Storm v. Paytime, Inc., 90 F. Supp. 3d 359

Paytime, a national payroll processor, experienced an April 7, 2014 security breach that was discovered April 30; Paytime later notified affected persons and offered 12 months of free credit monitoring.
Plaintiffs are current/former employees of Paytime clients whose personal data (names, SSNs, bank account data, DOBs, addresses) were allegedly accessed by unknown third parties; plaintiffs seek class treatment (≈233,000 persons).
Plaintiffs allege increased and imminent risk of identity theft, out‑of‑pocket/time costs to monitor/protect accounts, and some specific harms (e.g., Wilkinson’s temporary suspension of security clearance and increased commute expenses).
Paytime moved to dismiss under Fed. R. Civ. P. 12(b)(1) and 12(b)(6), arguing lack of Article III standing; the Court considered a facial 12(b)(1) challenge.
The court applied the Third Circuit’s data‑breach standing rule from Reilly: plaintiffs must allege actual misuse of the data or that misuse is certainly impending; generalized increased risk is insufficient.
The court dismissed the consolidated actions without prejudice for lack of standing, concluding plaintiffs pleaded neither actual misuse nor a certainly impending misuse of their data.

Issue	Plaintiff's Argument	Defendant's Argument	Held
Article III standing (injury in fact from data breach)	Breach and unauthorized access create a concrete, imminent injury (increased risk of identity theft; costs to protect themselves).	Allegations of access/"misappropriation" without any actual misuse are speculative and do not show an actual or certainly impending injury.	Dismissed for lack of standing; speculative risk is insufficient.
Alleged actual damages (Wilkinson’s lost time/commute expense)	Wilkinson incurred concrete, compensable costs when his clearance was suspended and he worked at a different site.	Preventive or precautionary costs taken in reaction to a non‑certain risk cannot manufacture Article III standing.	Dismissed: Wilkinson’s costs were precautionary and do not establish standing absent misuse.
Privacy injury from unauthorized access	Unauthorized access to confidential data itself injures privacy interests.	Plaintiffs do not allege the hacker viewed, read, or used the data; mere access without proof of exposure or misuse does not establish a privacy invasion for standing.	Dismissed: no allegation that hacker viewed/read/used data; privacy injury not shown.
Remedyability / redressability (implicit)	Injunctive relief and damages could redress alleged risks and costs.	Without an actual injury or certainly impending misuse, courts lack a case or controversy to redress.	Court did not reach merits; lack of standing defeated jurisdiction.

Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (in data‑breach suits plaintiffs must allege actual misuse of data or that misuse is certainly impending to establish Article III injury)
Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013) (threatened injuries must be certainly impending; costs incurred to guard against speculative harms do not confer standing)
Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (foundational Article III standing principles: injury in fact, causation, redressability)
Whitmore v. Arkansas, 495 U.S. 149 (1990) (injury must be concrete and imminent; allegations of possible future injury are insufficient)
Allen v. Wright, 468 U.S. 737 (1984) (standing focuses on whether plaintiff is the proper party to bring the suit; injury must be fairly traceable to defendant)
In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14 (D.D.C. 2014) (declining to find standing where post‑breach misuse was not alleged)