The Case Of The Pathetic Payroll Company, The Hacker Who Accessed Payroll Records, And The Victims Who Can’t Do Much About It

Identity theft is a major problem. A criminal steals sensitive personal information and uses it to obtain loans, credit cards and drivers’ licenses. The victims are left with unpaid bills, traffic fines and ruined credit ratings.

Kathy R. and Patricia P. worked for a law firm in Roseland. The law firm uses a large payroll company. The payroll company collects sensitive information about each employee.  This includes Social Security numbers, dates of birth, and bank account numbers.

In December 2009, an unknown hacker infiltrated the payroll company’s computer system. The hacker gained access to the information of 27,000 employees, at 1,900 companies. Five weeks later, the payroll company notified the employees.

The payroll company did offer some “compensation.” The “compensation” consisted of free credit monitoring and identity theft protection, for one year.

No employee, as far as anyone knows, suffered any actual identity theft. If the hacker stole any information, he or she apparently has not yet used it. Nonetheless, the employees have suffered the mental anguish of knowing that they might suffer identity theft at any time. They also must pay for credit monitoring and identity theft protection after the first year.

Kathy and Patricia sued the payroll company in federal court. They tried to recover money damages.  However, a federal judge dismissed the case, without letting a jury hear it. The Third Circuit Court of Appeals recently upheld the judge’s ruling.

The basis of the ruling is the United States Constitution. Article III of the Constitution limits the federal courts to deciding actual “cases or controversies.” Courts have interpreted this provision to require that victims must have suffered actual harm, and not just a threat of future harm.

According to the court here, any harm suffered by Kathy and Patricia was just “potential future harm.” Therefore, they could not sue in federal court.

In my opinion, the court got it wrong. The mental anguish that Kathy and Patricia have suffered is not imaginary or unreasonable. Likewise, the dollars that they are paying for credit monitoring and identity theft protection are real dollars, not “future” dollars.

This ruling lets the payroll company off the hook. The company was clearly careless with its security. The next thing you know, we’ll see large financial companies engaging in risky behavior, which will ruin our economy. And no one will be held accountable. We wouldn’t want that to happen, now would we?