Reilly Ex Rel. Pluemacher v. Ceridian Corp.

                                       PRECEDENTIAL

       UNITED STATES COURT OF APPEALS
            FOR THE THIRD CIRCUIT
                 _____________

                     No. 11-1738
                    _____________

 KATHY REILLY, individually and on behalf of all others
similarly situated; PATRICIA PLUEMACHER, individually
        and on behalf of all others similarly situated,

                                Appellants

                           v.

             CERIDIAN CORPORATION

                      __________

     On Appeal from the United States District Court
             for the District of New Jersey
         (D.C. Civil Action No. 2-10-cv-05142)
          District Judge: Hon. Jose L. Linares

                      __________

                Argued October 27, 2011

Before: SLOVITER, GREENAWAY, JR. and ALDISERT,
                  Circuit Judges.




                           1
                 (Filed December 12, 2011)

Alan S. Pralgever, Esq. (Argued)
Greenbaum, Rowe, Smith & Davis LLP
75 Livingston Avenue, Suite 301
Roseland, NJ 07068
      Counsel for Appellants

Steven J. Wells, Esq.(Argued)
Bryan C. Keane, Esq.
Dorsey & Whitney LLP
50 South Sixth Street, Suite 1500
Minneapolis, MN 55402
      Counsel for Appellee

                         __________

                 OPINION OF THE COURT
                       __________

ALDISERT, Circuit Judge.

        Kathy Reilly and Patricia Pluemacher, individually and
on behalf of all others similarly situated, appeal from an order
of the United States District Court for the District of New
Jersey, which granted Ceridian Corporation‟s motion to dis-
miss for lack of standing, and alternatively, failure to state a
claim. Appellants contend that (1) they have standing to bring
their claims in federal court, and (2) they stated a claim that
adequately alleged cognizable damage, injury, and ascertain-
able loss. We hold that Appellants lack standing and do not
reach the merits of the substantive issue. We will therefore
affirm.




                               2
                              I.

                              A.

       Ceridian is a payroll processing firm with its principal
place of business in Bloomington, Minnesota. To process its
commercial business customers‟ payrolls, Ceridian collects
information about its customers‟ employees. This information
may include employees‟ names, addresses, social security
numbers, dates of birth, and bank account information.

       Reilly and Pluemacher were employees of the Brach
Eichler law firm, a Ceridian customer, until September 2003.
Ceridian entered into contracts with Appellants‟ employer
and the employers of the proposed class members to provide
payroll processing services.

       On or about December 22, 2009, Ceridian suffered a
security breach. An unknown hacker infiltrated Ceridian‟s
Powerpay system and potentially gained access to personal
and financial information belonging to Appellants and ap-
proximately 27,000 employees at 1,900 companies. It is not
known whether the hacker read, copied, or understood the
data.

        Working with law enforcement and professional inves-
tigators, Ceridian determined what information the hacker
may have accessed. On about January 29, 2010, Ceridian sent
letters to the potential identity theft victims, informing them
of the breach: “[S]ome of your personal information . . . may
have been illegally accessed by an unauthorized hacker . . . .
[T]he information accessed included your first name, last
name, social security number and, in several cases, birth date
and/or the bank account that is used for direct deposit.” App.




                              3
00039. Ceridian arranged to provide the potentially affected
individuals with one year of free credit monitoring and identi-
ty theft protection. Individuals had until April 30, 2010, to
enroll in the free program, and Ceridian included instructions
on how to do so within its letter.

                              B.

        On October 7, 2010, Appellants filed a complaint
against Ceridian, on behalf of themselves and all others simi-
larly situated, in the United States District Court for the Dis-
trict of New Jersey.1 Appellants alleged that they: (1) have an
increased risk of identity theft, (2) incurred costs to monitor
their credit activity, and (3) suffered from emotional distress.

       On December 15, 2010, Ceridian filed a motion to
dismiss pursuant to Rules 12(b)(1) and 12(b)(6), Federal
Rules of Civil Procedure, for lack of standing and failure to
state a claim. On February 22, 2011, the District Court
granted Ceridian‟s motion, holding that Appellants lacked
Article III standing. The Court further held that, assuming
Appellants had standing, they nonetheless failed to
adequately allege the damage, injury, and ascertainable loss
elements of their claims. Appellants timely filed their Notice
of Appeal on March 18, 2011.




1
  Appellants‟ proposed class consists of all persons whose
personal and financial information was contained in the
Ceridian Powerpay System and was stolen or otherwise mis-
placed as a result of the breach.




                               4
                              II.

        We have jurisdiction to review the District Court‟s
final judgment pursuant to 28 U.S.C. § 1291. But “[a]bsent
Article III standing, a federal court does not have subject mat-
ter jurisdiction to address a plaintiff‟s claims, and they must
be dismissed.” Taliaferro v. Darby Twp. Zoning Bd., 458
F.3d 181, 188 (3d Cir. 2006). Hence, we exercise plenary
review over the District Court‟s jurisdictional determinations,
see Graden v. Conexant Sys. Inc., 496 F.3d 291, 294 n.2 (3d
Cir. 2007), “review[ing] only whether the allegations on the
face of the complaint, taken as true, allege facts sufficient to
invoke the jurisdiction of the district court,” Common Cause
of Penn. v. Pennsylvania, 558 F.3d 249, 257 (3d Cir. 2009).
We also review de novo a district court‟s grant of a motion to
dismiss for failure to state a claim under Rule 12(b)(6). See
Vallies v. Sky Bank, 432 F.3d 493, 494 (3d Cir. 2006).

        Because the District Court dismissed Appellants‟
claims pursuant to Rules 12(b)(1) and 12(b)(6), we accept as
true all well-pleaded allegations and construe the complaint in
the light most favorable to the non-moving party. See Lewis
v. Atlas Van Lines, Inc., 542 F.3d 403, 405 (3d Cir. 2008).

                              III.

       Appellants‟ allegations of hypothetical, future injury
do not establish standing under Article III. For the following
reasons we will therefore affirm the District Court‟s
dismissal.




                               5
                               A.

       Article III limits our jurisdiction to actual “cases or
controversies.” U.S. Const. art. III, § 2. One element of this
“bedrock requirement” is that plaintiffs “must establish that
they have standing to sue.” Raines v. Byrd, 521 U.S. 811, 818
(1997). It is the plaintiffs‟ burden, at the pleading stage, to
establish standing. See Lujan v. Defenders of Wildlife, 504
U.S. 555, 561 (1992); Storino v. Borough of Point Pleasant
Beach, 322 F.3d 293, 296 (3d Cir. 2003). Although “general
factual allegations of injury resulting from the defendant‟s
conduct may suffice,” Lujan, 504 U.S. at 561, the complaint
must still “clearly and specifically set forth facts sufficient to
satisfy” Article III. Whitmore v. Arkansas, 495 U.S. 149, 155
(1990).

        “[T]he question of standing is whether the litigant is
entitled to have the court decide the merits of the dispute or of
particular issues.” Elk Grove Unified Sch. Dist. v. Newdow,
542 U.S. 1, 11 (2004). Standing implicates both constitutional
and prudential limitations on the jurisdiction of federal courts.
See Storino, 322 F.3d at 296. Constitutional standing requires
an “injury-in-fact, which is an invasion of a legally protected
interest that is (a) concrete and particularized, and (b) actual
or imminent, not conjectural or hypothetical.” Danvers Motor
Co. v. Ford Motor Co., 432 F.3d 286, 290-291 (3d Cir. 2005)
(citing Lujan, 504 U.S. at 560-561). An injury-in-fact “must
be concrete in both a qualitative and temporal sense. The
complainant must allege an injury to himself that is „distinct
and palpable,‟ as distinguished from merely „abstract,‟ and
the alleged harm must be actual or imminent, not „conjectur-
al‟ or „hypothetical.‟” Whitmore, 495 U.S. at 155 (internal
citations omitted).




                                6
        Allegations of “possible future injury” are not
sufficient to satisfy Article III. Whitmore, 495 U.S. at 158;
see also Lujan, 504 U.S. at 564 n.2 (stating that allegations of
a future harm at some indefinite time cannot be an “actual or
imminent injury”). Instead, “[a] threatened injury must be
„certainly impending,‟” Whitmore, 495 U.S. at 158 (internal
citation omitted), and “proceed with a high degree of
immediacy, so as to reduce the possibility of deciding a case
in which no injury would have occurred at all,” Lujan, 504
U.S. at 564 n.2; Whitmore, 495 U.S. at 122 (explaining that
the imminence requirement “ensures that courts do not
entertain suits based on speculative or hypothetical harms”).
A plaintiff therefore lacks standing if his “injury” stems from
an indefinite risk of future harms inflicted by unknown third
parties. See Lujan, 504 U.S. at 564.

                               B.

        We conclude that Appellants‟ allegations of hypotheti-
cal, future injury are insufficient to establish standing. Appel-
lants‟ contentions rely on speculation that the hacker: (1)
read, copied, and understood their personal information; (2)
intends to commit future criminal acts by misusing the infor-
mation; and (3) is able to use such information to the detri-
ment of Appellants by making unauthorized transactions in
Appellants‟ names. Unless and until these conjectures come
true, Appellants have not suffered any injury; there has been
no misuse of the information, and thus, no harm.

       The Supreme Court has consistently dismissed cases
for lack of standing when the alleged future harm is neither
imminent nor certainly impending. For example, the Lujan




                               7
Court addressed whether plaintiffs had standing when seeking
to enjoin the funding of activities that threatened certain
species‟ habitats. The Court held that plaintiffs‟ claim that
they would visit the project sites “some day” did not meet the
requirement that their injury be “imminent.” 504 U.S. at 564
n.2 (“[W]e are at a loss to see how, as a factual matter, the
standard can be met by respondents‟ mere profession of an
intent, some day, to return.”). Appellants‟ allegations here
are even more speculative than those at issue in Lujan. There,
the acts necessary to make the injury “imminent” were within
plaintiffs‟ own control, because all plaintiffs needed to do
was travel to the site to see the alleged destruction of wildlife
take place. Yet, notwithstanding their stated intent to travel to
the site at some point in the future—which the Court had no
reason to doubt—their harm was not imminent enough to
confer standing. See id. Here, Appellants‟ alleged increased
risk of future injury is even more attenuated, because it is
dependent on entirely speculative, future actions of an un-
known third-party.

       The requirement that an injury be “certainly impend-
ing” is best illustrated by City of Los Angeles v. Lyons, 461
U.S. 95 (1983). There, the Court held that a plaintiff lacked
standing to enjoin the Los Angeles Police Department from
using a controversial chokehold technique on arrestees. See
Lyons, 461 U.S. at 105-106. Although the plaintiff had
already once been subjected to this maneuver, the future harm
he sought to enjoin depended on the police again arresting
and choking him. See id. at 105. Unlike the plaintiff in Lyons,
Appellants in this case have yet to suffer any harm, and their
alleged increased risk of future injury is nothing more than
speculation. As such, the alleged injury is not “certainly
impending.” Lujan, 504 U.S. at 564 n.2.




                               8
        Our Court, too, has refused to confer standing when
plaintiffs fail to allege an imminent injury-in-fact. For
example, although the plaintiffs in Storino contended that a
municipal ordinance would eventually result in a commercial-
ly undesirable zoning change, we held that the allegation of
future economic damage was too conjectural and insufficient
to meet the “injury in fact” requirement. See 322 F.3d at 298.
As we stated in that case, “one cannot describe how the
[plaintiffs] will be injured without beginning the explanation
with the word „if.‟ The prospective damages, described by the
[plaintiffs] as certain, are, in reality, conjectural.” Id. at 297-
298. Similarly, we cannot now describe how Appellants will
be injured in this case without beginning our explanation with
the word “if”: if the hacker read, copied, and understood the
hacked information, and if the hacker attempts to use the
information, and if he does so successfully, only then will
Appellants have suffered an injury.

                                C.

       In this increasingly digitized world, a number of courts
have had occasion to decide whether the “risk of future harm”
posed by data security breaches confers standing on persons
whose information may have been accessed. Most courts have
held that such plaintiffs lack standing because the harm is too
speculative. See Amburgy v. Express Scripts, Inc., 671 F.
Supp. 2d 1046, 1051-1053 (E.D. Mo. 2009); see also Key v.
DSW Inc., 454 F. Supp. 2d 684, 690 (S.D. Ohio 2006). We
agree with the holdings in those cases. Here, no evidence
suggests that the data has been—or will ever be—misused.
The present test is actuality, not hypothetical speculations
concerning the possibility of future injury. Appellants‟ allega-




                                9
tions of an increased risk of identity theft resulting from a
security breach are therefore insufficient to secure standing.
See Whitmore, 495 U.S. at 158 (“[A]llegations of possible
future injury do not satisfy the requirements of Art. III.”).

        Principally relying on Pisciotta v. Old National
Bancorp, 499 F.3d 629 (7th Cir. 2007), Appellants contend
that an increased risk of identity theft is itself a harm
sufficient to confer standing. In Pisciotta, plaintiffs brought a
class action against a bank after its website had been hacked,
alleging that the bank failed to adequately secure the personal
information it solicited (such as names, addresses, birthdates,
and social security numbers) when consumers applied for
banking services on its website. The named plaintiffs did not
allege “any completed direct financial loss to their accounts”
nor that they “already had been the victim of identity theft as
a result of the breach.” Id. at 632. The court, nonetheless, held
that plaintiffs had standing, concluding, without explanation,
that the “injury-in-fact requirement can be satisfied by a
threat of future harm or by an act which harms the plaintiff
only by increasing the risk of future harm that the plaintiff
would have otherwise faced, absent the defendant‟s actions.”
Id. at 634.

       Appellants rely as well on Krottner v. Starbucks Corp.,
628 F.3d 1139 (9th Cir. 2010), in which the Court of Appeals
for the Ninth Circuit conferred standing under circumstances
much different from those present here. There, plaintiffs‟
“names, addresses, and social security numbers were stored
on a laptop that was stolen from Starbucks.” Id. at 1140. The
court concluded that plaintiffs met the standing requirement
through their allegations of “a credible threat of real and
immediate harm stemming from the theft of a laptop contain-




                               10
ing their unencrypted personal data.” Id. at 1143. Appellants
here contend that we should follow Pisciotta and Krottner and
hold that the “credible threat of real and immediate harm”
stemming from the security breach of Ceridian‟s Powerpay
system satisfies the standing requirement. Id.

       But these cases have little persuasive value here; in
Pisciotta and Krottner, the threatened harms were
significantly more “imminent” and “certainly impending”
than the alleged harm here. In Pisciotta, there was evidence
that “the [hacker‟s] intrusion was sophisticated, intentional
and malicious.” 499 F.3d at 632. In Krottner, someone
attempted to open a bank account with a plaintiff‟s informa-
tion following the physical theft of the laptop.2 See 628 F.3d
at 1142. Here, there is no evidence that the intrusion was
intentional or malicious. Appellants have alleged no misuse,
and therefore, no injury. Indeed, no identifiable taking
occurred; all that is known is that a firewall was penetrated.
Appellants‟ string of hypothetical injuries do not meet the
requirement of an “actual or imminent” injury.

                             D.

       Neither Pisciotta nor Krottner, moreover, discussed the
constitutional standing requirements and how they apply to
generalized data theft situations. Indeed, the Pisciotta court
did not mention—let alone discuss—the requirement that a
threatened injury must be “imminent” and “certainly impend-
ing” to confer standing. See 499 F.3d at 634. Instead of
making a determination as to whether the alleged injury was

2
  The bank closed the account before any financial loss oc-
curred.




                             11
“certainly impending,” both courts simply analogized data-
security-breach situations to defective-medical-device, toxic-
substance-exposure, or environmental-injury cases. See id.;
see also Krottner, 628 F.3d at 1142-1143.

        Still, Appellants urge us to adopt those courts‟ skimpy
rationale for three reasons. First, Appellants here expended
monies on credit monitoring and insurance to protect their
safety, just as plaintiffs in defective-medical-device and
toxic-substance-exposure cases expend monies on medical
monitoring. See Sutton v. St. Jude Med. S.C., Inc., 419 F.3d
568, 570-575 (6th Cir. 2005). Second, members of this
putative class may very well have suffered emotional distress
from the incident, which also represents a bodily injury, just
as plaintiffs in the medical-device and toxic-tort cases have
suffered physical injuries. See In re Paoli R.R. Yard PCB Li-
tig., 916 F.2d 829, 850 (3d Cir. 1990) (explaining that “courts
have begun to recognize claims like medical monitoring,
which can allow plaintiffs some relief even absent present
manifestations of physical injury” and that “in the toxic tort
context, courts have allowed plaintiffs to recover for
emotional distress suffered because of the fear of contracting
a toxic exposure disease”). Third, injury to one‟s identity is
extraordinarily unique and money may not even compensate
one for the injuries sustained, just as environmental injury is
unique and monetary compensation may not adequately
return plaintiffs to their original position. See Cent. Delta Wa-
ter Agency v. United States, 306 F.3d 938, 950 (9th Cir.
2002) (holding that “monetary compensation may well not
adequately return plaintiffs to their original position” because
harms to the environment “are frequently difficult or imposs-
ible to remedy”). Based on these analogies, Appellants
contend they have established standing here. These analogies




                               12
do not persuade us, because defective-medical-device and
toxic-substance-exposure cases confer standing based on two
important factors not present in data breach cases.

        First, in those cases, an injury has undoubtedly
occurred. In medical-device cases, a defective device has
been implanted into the human body with a quantifiable risk
of failure. See Sutton, 419 F.3d at 574. Similarly, exposure to
a toxic substance causes injury; cells are damaged and a
disease mechanism has been introduced. See In re Paoli R.R.
Yard PCB Litig., 916 F.2d at 851, 851-852 (explaining that
“persons exposed to toxic chemicals emanating from the
landfill have an increased risk of invisible genetic damage
and a present cause of action for their injury” because “in a
toxic age, significant harm can be done to an individual by a
tortfeasor, notwithstanding latent manifestation of that
harm”). Hence, the damage has been done; we just cannot yet
quantify how it will manifest itself.

       In data breach cases where no misuse is alleged,
however, there has been no injury—indeed, no change in the
status quo. Here, Appellants‟ credit card statements are
exactly the same today as they would have been had
Ceridian‟s database never been hacked. Moreover, there is no
quantifiable risk of damage in the future. See id. at 852 (“As a
proximate result of exposure [to the toxic substance], plaintiff
suffers a significantly increased risk of contracting a serious
latent disease.”). Any damages that may occur here are
entirely speculative and dependent on the skill and intent of
the hacker.

       Second, standing in medical-device and toxic-tort
cases hinges on human health concerns. See Sutton, 419 F.3d




                              13
at 575. Courts resist strictly applying the “actual injury” test
when the future harm involves human suffering or premature
death. See id. As the Sutton court explained, “there is
something to be said for disease prevention, as opposed to
disease treatment. Waiting for a plaintiff to suffer physical
injury before allowing any redress whatsoever is both overly
harsh and economically inefficient.” Id. The deceased, after
all, have little use for compensation. This case implicates
none of these concerns. The hacker did not change or injure
Appellants‟ bodies; any harm that may occur—if all of
Appellants‟ stated fears are actually realized—may be re-
dressed in due time through money damages after the harm
occurs with no fear that litigants will be dead or disabled from
the onset of the injury. See Key, 454 F. Supp. 2d at 690
(“[T]hose [medical monitoring] cases not only act as a narrow
exception to the general rule of courts rejecting standing
based on increased risk of future harm, but are also factually
distinguishable from the present case [of a data security
breach].”).

        An analogy to environmental injury cases fails as well.
As the Court of Appeals for the Ninth Circuit explained in
Central Delta Water Agency, standing is unique in the
environmental context because monetary compensation may
not adequately return plaintiffs to their original position. See
id. at 950 (“The extinction of a species, the destruction of a
wilderness habitat, or the fouling of air and water are harms
that are frequently difficult or impossible to remedy [by
monetary compensation].”). In a data breach case, however,
there is no reason to believe that monetary compensation will
not return plaintiffs to their original position completely—if
the hacked information is actually read, copied, understood,
and misused to a plaintiff‟s detriment. To the contrary, unlike




                              14
priceless “mountains majesty,” the thing feared lost here is
simple cash, which is easily and precisely compensable with a
monetary award. We therefore decline to analogize this case
to those cases in the medical device, toxic tort or environmen-
tal injury contexts.

                                 E.

        Finally, we conclude that Appellants‟ alleged time and
money expenditures to monitor their financial information do
not establish standing, because costs incurred to watch for a
speculative chain of future events based on hypothetical
future criminal acts are no more “actual” injuries than the
alleged “increased risk of injury” which forms the basis for
Appellants‟ claims. See Randolph v. ING Life Ins. & Annuity
Co., 486 F. Supp. 2d 1, 8 (D.D.C. 2007) (“[T]he „lost data‟
cases . . . clearly reject the theory that a plaintiff is entitled to
reimbursement for credit monitoring services or for time and
money spent monitoring his or her credit.”). That a plaintiff
has willingly incurred costs to protect against an alleged
increased risk of identity theft is not enough to demonstrate a
“concrete and particularized” or “actual or imminent” injury.
Id.; see also Amburgy, 671 F. Supp. 2d at 1053 (holding
plaintiff lacked standing even though he allegedly spent time
and money to protect himself from risk of future injury);
Hammond v. Bank of N.Y. Mellon Corp., No. 08-6060, 2010
WL 2643307, at *4, *7 (S.D.N.Y. June 25, 2010) (noting that
plaintiffs‟ “out-of-pocket expenses incurred to proactively
safeguard and/or repair their credit” and the “expense of
comprehensive credit monitoring” did not confer standing);
Allison v. Aetna, Inc., No. 09-2560, 2010 WL 3719243, at *5
n.7 (E.D. Pa. Mar. 9, 2010) (rejecting claims for time and




                                 15
money spent on credit monitoring due to a perceived risk of
harm as the basis for an injury in fact).

       Although Appellants have incurred expenses to moni-
tor their accounts and “to protect their personal and financial
information from imminent misuse and/or identity theft,”
App. 00021, they have not done so as a result of any actual
injury (e.g. because their private information was misused or
their identities stolen). Rather, they prophylactically spent
money to ease fears of future third-party criminality. Such
misuse is only speculative—not imminent. The claim that
they incurred expenses in anticipation of future harm,
therefore, is not sufficient to confer standing.

                              IV.

       The District Court correctly held that Appellants failed
to plead specific facts demonstrating they have standing to
bring this suit under Article III, because Appellants‟
allegations of an increased risk of identity theft as a result of
the security breach are hypothetical, future injuries, and are
therefore insufficient to establish standing. For the reasons set
forth, we will AFFIRM the District Court‟s order granting
Ceridian‟s motion to dismiss.




                               16