holding that employees lacked standing to bring claims where an unknown hacker had penetrated their company's payroll system firewall because it was "not known whether the hacker read, copied, or understood" the system's information and no evidence suggested past or future misuse of employee data or that the "intrusion was intentional or malicious"
Summary of this case from Steven v. Carlos Lopez & Assocs.
Alan S. Pralgever, Esq. (Argued), Greenbaum, Rowe, Smith & Davis LLP, Roseland, NJ, for Appellants. Steven J. Wells, Esq. (Argued), Bryan C. Keane, Esq., Dorsey & Whitney LLP, Minneapolis, MN, for Appellee.
Before: SLOVITER, GREENAWAY, JR. and ALDISERT, Circuit Judges.
OPINION OF THE COURT
ALDISERT, Circuit Judge.
Kathy Reilly and Patricia Pluemacher, individually and on behalf of all others similarly situated, appeal from an order of the United States District Court for the District of New Jersey, which granted Ceridian Corporation's motion to dismiss for lack of standing, and alternatively, failure to state a claim. Appellants contend that (1) they have standing to bring their claims in federal court, and (2) they stated a claim that adequately alleged cognizable damage, injury, and ascertainable loss. We hold that Appellants lack standing and do not reach the merits of the substantive issue. We will therefore affirm.
Ceridian is a payroll processing firm with its principal place of business in Bloomington, Minnesota. To process its commercial business customers' payrolls, Ceridian collects information about its customers' employees. This information may include employees' names, addresses, social security numbers, dates of birth, and bank account information.
Reilly and Pluemacher were employees of the Brach Eichler law firm, a Ceridian customer, until September 2003. Ceridian entered into contracts with Appellants' employer and the employers of the proposed class members to provide payroll processing services.
On or about December 22, 2009, Ceridian suffered a security breach. An unknown hacker infiltrated Ceridian's Powerpay system and potentially gained access to personal and financial information belonging to Appellants and approximately 27,000 employees at 1,900 companies. It is not known whether the hacker read, copied, or understood the data.
Working with law enforcement and professional investigators, Ceridian determined what information the hacker may have accessed. On about January 29, 2010, Ceridian sent letters to the potential identity theft victims, informing them of the breach: “[S]ome of your personal information ... may have been illegally accessed by an unauthorized hacker.... [T]he information accessed included your first name, last name, social security number and, in several cases, birth date and/or the bank account that is used for direct deposit.” App. 00039. Ceridian arranged to provide the potentially affected individuals with one year of free credit monitoring and identity theft protection. Individuals had until April 30, 2010, to enroll in the free program, and Ceridian included instructions on how to do so within its letter.
On October 7, 2010, Appellants filed a complaint against Ceridian, on behalf of themselves and all others similarly situated, in the United States District Court for the District of New Jersey. Appellants alleged that they: (1) have an increased risk of identity theft, (2) incurred costs to monitor their credit activity, and (3) suffered from emotional distress.
Appellants' proposed class consists of all persons whose personal and financial information was contained in the Ceridian Powerpay System and was stolen or otherwise misplaced as a result of the breach.
On December 15, 2010, Ceridian filed a motion to dismiss pursuant to Rules 12(b)(1) and 12(b)(6), Federal Rules of Civil Procedure, for lack of standing and failure to state a claim. On February 22, 2011, the District Court granted Ceridian's motion, holding that Appellants lacked Article III standing. The Court further held that, assuming Appellants had standing, they nonetheless failed to adequately allege the damage, injury, and ascertainable loss elements of their claims. Appellants timely filed their Notice of Appeal on March 18, 2011.
We have jurisdiction to review the District Court's final judgment pursuant to 28 U.S.C. § 1291. But “[a]bsent Article III standing, a federal court does not have subject matter jurisdiction to address a plaintiff's claims, and they must be dismissed.” Taliaferro v. Darby Twp. Zoning Bd., 458 F.3d 181, 188 (3d Cir.2006). Hence, we exercise plenary review over the District Court's jurisdictional determinations, see Graden v. Conexant Sys. Inc., 496 F.3d 291, 294 n. 2 (3d Cir.2007), “review[ing] only whether the allegations on the face of the complaint, taken as true, allege facts sufficient to invoke the jurisdiction of the district court,” Common Cause of Penn. v. Pennsylvania, 558 F.3d 249, 257 (3d Cir.2009). We also review de novo a district court's grant of a motion to dismiss for failure to state a claim under Rule 12(b)(6). See Vallies v. Sky Bank, 432 F.3d 493, 494 (3d Cir.2006).
Because the District Court dismissed Appellants' claims pursuant to Rules 12(b)(1) and 12(b)(6), we accept as true all well-pleaded allegations and construe the complaint in the light most favorable to the non-moving party. See Lewis v. Atlas Van Lines, Inc., 542 F.3d 403, 405 (3d Cir.2008).
Appellants' allegations of hypothetical, future injury do not establish standing under Article III. For the following reasons we will therefore affirm the District Court's dismissal.
Article III limits our jurisdiction to actual “cases or controversies.” U.S. Const. art. III, § 2. One element of this “bedrock requirement” is that plaintiffs “must establish that they have standing to sue.” Raines v. Byrd, 521 U.S. 811, 818, 117 S.Ct. 2312, 138 L.Ed.2d 849 (1997). It is the plaintiffs' burden, at the pleading stage, to establish standing. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992); Storino v. Borough of Point Pleasant Beach, 322 F.3d 293, 296 (3d Cir.2003). Although “general factual allegations of injury resulting from the defendant's conduct may suffice,” Lujan, 504 U.S. at 561, 112 S.Ct. 2130, the complaint must still “clearly and specifically set forth facts sufficient to satisfy” Article III. Whitmore v. Arkansas, 495 U.S. 149, 155, 110 S.Ct. 1717, 109 L.Ed.2d 135 (1990).
“[T]he question of standing is whether the litigant is entitled to have the court decide the merits of the dispute or of particular issues.” Elk Grove Unified Sch. Dist. v. Newdow, 542 U.S. 1, 11, 124 S.Ct. 2301, 159 L.Ed.2d 98 (2004). Standing implicates both constitutional and prudential limitations on the jurisdiction of federal courts. See Storino, 322 F.3d at 296. Constitutional standing requires an “injury-in-fact, which is an invasion of a legally protected interest that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.” Danvers Motor Co. v. Ford Motor Co., 432 F.3d 286, 290–291 (3d Cir.2005) (citing Lujan, 504 U.S. at 560–561, 112 S.Ct. 2130). An injury-in-fact “must be concrete in both a qualitative and temporal sense. The complainant must allege an injury to himself that is ‘distinct and palpable,’ as distinguished from merely ‘abstract,’ and the alleged harm must be actual or imminent, not ‘conjectural’ or ‘hypothetical.’ ” Whitmore, 495 U.S. at 155, 110 S.Ct. 1717 (internal citations omitted).
Allegations of “possible future injury” are not sufficient to satisfy Article III. Whitmore, 495 U.S. at 158, 110 S.Ct. 1717; see also Lujan, 504 U.S. at 564 n. 2, 112 S.Ct. 2130 (stating that allegations of a future harm at some indefinite time cannot be an “actual or imminent injury”). Instead, “[a] threatened injury must be ‘certainly impending,’ ” Whitmore, 495 U.S. at 158, 110 S.Ct. 1717 (internal citation omitted), and “proceed with a high degree of immediacy, so as to reduce the possibility of deciding a case in which no injury would have occurred at all,” Lujan, 504 U.S. at 564 n. 2, 112 S.Ct. 2130; Whitmore, 495 U.S. at 155, 110 S.Ct. 1717 (explaining that the imminence requirement “ensures that courts do not entertain suits based on speculative or hypothetical harms”). A plaintiff therefore lacks standing if his “injury” stems from an indefinite risk of future harms inflicted by unknown third parties. See Lujan, 504 U.S. at 564, 112 S.Ct. 2130.
We conclude that Appellants' allegations of hypothetical, future injury are insufficient to establish standing. Appellants' contentions rely on speculation that the hacker: (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants' names. Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.
The Supreme Court has consistently dismissed cases for lack of standing when the alleged future harm is neither imminent nor certainly impending. For example, the Lujan Court addressed whether plaintiffs had standing when seeking to enjoin the funding of activities that threatened certain species' habitats. The Court held that plaintiffs' claim that they would visit the project sites “some day” did not meet the requirement that their injury be “imminent.” 504 U.S. at 564 n. 2, 112 S.Ct. 2130 (“[W]e are at a loss to see how, as a factual matter, the standard can be met by respondents' mere profession of an intent, some day, to return.”). Appellants' allegations here are even more speculative than those at issue in Lujan. There, the acts necessary to make the injury “imminent” were within plaintiffs' own control, because all plaintiffs needed to do was travel to the site to see the alleged destruction of wildlife take place. Yet, notwithstanding their stated intent to travel to the site at some point in the future—which the Court had no reason to doubt—their harm was not imminent enough to confer standing. See id. Here, Appellants' alleged increased risk of future injury is even more attenuated, because it is dependent on entirely speculative, future actions of an unknown third-party.
The requirement that an injury be “certainly impending” is best illustrated by City of Los Angeles v. Lyons, 461 U.S. 95, 103 S.Ct. 1660, 75 L.Ed.2d 675 (1983). There, the Court held that a plaintiff lacked standing to enjoin the Los Angeles Police Department from using a controversial chokehold technique on arrestees. See Lyons, 461 U.S. at 105–106, 103 S.Ct. 1660. Although the plaintiff had already once been subjected to this maneuver, the future harm he sought to enjoin depended on the police again arresting and choking him. See id. at 105, 103 S.Ct. 1660. Unlike the plaintiff in Lyons, Appellants in this case have yet to suffer any harm, and their alleged increased risk of future injury is nothing more than speculation. As such, the alleged injury is not “certainly impending.” Lujan, 504 U.S. at 564 n. 2, 112 S.Ct. 2130.
Our Court, too, has refused to confer standing when plaintiffs fail to allege an imminent injury-in-fact. For example, although the plaintiffs in Storino contended that a municipal ordinance would eventually result in a commercially undesirable zoning change, we held that the allegation of future economic damage was too conjectural and insufficient to meet the “injury in fact” requirement. See 322 F.3d at 298. As we stated in that case, “one cannot describe how the [plaintiffs] will be injured without beginning the explanation with the word ‘if.’ The prospective damages, described by the [plaintiffs] as certain, are, in reality, conjectural.” Id. at 297–298. Similarly, we cannot now describe how Appellants will be injured in this case without beginning our explanation with the word “if”: if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully, only then will Appellants have suffered an injury.
In this increasingly digitized world, a number of courts have had occasion to decide whether the “risk of future harm” posed by data security breaches confers standing on persons whose information may have been accessed. Most courts have held that such plaintiffs lack standing because the harm is too speculative. See Amburgy v. Express Scripts, Inc., 671 F.Supp.2d 1046, 1051–1053 (E.D.Mo.2009); see also Key v. DSW Inc., 454 F.Supp.2d 684, 690 (S.D.Ohio 2006). We agree with the holdings in those cases. Here, no evidence suggests that the data has been—or will ever be—misused. The present test is actuality, not hypothetical speculations concerning the possibility of future injury. Appellants' allegations of an increased risk of identity theft resulting from a security breach are therefore insufficient to secure standing. See Whitmore, 495 U.S. at 158, 110 S.Ct. 1717 (“[A]llegations of possible future injury do not satisfy the requirements of Art. III.”).
Principally relying on Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir.2007), Appellants contend that an increased risk of identity theft is itself a harm sufficient to confer standing. In Pisciotta, plaintiffs brought a class action against a bank after its website had been hacked, alleging that the bank failed to adequately secure the personal information it solicited (such as names, addresses, birthdates, and social security numbers) when consumers applied for banking services on its website. The named plaintiffs did not allege “any completed direct financial loss to their accounts” nor that they “already had been the victim of identity theft as a result of the breach.” Id. at 632. The court, nonetheless, held that plaintiffs had standing, concluding, without explanation, that the “injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions.” Id. at 634.
Appellants rely as well on Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir.2010), in which the Court of Appeals for the Ninth Circuit conferred standing under circumstances much different from those present here. There, plaintiffs' “names, addresses, and social security numbers were stored on a laptop that was stolen from Starbucks.” Id. at 1140. The court concluded that plaintiffs met the standing requirement through their allegations of “a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data.” Id. at 1143. Appellants here contend that we should follow Pisciotta and Krottner and hold that the “credible threat of real and immediate harm” stemming from the security breach of Ceridian's Powerpay system satisfies the standing requirement. Id.
But these cases have little persuasive value here; in Pisciotta and Krottner, the threatened harms were significantly more “imminent” and “certainly impending” than the alleged harm here. In Pisciotta, there was evidence that “the [hacker's] intrusion was sophisticated, intentional and malicious.” 499 F.3d at 632. In Krottner, someone attempted to open a bank account with a plaintiff's information following the physical theft of the laptop. See 628 F.3d at 1142. Here, there is no evidence that the intrusion was intentional or malicious. Appellants have alleged no misuse, and therefore, no injury. Indeed, no identifiable taking occurred; all that is known is that a firewall was penetrated. Appellants' string of hypothetical injuries do not meet the requirement of an “actual or imminent” injury.
In Krottner, the bank closed the account before any financial loss occurred.
Neither Pisciotta nor Krottner, moreover, discussed the constitutional standing requirements and how they apply to generalized data theft situations. Indeed, the Pisciotta court did not mention—let alone discuss—the requirement that a threatened injury must be “imminent” and “certainly impending” to confer standing. See 499 F.3d at 634. Instead of making a determination as to whether the alleged injury was “certainly impending,” both courts simply analogized data-security-breach situations to defective-medical-device, toxic-substance-exposure, or environmental-injury cases. See id.; see also Krottner, 628 F.3d at 1142–1143.
Still, Appellants urge us to adopt those courts' skimpy rationale for three reasons. First, Appellants here expended monies on credit monitoring and insurance to protect their safety, just as plaintiffs in defective-medical-device and toxic-substance-exposure cases expend monies on medical monitoring. See Sutton v. St. Jude Med. S.C., Inc., 419 F.3d 568, 570–575 (6th Cir.2005). Second, members of this putative class may very well have suffered emotional distress from the incident, which also represents a bodily injury, just as plaintiffs in the medical-device and toxic-tort cases have suffered physical injuries. See In re Paoli R.R. Yard PCB Litig., 916 F.2d 829, 850 (3d Cir.1990) (explaining that “courts have begun to recognize claims like medical monitoring, which can allow plaintiffs some relief even absent present manifestations of physical injury” and that “in the toxic tort context, courts have allowed plaintiffs to recover for emotional distress suffered because of the fear of contracting a toxic exposure disease”). Third, injury to one's identity is extraordinarily unique and money may not even compensate one for the injuries sustained, just as environmental injury is unique and monetary compensation may not adequately return plaintiffs to their original position. See Cent. Delta Water Agency v. United States, 306 F.3d 938, 950 (9th Cir.2002) (holding that “monetary compensation may well not adequately return plaintiffs to their original position” because harms to the environment “are frequently difficult or impossible to remedy”). Based on these analogies, Appellants contend they have established standing here. These analogies do not persuade us, because defective-medical-device and toxic-substance-exposure cases confer standing based on two important factors not present in data breach cases.
First, in those cases, an injury has undoubtedly occurred. In medical-device cases, a defective device has been implanted into the human body with a quantifiable risk of failure. See Sutton, 419 F.3d at 574. Similarly, exposure to a toxic substance causes injury; cells are damaged and a disease mechanism has been introduced. See In re Paoli R.R. Yard PCB Litig., 916 F.2d at 851, 851–852 (explaining that “persons exposed to toxic chemicals emanating from the landfill have an increased risk of invisible genetic damage and a present cause of action for their injury” because “in a toxic age, significant harm can be done to an individual by a tortfeasor, notwithstanding latent manifestation of that harm”). Hence, the damage has been done; we just cannot yet quantify how it will manifest itself.
In data breach cases where no misuse is alleged, however, there has been no injury—indeed, no change in the status quo. Here, Appellants' credit card statements are exactly the same today as they would have been had Ceridian's database never been hacked. Moreover, there is no quantifiable risk of damage in the future. See id. at 852 (“As a proximate result of exposure [to the toxic substance], plaintiff suffers a significantly increased risk of contracting a serious latent disease.”). Any damages that may occur here are entirely speculative and dependent on the skill and intent of the hacker.
Second, standing in medical-device and toxic-tort cases hinges on human health concerns. See Sutton, 419 F.3d at 575. Courts resist strictly applying the “actual injury” test when the future harm involves human suffering or premature death. See id. As the Sutton court explained, “there is something to be said for disease prevention, as opposed to disease treatment. Waiting for a plaintiff to suffer physical injury before allowing any redress whatsoever is both overly harsh and economically inefficient.” Id. The deceased, after all, have little use for compensation. This case implicates none of these concerns. The hacker did not change or injure Appellants' bodies; any harm that may occur—if all of Appellants' stated fears are actually realized—may be redressed in due time through money damages after the harm occurs with no fear that litigants will be dead or disabled from the onset of the injury. See Key, 454 F.Supp.2d at 690 (“[T]hose [medical monitoring] cases not only act as a narrow exception to the general rule of courts rejecting standing based on increased risk of future harm, but are also factually distinguishable from the present case [of a data security breach].”).
An analogy to environmental injury cases fails as well. As the Court of Appeals for the Ninth Circuit explained in Central Delta Water Agency, standing is unique in the environmental context because monetary compensation may not adequately return plaintiffs to their original position. See id. at 950 (“The extinction of a species, the destruction of a wilderness habitat, or the fouling of air and water are harms that are frequently difficult or impossible to remedy [by monetary compensation].”). In a data breach case, however, there is no reason to believe that monetary compensation will not return plaintiffs to their original position completely—if the hacked information is actually read, copied, understood, and misused to a plaintiff's detriment. To the contrary, unlike priceless “mountains majesty,” the thing feared lost here is simple cash, which is easily and precisely compensable with a monetary award. We therefore decline to analogize this case to those cases in the medical device, toxic tort or environmental injury contexts.
Finally, we conclude that Appellants' alleged time and money expenditures to monitor their financial information do not establish standing, because costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more “actual” injuries than the alleged “increased risk of injury” which forms the basis for Appellants' claims. See Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1, 8 (D.D.C.2007) (“[T]he ‘lost data’ cases ... clearly reject the theory that a plaintiff is entitled to reimbursement for credit monitoring services or for time and money spent monitoring his or her credit.”). That a plaintiff has willingly incurred costs to protect against an alleged increased risk of identity theft is not enough to demonstrate a “concrete and particularized” or “actual or imminent” injury. Id.; see also Amburgy, 671 F.Supp.2d at 1053 (holding plaintiff lacked standing even though he allegedly spent time and money to protect himself from risk of future injury); Hammond v. Bank of N.Y. Mellon Corp., No. 08–6060, 2010 WL 2643307, at *4, *7 (S.D.N.Y. June 25, 2010) (noting that plaintiffs' “out-of-pocket expenses incurred to proactively safeguard and/or repair their credit” and the “expense of comprehensive credit monitoring” did not confer standing); Allison v. Aetna, Inc., No. 09–2560, 2010 WL 3719243, at *5 n. 7 (E.D.Pa. Mar. 9, 2010) (rejecting claims for time and money spent on credit monitoring due to a perceived risk of harm as the basis for an injury in fact).
Although Appellants have incurred expenses to monitor their accounts and “to protect their personal and financial information from imminent misuse and/or identity theft,” App. 00021, they have not done so as a result of any actual injury (e.g. because their private information was misused or their identities stolen). Rather, they prophylactically spent money to ease fears of future third-party criminality. Such misuse is only speculative—not imminent. The claim that they incurred expenses in anticipation of future harm, therefore, is not sufficient to confer standing.
The District Court correctly held that Appellants failed to plead specific facts demonstrating they have standing to bring this suit under Article III, because Appellants' allegations of an increased risk of identity theft as a result of the security breach are hypothetical, future injuries, and are therefore insufficient to establish standing. For the reasons set forth, we will AFFIRM the District Court's order granting Ceridian's motion to dismiss.