothetical speculations concerning the possibility of future injury.  Appellants' allegations of an increased risk of identity theft resulting from a security breach are therefore insufficient to secure standing.