CASE: REILLY V. CERIDIAN CORPORATION 664 F.3d 38 (3rd Cir. 2011)

CASE: REILLY V. CERIDIAN CORPORATION 664 F.3d 38 (3rd Cir. 2011)

FACTS: Ceridian is a payroll processing firm established in Minnesota.  In its course of business, Ceridian collects information about its customers’ employees including such items as employees’ name, addresses, social security numbers, dates of birth, and bank account information.  Appellants Kathy Reilly and Patricia Pluemacher were employees of Brach Eichler law firm, which contracted Ceridian to perform its payroll processing services. Ceridian suffered a security breach where hackers infiltrated Ceridian’s system and potentially gained access to personal and financial information belonging to the Appellants.  It is not known if the hackers read, copied or understood the data.  Ceridian informed the potential identity theft victims of the breach.

In order to establish standing, a party has to demonstrate (1) injury in fact, (2) injury is concrete and particularized, and (3) actual or imminent, not conjectural or hypothetical.

ISSUE: Does the Appellants have standing to sue Ceridian for data breach?

HOLDING: No.  Appellants’ allegations of hypothetical future injury do not establish standing.

RULE: Appellants must demonstrate an actual or imminent, not conjectural or hypothetical, injury for the courts to have jurisdiction.

ANALYSIS: Aldisert, CJ. The Court held that Article III of the Constitution limits its jurisdiction to actual “cases or controversies.”  Appellants allegations are based on hypothetical future injury that relies  the hacker (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants’ names.