Reilly Ex Rel. Pluemacher v. Ceridian Corp.
2011 U.S. App. LEXIS 24561
| 3rd Cir. | 2011Background
- Ceridian suffered a December 22, 2009 data breach exposing personal/financial information of ~27,000 individuals across ~1,900 companies.
- Reilly and Pluemacher sued on behalf of themselves and others similarly situated for increased identity theft risk, monitoring costs, and emotional distress.
- Ceridian moved to dismiss on standing and failure to state a claim; the district court dismissed for lack of standing.
- Ceridian sent breach notification on January 29, 2010 offering one year of credit monitoring and identity theft protection.
- Plaintiffs alleged future, hypothetical injuries from possible misuse of hacked data; district court held they lacked standing; Third Circuit affirmed.
- Court clarified standing requires actual or imminent, not conjectural, injury; alleged future harms were not sufficiently imminent or certain.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether plaintiffs have Article III standing to sue. | Reilly/Pluemacher allege increased risk of harm and costs. | Ceridian asserts no concrete, imminent injury; harm is speculative. | No standing; injuries were hypothetical and not imminent. |
| Whether alleged increased risk of identity theft constitutes injury-in-fact. | Increased risk from data breach is an injury. | Risk alone is not an injury without actual misuse. | Risk alone does not satisfy injury-in-fact. |
| Whether costs of credit monitoring confer standing. | Monitoring costs show injury. | Costs from monitoring speculative; not due to actual harm. | Monitoring costs do not establish standing. |
| Whether Pisciotta/Krottner justify standing in data breach cases. | Credible threat of harm supports standing. | Those cases are distinguishable; no imminent harm here. | Distinguishable; they do not control here. |
Key Cases Cited
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (U.S. Supreme Court (1992)) (injury must be concrete and imminent)
- Whitmore v. Arkansas, 495 U.S. 149 (U.S. Supreme Court (1999)) (allegations of possible future injury do not satisfy Art. III)
- City of Los Angeles v. Lyons, 461 U.S. 95 (U.S. Supreme Court (1983)) (injury must be certainly impending)
- Storino v. Borough of Point Pleasant Beach, 322 F.3d 293 (3d Cir. 2003) (future damages too conjectural to confer standing)
- Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007) (threatened injury allowed in some contexts but here insufficient)
- Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (credible threat not controlling where harms are not imminent)
- Amburgy v. Express Scripts, Inc., 671 F.Supp.2d 1046 (E.D. Mo. 2009) (data breach standing limited when no actual misuse)
- Key v. DSW Inc., 454 F.Supp.2d 684 (S.D. Ohio 2006) (standing in data breach context requires actual injury)
- Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1 (D.D.C. 2007) (out-of-pocket monitoring costs did not confer standing)
- In re Paoli R.R. Yard PCB Litig., 916 F.2d 829 (3d Cir. 1990) (toxic-tort/medical monitoring analogies not controlling here)
- Sutton v. St. Jude Med. S.C., Inc., 419 F.3d 568 (6th Cir. 2005) (monetary/monitoring damages in medical contexts; distinguishable)