Opinion
Civil Action 2:23-cv-524
10-17-2023
KELLY MCGOWAN, Plaintiff v. CORE CASHLESS, LLC, Defendant.
ECF No. 27
Horan District Judge
REPORT AND RECOMMENDATION
LISA PUPO LENIHAN UNITED STATES MAGISTRATE JUDGE
I. RECOMMENDATION
It is respectfully recommended that Defendant's Motion to Dismiss First Amended Complaint Pursuant to Rule 12(b)(1) be granted and that Defendant's Motion to Dismiss First Amended Complaint Pursuant to Rule 12(b)(6) be denied as moot.
II. REPORT
A. Factual Allegations and Procedural History
Plaintiff Kelley McGowan has brought this class action against Defendant CORE Cashless, LLC (“CORE” or “Defendant”) for its failure to properly secure and safeguard Plaintiff's and Class Members' personally identifiable information (“PII”) stored within Defendant's information network. CORE provides a variety of cashless payment solutions including credit card kiosks, card readers, and online credit card processing and terminals for various businesses. First Am. Compl. (“FAC”) at ¶1, ECF No. 25. CORE is a limited liability company located in Overland Park, Kansas, whose sole member and owner resides in Overland Park, Kansas. Id. at ¶¶ 26-27.
Plaintiff was at all relevant times a resident and citizen of Pennsylvania and a victim of the Data Breach referenced below. Id. at ¶ 15. Plaintiff is a consumer of one of CORE's clients, Waldameer Park, Inc. (“Waldameer”) which operates an amusement park in Erie, Pennsylvania. Id. at ¶ 16. Plaintiff made a payment through Waldameer's online payment portal which was powered, maintained, and operated by CORE, and in so doing, provided CORE with her PII and financial information. Id. at ¶¶ 16-17.
On July 28, 2022, CORE was notified by the Secret Service that it had identified card numbers for sale on the Dark Web whose common purchase point was CORE. Id. at ¶ 45. CORE then conducted an internal investigation and ultimately determined that on or around January 29, 2022, an unknown and unauthorized third party gained access to the web payment portals of CORE's clients by activating a previously deactivated administrator account, gaining backdoor access, and installing tools to capture the text imputed into such payment portals (the “Data Breach”). Id. at ¶¶ 4, 9, 47. The web payment portals of approximately 45 of CORE's clients were affected by the Data Breach, including at least two Pennsylvania companies. Id. at ¶ 47.
The tools used by the unknown and unauthorized third party to access and steal payment card account information entered by customers of CORE's clients, such as Plaintiff, are commonly called digital skimmers. FAC at ¶ 48.
In the course of the Data Breach, the unknown and unauthorized third party captured Plaintiff's and the Class Members' sensitive data including but not limited to names, addresses, email addresses, phone numbers, and payment card information. Id. at ¶¶ 5, 50. Plaintiff did not learn of the Data Breach until nearly one year after it occurred when she received a notification email from CORE on December 30, 2022 informing her that it “became aware of a compromise to its environment, which may have resulted in the inadvertent exposure of sensitive information of individuals who processed their payment card through websites of certain [of Defendant]'s clients.” Id. at ¶¶ 20, 52. In addition, CORE directed Plaintiff and the Class Members to take various mitigation steps, such as monitoring their accounts and reporting any suspicious activity or misuse of their personal information. Id. at ¶ 56.
Following the notice from CORE of the Data Breach, Plaintiff spent time dealing with the consequences of the Data Breach, which included and continues to include time spent: (1) verifying the legitimacy and impact of the Data Breach, (2) exploring credit monitoring and identity theft insurance options, (3) self-monitoring her accounts with heightened scrutiny, and (4) seeking legal counsel regarding her options for remedying and/or mitigating the effects of the Data Breach. Id. at ¶ 21. As a result of the Data Breach, Plaintiff contends that she suffered actual injury in the form of damages to and diminution in the value of her PII. Id. at ¶ 22. In addition, she claims to have experienced increased anxiety, a loss of privacy, and a substantially increased risk of identity theft and fraud. Id. at ¶ 23.
On behalf of herself and a class of similarly situated individuals whose PII and financial information was exposed in the Data Breach, Plaintiff commenced this lawsuit on March 24, 2023. ECF No. 1. CORE moved to dismiss the Class Action Complaint on May 25, 2023 (ECF No. 20), and Plaintiff filed the First Amended Class Action Complaint on June 15, 2023 (ECF No. 25). Plaintiff's FAC alleges common law claims for negligence, negligence per se, breach of implied contract, and unjust enrichment. CORE filed the pending Motion to Dismiss First Amended Complaint (ECF No. 27) on June 28, 2023. In response, Plaintiff filed Brief in Opposition (ECF No. 29) to which CORE filed a Reply Brief (ECF No. 30). The pending motion is now ripe for review.
B. Legal Standards-Motion to Dismiss
1. Lack of Standing Under Rule 12(b)(1)
A motion to dismiss predicated on a lack of standing presents a jurisdictional matter and thus is “properly brought pursuant to Rule 12(b)(1).” Ballentine v. United States, 486 F.3d 806, 810 (3d Cir. 2007). Two types of challenges to the court's subject matter jurisdiction can be asserted under Rule 12(b)(1)-facial or factual. In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 632 (3d Cir. 2017) (citing Davis v. Wells Fargo, 824 F.3d 333, 346 (3d Cir. 2016)). “[A] facial attack ‘contests the sufficiency of the pleadings, . . . whereas a factual attack concerns the actual failure of a [plaintiff's] claims to comport [factually] with the jurisdictional prerequisites.'” The Constitution Party of Pa. v. Aichele, 757 F.3d 347, 358 (3d Cir. 2014)(internal citations omitted). Here Defendant appears to be bringing a facial challenge to Plaintiff's standing.
“In reviewing a facial attack, ‘the court must only consider the allegations of the complaint and documents referenced therein and attached thereto, in the light most favorable to the plaintiff.'” Id. (quoting In re Schering Plough Corp. Intron/Temodar Consumer Class Action, 678 F.3d 235, 243 (3d Cir. 2012) (other citation omitted). Thus, a facial challenge requires the court to apply the same legal standard it would apply in ruling on a motion to dismiss under Rule 12(b)(6). Id. (citing In re Schering Plough Corp., supra). As such, “'[t]o survive a motion to dismiss [for lack of standing], a complaint must contain sufficient factual matter' that would establish standing if accepted as true.” In re Horizon Healthcare Servs., 846 F.3d at 633 (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009), citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). At the pleading stage, the plaintiff bears the burden of establishing that she has standing to sue. Reilly v. Ceridian Corp., 664 F.3d 38, 41 (3d Cir. 2011)(citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992); Storino v. Borough of Point Pleasant Beach, 322 F.3d 293, 296 (3d Cir. 2003)). See also Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016) (The burden of establishing federal subject matter jurisdiction rests with the party asserting its existence.).
2. Failure to State a Claim Under Rule 12(b)(6)
In the event the Court determines that Plaintiff possesses standing to bring her claims, Defendant has moved to dismiss Plaintiff's claims for negligence, negligence per se, breach of implied contract, and unjust enrichment for failure to state a claim pursuant to Rule 12(b)(6). The United States Court of Appeals for the Third Circuit summarized the standard to be applied in deciding motions to dismiss filed pursuant to Rule 12(b)(6):
Under the “notice pleading” standard embodied in Rule 8 of the Federal Rules of Civil Procedure, a plaintiff must come forward with “a short and plain statement of the claim showing that the pleader is entitled to relief.” As explicated in Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009), a claimant must state a “plausible” claim for relief, and “[a] claim has facial plausibility when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Although “[f]actual allegations must be enough to raise a right to relief above the speculative level,” Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007), a plaintiff “need only put forth allegations that raise a reasonable expectation that discovery will reveal evidence of the necessary element.” Fowler, 578 F.3d at 213 (quotation marks and citations omitted); see also Covington v. Int'l Ass'n of Approved Basketball Officials, 710 F.3d 114, 117-18 (3d Cir. 2013).Thompson v. Real Estate Mortg. Network, 748 F.3d 142, 147 (3d Cir. 2014).
C. Analysis
1. Article III Standing
The Third Circuit has summarized the legal principles governing standing to sue under
Article III:
In order to have Article III standing to sue, a plaintiff bears the burden of establishing “(1) [an] injury-in-fact ... that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or
hypothetical; (2) a causal connection between the injury and the conduct complained of; and (3) [a likelihood] ... that the injury will be redressed by a favorable decision.” When, as in this case, prospective relief is sought, the plaintiff must show that he is “likely to suffer future injury” from the defendant's conduct. In the class action context, that requirement must be satisfied by at least one named plaintiff. The threat of injury must be “sufficiently real and immediate,” and, as a result of the immediacy requirement, “[p]ast exposure to illegal conduct does not in itself show a present case or controversy regarding injunctive relief if unaccompanied by any continuing, present adverse effects.”McNair v. Synapse Grp. Inc., 672 F.3d 213, 223 (3d Cir. 2012) (brackets and ellipses in original; citations and parentheticals omitted); Lujan, 504 U.S. at 560-61 (citations omitted). In In Re Horizon Healthcare, the Court of Appeals noted that “[t]he requirements for standing do not change in the class action context. ‘[N]amed plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.'” 846 F.3d at 634 (quoting Lewis v. Casey, 518 U.S. 343, 357 (1996) (citation and internal quotation marks omitted)).
Here CORE appears to be challenging only the first element of Article III standing-whether Plaintiff suffered an injury in fact. In Spokeo, the Supreme Court provided guidance as to what constitutes a concrete injury--“[a] ‘concrete' injury must be ‘de facto'; that is, it must actually exist . . . we have meant to convey the usual meaning of the term-‘real,' and not ‘abstract'”; the injury can be either tangible or intangible. 578 U.S. at 340 (citations omitted). The Spokeo Court set forth two tests for determining whether an intangible harm constitutes an injury in fact. The first test asks “whether an alleged intangible harm is closely related to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Id. at 341 (citation omitted); see also In Re Horizon Healthcare, 846 F.3d at 637 (citing Spokeo, supra). The second test looks to whether Congress has identified a particular intangible harm that meets minimum Article III requirements, Spokeo, 578 U.S. at 341, i.e., where “Congress has expressed an intent to make an injury redressable[,]” In re Horizon Healthcare, 846 F.3d at 637.
With regard to the “actual” or imminent” element of the injury in fact test, the Court of Appeals has opined:
“A harm is ‘actual or imminent' rather than ‘conjectural or hypothetical' where it is presently or actually occurring, or is sufficiently imminent.... [P]laintiffs relying on claims of imminent harm must demonstrate that they face a realistic danger of sustaining a direct injury from the conduct of which they complain.” Blunt v. Lower Merion Sch. Dist., 767 F.3d 247, 278 (3d Cir. 2014) (citation omitted). “Allegations of possible future injury do not satisfy the requirements of Art. III. A threatened injury must be ‘certainly impending' to constitute injury in fact.” Whitmore v. Arkansas, 495 U.S. 149, 158, 110 S.Ct. 1717, 109 L.Ed.2d 135 (1990) (citation omitted). And a party seeking equitable relief for a prospective injury, like Sherwin-Williams here, must show a “likelihood of substantial and immediate irreparable injury” to establish standing. O'Shea v. Littleton, 414 U.S. 488, 502, 94 S.Ct. 669, 38 L.Ed.2d 674 (1974).Sherwin-Williams Co. v. Cnty. of Del., 968 F.3d 264, 269 (3d Cir. 2020). Thus, “[a]n allegation of future injury may suffice if the threatened injury is ‘certainly impending,' or there is a ‘‘substantial risk' that the harm will occur.'” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014)(quoting Clapper v. Anmesty Int'l USA, 568 U.S. 398, 414 n.5 (2013)).
At least in the situation (not present here) where the plaintiff has alleged a violation of a federal law that recognizes a particular intangible harm and creates a private cause of action, both the concrete and actual elements of the injury in fact test will usually be satisfied. Such harm is concrete because Congress has expressed an intent to make the injury redressable and provided a private cause of action, and it is actual because the harm has already occurred based on the alleged violation of the statute and therefore is not speculative, i.e., based on a future injury.
Here Plaintiff's FAC does not allege a violation of any federal statute but rather alleges common law tort and contract claims. Therefore, she has not established an injury in fact under the second test articulated by the Spokeo Court. As to whether Plaintiff has established an injury in fact under the traditional harm test, neither party directly addresses whether standing exists under this test. While Plaintiff cites case law generally for the proposition that American courts have recognized traditional common law harms such as reputational harms, disclosure of private information, and intrusion of seclusion, she makes no argument as to how this traditional harm test applies to her case. See ECF No. 29 at 11-12. CORE does not address the traditional harm test at all. Thus, neither party appears to address the “concrete” element of the injury in fact test but rather proceeds to the “actual” or “imminent” requirement. As such, the Court turns to the parties' arguments on this element.
The Court notes that the Court of Appeals in Clemens v. ExecuPharm, Inc., 48 F.4th 146 (3d Cir. 2022) opined as to when an injury would be concrete in the data breach context. Specifically, the Clemens Court held, following the guidance of the Supreme Court in TransUnion LLC v. Ramirez, 594 U.S., 141 S.Ct. 2190 (2021), “that in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms. For example, if the plaintiff's knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury.” 48 F.4th at 155-56. However, Plaintiff must first establish that she faces a substantial risk of identity theft or fraud.
In support of its argument that Plaintiff lacks Article III standing, CORE argues that allegations of possible future injury at the hands of unknown third parties are insufficient to establish standing under Article III, citing in support Lujan, 504 U.S. at 564, and Whitmore, 495 U.S. at 158. Specifically, CORE submits that Plaintiff's allegations do not plausibly show a concrete injury that is actual or imminent. Def's. Br. in Supp. at 6, ECF No. 28. In the context of an alleged data breach, CORE submits that the Court of Appeals has held that “a plaintiff does not suffer a harm, and thus does not have standing to sue, unless plaintiff alleges actual ‘misuse' of the information [that was accessed and taken as part of the data incident], or that such misuse is imminent.” Storm v. Paytime, Inc., 90 F.Supp.3d 359, 365 (M.D.Pa. 2015)(citing Reilly, 664 F.3d at 42). CORE contends that in the FAC, Plaintiff does not allege that her identity has been stolen as a result of the January 2022 incident nor does she allege that she has been the victim of fraud. ECF No. 28 at 8. In addition, Core submits that Plaintiff has not alleged that her bank account(s) have been accessed or that she has experienced any unauthorized or fraudulent charges on her credit card accounts or any other specific out of pocket loss. Id.
Moreover, CORE contends that the FAC is devoid of any facts to support that Plaintiff faces an imminent risk of future harm as a result of the data breach that occurred approximately eighteen (18) months ago. Id. Rather, CORE submits that Plaintiff makes various conclusory assertions that she has suffered or will suffer “an actual, imminent and certainly impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting from her [personal information] . . . being placed in the hands of unauthorized third-party cyber criminals.” Id. (quoting FAC, ¶ 24). CORE argues that federal courts have regularly rejected such speculative allegations or possible future injury as a basis for standing, citing in support TransUnion LLC v. Ramirez, 594 U.S., 141 S.Ct. 2190, 2211 (2021), Sherwin-Williams Co., 968 F.3d at 269, and Reilly, 664 F.3d at 43.
CORE submits that the case at bar is most analogous to the Court of Appeals decision in Reilly, which presents an insurmountable hurdle for Plaintiff, rather than the Court of Appeals more recent decision in Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022), upon which Plaintiff relies in opposing CORE's motion to dismiss for lack of standing. Thus, an examination of the facts and holdings in each case is warranted.
In Reilly, the defendant Ceridian provided payroll processing services to various commercial business customers including the employer of the named plaintiffs. 664 F.3d at 40. To process its customers' payrolls, Ceridian collected employee information including employees' names, addresses, social security numbers, dates of birth, and bank account information. Id. Ceridian suffered a security breach by an unknown hacker who infiltrated its system and potentially gained access to personal and financial information belonging to 27,000 employees at 1,900 companies. It was not known whether the hacker read, copied, or understood the data. Id. Five weeks later, Ceridian sent letters to the potential identity theft victims informing them of the breach and arranged to provide the potentially affected individuals with one year of free credit monitoring and identify theft protection. Id. Approximately eight months later, plaintiffs filed a class action lawsuit against Ceridian alleging various claims, including negligence and breach of contract, related to an increased risk of identity theft, costs to monitor their credit activity, as well as a claim for emotional distress. Id. Ceridian moved to dismiss the lawsuit for lack of standing under Rule 12(b)(1) which the district court granted. Id. at 41.
On appeal, the Third Circuit held that the plaintiffs' allegations of hypothetical, future injury did not establish standing under Article III. The Court of Appeals opined:
Allegations of “possible future injury” are not sufficient to satisfy Article III. Whitmore, 495 U.S. at 158, 110 S.Ct. 1717; see also Lujan, 504 U.S. at 564 n. 2, 112 S.Ct. 2130 (stating that allegations of a future harm at some indefinite time cannot be an “actual or imminent injury”). Instead, “[a] threatened injury must be ‘certainly impending,' ” Whitmore, 495 U.S. at 158, 110 S.Ct. 1717 (internal citation omitted), and “proceed with a high degree of immediacy, so as to reduce the possibility of deciding a case in which no injury would have occurred at all,” Lujan, 504 U.S. at 564 n. 2, 112 S.Ct. 2130; Whitmore, 495 U.S. at 155, 110 S.Ct. 1717 (explaining that the imminence requirement “ensures that courts do not entertain suits based on speculative or hypothetical harms”). A plaintiff therefore lacks standing if his “injury” stems from an indefinite risk of future harms inflicted by unknown third parties. See Lujan, 504 U.S. at 564, 112 S.Ct. 2130.Id. at 42. In concluding that the plaintiffs' allegations of hypothetical future injury were insufficient to establish standing, the Court of Appeals reasoned that:
[Plaintiffs'] contentions rely on speculation that the hacker: (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of [plaintiffs] by making unauthorized transactions in [plaintiffs]' names. Unless and until these conjectures come true, [plaintiffs] have not suffered any injury; there has been no misuse of the information, and thus, no harm.Id. The Court of Appeals further reasoned that there was no evidence to suggest that the data had been or would ever be misused. Id. at 43. The Court of Appeals went on to hold that “[t]he present test is actuality, not hypothetical speculations about future injury [and therefore plaintiffs'] allegations of an increased risk of identity theft resulting from a security breach are . . . insufficient to secure standing.” Id. (citing Whitmore, 495 U.S. at 158).
In addition, the Reilly Court concluded that:
[Plaintiffs]' alleged time and money expenditures to monitor their financial information do not establish standing, because costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more “actual” injuries than the alleged “increased risk of injury” which forms the basis for Appellants' claims. See Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1, 8 (D.D.C.2007) (“[T]he ‘lost data' cases ... clearly reject the theory that a plaintiff is entitled to reimbursement for credit monitoring services or for time and money spent monitoring his or her credit.”). That a plaintiff has willingly incurred costs to protect against an alleged increased risk of identity theft is not enough to demonstrate a “concrete and particularized” or “actual or imminent” injury. Id.; see also Amburgy, 671 F.Supp.2d at 1053 (holding plaintiff lacked standing even though he allegedly spent time and money to protect himself from risk of future injury); Hammond v. Bank of N.Y. Mellon Corp., No. 08-6060, 2010 WL 2643307, at *4, *7 (S.D.N.Y. June 25, 2010) (noting that plaintiffs' “out-of-pocket expenses incurred to proactively safeguard and/or repair their credit” and the “expense of comprehensive credit monitoring” did not confer standing); Allison v. Aetna, Inc., No. 09-2560, 2010 WL 3719243, at *5 n. 7 (E.D.Pa. Mar. 9, 2010) (rejecting claims for time and money spent on credit monitoring due to a perceived risk of harm as the basis for an injury in fact).
Although [plaintiffs] have incurred expenses to monitor their accounts and “to protect their personal and financial information from imminent misuse and/or identity theft,” App. 00021, they have not done so as a result of any actual injury (e.g. because their private information was misused or their identities stolen). Rather, they prophylactically spent money to ease fears of future third-party criminality. Such misuse is only speculative-not imminent. The claim that they incurred expenses in anticipation of future harm, therefore, is not sufficient to confer standing.Id. at 46 (emphasis in original).
In a more recent data breach case, Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022), the Court of Appeals held that a plaintiff's risk of injury was sufficiently imminent to constitute an injury in fact for purposes of standing. The plaintiff in that case was a former employee of the defendant, ExecuPharm. As a condition of her employment, the plaintiff was required to provide ExecuPharm with sensitive personal and financial data, in exchange for which ExecuPharm agreed to take appropriate measures to protect the confidentiality and security of that information. Id. After plaintiff left her employment with ExecuPharm, a known hacking group accessed ExecuPharm's servers through a phishing attack stealing sensitive information of current and former employees including plaintiff. Id. The information stolen included social security numbers, dates of birth, full names, home addresses, taxpayer identification numbers, banking information, credit card numbers, driver's license numbers, sensitive tax forms, and passport numbers. Id. In addition to infiltrating the data, the hacker installed malware to encrypt the data stored on ExecuPharm's servers and then held the decryption tools for ransom, threatening to release the information to the Dark Web if the ransom was not paid. Id. The hackers ultimately carried out their threat and posted the data on the Dark Web. Id. An Israeli-based intelligence firm confirmed that the hackers made available for download at least one archive of data pertaining to ExecuPharm, including sensitive employee information. Id. In the same month as the breach as well as the following month, ExecuPharm provided periodic updates to current and former employees to inform them of the breach and encourage them to take precautionary measures. Id. at 150-51.
To mitigate potential harm, the plaintiff in Clemens immediately took various actions to monitor her financial records and credit reports for unauthorized activity, including enrolling in ExecuPharm's complimentary one-year credit monitoring services and purchasing credit monitoring services for herself and her family. Id. at 151. As a result of the breach, the plaintiff alleged that she sustained the risk of identity theft and fraud as well as the investment of time and money to mitigate potential harm. Id. Plaintiff filed a class action lawsuit against ExecuPharm asserting, inter alia, claims for negligence, negligence per se, and breach of implied contract. Id. ExecuPharm filed a motion to dismiss which the district court granted for lack of standing, based on the Court of Appeals decision in Reilly. The district court concluded that plaintiff's risk of future harm was not imminent but speculative because she had not yet experienced actual identity theft or fraud. Id.
On appeal, the Third Circuit reversed, concluding that the plaintiff's injury was sufficiently imminent to constitute an injury in fact for Article III standing purposes. The Court of Appeals focused on the “imminent” element in the disjunctive “actual or imminent” requirement, noting the significance of the disjunctive terminology, which indicated that a plaintiff does not have to wait until he or she has actually sustained the anticipated harm in order to file suit but can do so when the risk of harm becomes imminent. Id. at 152. The Clemens Court noted that “[t]his is especially important in the data breach context where the disclosure of the data may cause future harm as opposed to currently felt harm.” Id. The Clemens Court then discussed what type of future harm qualifies as imminent:
[A]llegations of future injury “suffice if the threatened injury is ‘certainly impending' or there is a ‘substantial risk' that the harm will occur.” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158, 134 S.Ct. 2334, 189 L.Ed.2d 246 (2014) (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 n.5, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013)). A substantial risk *153 means a “‘realistic danger of sustaining a direct injury.'” Pennell v. City of San Jose, 485 U.S. 1, 8, 108 S.Ct. 849, 99 L.Ed.2d 1 (1988) (quoting Babbitt v. United Farm Workers Nat'l Union, 442 U.S. 289, 298, 99 S.Ct. 2301, 60 L.Ed.2d 895 (1979)). While plaintiffs are not required “to demonstrate that it is literally certain that the harms they identify will come about,” a “possible future injury”-even one with an “objectively reasonable likelihood” of occurring-is not sufficient. Clapper, 568 U.S. at 409-10, 414 n.5, 133 S.Ct. 1138 (emphasis omitted).
Id. at 152-53. The Court of Appeals further opined that “[c]onsistent with Susan B. Anthony List, that an injury will occur in the future is not fatal to standing . . . [b]ut where the future injury is also hypothetical, there can be no imminence and therefore no injury-in-fact.” Id. at 153 (internal citation omitted). It was on this basis that the Court distinguished its decision in Reilly-“[b]ecause the plaintiffs in Reilly alleged a future, hypothetical risk of identity theft or fraud, we concluded that they had not suffered an injury-in-fact. Specifically, the risk was ‘dependent on entirely speculative, future actions of an unknown third-party.'” Id. (quoting Reilly, 664 F.3d at 42). The Clemens Court further noted that in Reilly, it could not “describe how the [Appellants] will be injured ... without beginning our explanation with the word ‘if': if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully.” Id. (quoting Reilly, 664 F.3d at 43) (internal quotation marks omitted). Thus, the Clemens Court clarified its holding in Reilly: Reilly requires consideration of whether an injury is present versus future, and imminent versus hypothetical.
In determining whether an injury is imminent, i.e., poses a substantial risk of harm, as opposed to hypothetical in the data breach context, the Clemens Court focused on several factors relied upon by other courts. These non-exhaustive factors, which serve as useful guideposts with no single factor being dispositive, include: (1) whether the data breach was intentional; (2) whether the data was misused; (3) and the nature of the information accessed through the data breach and whether it is the type of information that would subject a plaintiff to a risk of identity theft. Id. at 153-54 (citations omitted). Examples of misuse include “where a laptop with personal unencrypted data was stolen and the plaintiff alleged that someone attempted to open a bank account in his name”, or where the “plaintiff alleged that personal data had ‘already been stolen' and that 9,200 people had ‘incurred fraudulent charges'.” Id. at 154 (citations omitted). With regard to the third factor, the Clemens Court noted that “disclosure of social security numbers, birth dates, and names is more likely to create a risk of identity theft or fraud . . . [while] the disclosure of financial information alone, without corresponding personal information, is insufficient.” Id. (internal citations omitted). With these precepts in mind, the Clemens Court proceeded to analyze whether the plaintiff had pled sufficient facts to establish standing as to each claim she was asserting. Id. at 156.
The Clemens Court noted in dicta that misuse is not necessarily required, citing a Seventh Circuit casePisciotta v. Old Nat'l Bancorp., 499 F.3d 629, 634 (7th Cir. 2007). However, in Reilly, the Court of Appeals distinguished Pisciotta finding it had little persuasive value as the threatened harms in Pisciotta were “significantly more ‘imminent' and ‘certainly impending' than the alleged harm in Reilly. 664 F.3d at 44. The Reilly Court explicitly stated that “[i]n data breach cases where no misuse is alleged, however, there has been no injury-indeed, no change in the status quo.” Id. at 45.
With regard to the plaintiff's contract claims, the Clemens Court found that the alleged injury in fact was far more imminent than the future injury alleged in Reilly. Id. The Clemens Court found that while Reilly “involved an unknown hacker who potentially gained access to sensitive information,” in Clemens a known hacker group accessed ExecuPharm's sensitive information. Id. (emphasis in original). The Clemens Court further found that the known hacker group was a sophisticated ransomware group that was notorious for encrypting companies' internal data and placing a text file that contained a message demanding ransom. Id. at 157. The Court of Appeals further noted that these types of attacks were particularly threatening because there are no known decryption tools for the hackers' ransomware. Id. Moreover, the Clemens Court found that unlike in Reilly where the injury depended upon a string of hypotheticals coming to fruition, in Clemens the hackers had already published plaintiff's data on the Dark Web, and the Court of Appeals reasonably assumed that the people to visit the Dark Web, especially those accessing the hackers' posts, do so with nefarious intent thus exposing the plaintiff to a substantial risk of identity theft or fraud by virtue of her personal information being made available on underground websites. Id. In summary, the Clemens Court concluded that the hackers “intentionally gained access to and misused the data,” and that combination of financial and personal information obtained was the type of data that could be used to commit identity theft or fraud. Id. (emphasis in original). Thus, the Clemens Court held that “[t]ogether, these factors show that [plaintiff] has alleged a ‘substantial risk' that the harm will occur sufficient to establish an ‘imminent' injury.” Id. (citations and internal quotation marks omitted).
The Clemens Court went on to hold that the plaintiff's “injury is concrete because it is sufficiently analogous to harms long recognized at common law like the ‘disclosure of private information.'” Id. (citing TransUnion LLC, 141 S.Ct. at 2204). The Court of Appeals further found that the plaintiff had alleged several additional concrete harms that she had already experienced as a result of the substantial risk of identity theft or fraud-her emotion distress and related therapy costs, and the time and money involved in mitigating the effects of the data breach. Id. at 158. As to the plaintiff's tort claims of negligence and negligence per se, the Clemens Court found that they had the same factual genesis as the contract claims, and plaintiff sufficiently alleged a harm that was concrete and imminent for the same reasons as those delineated with regard to contract claims. Id. 158-59. The Clemens Court thus concluded that the plaintiff had sufficiently asserted standing to bring her tort claims. Id. at 159.
Plaintiff herein argues that her case is more closely analogous to Clemens and the three factors identified by the Clemens Court-intentionality, misuse, and sensitivity of the data-all weigh in favor of establishing standing. ECF No. 29 at 14. As to the first factor- intentionality-Plaintiff argues that her allegations demonstrate that the Data Breach was an intentional criminal act. She points to paragraphs 47-48 in the FAC where she alleges that an unauthorized third-party gained access to the web payment portals of CORE's clients by activating a previously deactivated administrator account and installing a digital skimmer tool to capture the text inputted into online payment portals. Plaintiff submits that this demonstrates that the Data Breach was a targeted attack as opposed to a meandering hacker to stumbled across sensitive data.
In the Court's view, all cyber-attacks involve some degree of intentional conduct just by the very nature of the attack. In Reilly as in the case at bar, the infiltration of Defendants' data processing systems was committed by an unknown hacker. At one end of the “intentionality” spectrum is the situation in Reilly where it was unknown whether the hacker read, copied or understood the data. At the other end of the “intentionality” spectrum is the situation in Clemens where a known hacking group accessed the defendant's servers through a phishing attack, installed malware to encrypt the data stored on the defendant's servers, and then held the decryption tools for ransom, threatened to release the information to the Dark Web if the ransom was not paid and did indeed carry out their threat. The Court finds that the case at bar falls more towards the Reilly end of the spectrum. Simply put, Plaintiff does not allege the same type of malicious and sophisticated intent that existed in Clemens.
With regard to the second factor, Plaintiff argues that cybercriminals began misusing the data by offering payment card information for sale on the Dark Web and in support, refers to the allegation that the Secret Service had identified payment card numbers for sale on the Dark Web whose common purchase point was CORE. ECF No. 29 at 14-15 (citing FAC at ¶45). Plaintiff submits that this crucial allegation dramatically distinguishes this case from Reilly where it was “not known whether the hacker read, copied, or understood the data.” Id. at 15 (quoting Reilly, 664 F.3d at 40). In response, CORE submits that although it was notified by the Secret Service that they had identified payment card numbers for sale on the Dark Web whose common purchase point was CORE, Plaintiff does not allege in the FAC that her payment card information was part of card numbers identified by the Secret Service. ECF No. 30 at 2-3. As such, CORE contends that Plaintiff has not satisfied the misuse requirement in Green-Cooper v. Brinker Int'l, Inc., 73 F. 4th 883 (11th Cir. 2023), and thus this case is more analogous to Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332 (11th Cir. 2021). ECF No. 30 at 3.
The Court need not consider the Eleventh Circuit's decision in either Green-Cooper or Tsao as neither has precedential weight in this Circuit. It bears noting, however, that in Green-Cooper, where the Eleventh Circuit found that affirmatively posting stolen credit card data and personal information on the dark web was the misuse that was missing in Tsao and established a substantial risk of future injury, the information for all 4.5 million cards that the hackers accessed was found on the Dark Web. 73 F. 4th at 886-87, 889-90.
The Court finds that Plaintiff has failed to allege sufficient facts to plausibly show that her payment card information was misused by the unknown hackers. In Clemens, the employer of the plaintiff-defendant ExecuPharm-sustained a cyberattack in which sensitive information of current and former employees was stolen, including the plaintiff. Here there is no direct relationship between Plaintiff and CORE from which the Court may infer that Plaintiff's payment card information was among the information the Secret Service discovered on the Dark Web. Rather, all that is alleged is that the Secret Service discovered payment card numbers for sale on the Dark Web and that the common purchase point was CORE. There is no allegation that any of the activity on the Dark Web involved payment card numbers from CORE's client Waldameer whose payment portal Plaintiff accessed. And unlike in Clemens, here Plaintiff has not alleged any attempted identity theft or fraud using any of the payment card information found on the Dark Web from which she could assert a heightened risk that she might experience identity theft or fraud in the future. Moreover, because more than eighteen (18) months have elapsed without any attempted identity theft or fraud using Plaintiff's personal information, it is unlikely that Plaintiff's personal information was among the payment card numbers listed for sale on the Dark Web. As such, Plaintiff has failed to plausibly establish the misuse requirement.
The Court notes that in the FAC, Plaintiff references an excerpt from a U.S. General Accountability Office (“GAO”) Report dated June 2007 in an attempt to explain why there may be a time lag between when the data breach occurs and when the data is used. See FAC at ¶ 89 (citing Report to Congressional Requesters, GAO at 29 (June 2007), available at http://www.gao.gov/new.items/d07737.pdf (last accessed 10/11/23). The excerpt cited by Plaintiff was one of three reasons the GAO delineated for why determining a link between data breaches and identity theft is challenging. GAO Report at 28. Indeed, attempting to establish a link between the Data Breach and a future risk of identity theft has proved to be a challenge for Plaintiff in the case at bar. However, although the GAO Report indicates that stolen data may be held for a year or more before being used to commit identity theft, this general observation does not explain why there has been no attempted misuse of Plaintiff's data for over eighteen (18) months even though the payment card information of some of CORE's clients has been posted on the Dark Web.
Finally, as to the third factor, Plaintiff submits that the type of information stolen in the Data Breach is sensitive enough to facilitate payment card fraud and identity theft because it includes at least her payment card data and her name, address, email address, and phone number. ECF No. 29 at 15. Plaintiff maintains that the hackers plausibly obtained all of the information a criminal would need to initiate another card-not-present transaction using an online portal fraudulently. Id. In response, CORE argues that the information at issue in Clemens is readily distinguishable from the financial information at issue in this case which, by itself, is insufficient to confer standing. ECF No. 30 at 4. CORE submits that Plaintiff does not allege that the compromised data involves high risk information such as social security numbers, dates of birth and full names, but rather, the type of information stolen here is less sensitive, such as basic publicly available information, e.g., names, addresses, or data that can be rendered useless to cybercriminals (payment card information). Id. at 4.
The Court finds that the nature of the information accessed through the Data Breach is not likely to subject Plaintiff to a substantial risk of identity theft or fraud. There is no alleged disclosure of social security numbers, dates of birth, driver's license numbers, taxpayer identification numbers, banking information, sensitive tax forms, and passport numbers-all of which were disclosed in Clemens. The Clemens Court found that the combination of financial and personal data disclosed in that case was “particularly concerning as it could be used to perpetrate identity theft or fraud.” 48 F.4th at 157. As noted in Clemens, “disclosure of social security numbers, birth dates, and names is more likely to create a risk of identity theft or fraud . . . [while] the disclosure of financial information alone, without corresponding personal information, is insufficient.” Id. at 154 (citations omitted). The Clemens Court went on to explain that “[t]his is because financial information alone generally cannot be used to commit identity theft or fraud.” Id. (citing In re SuperValu, Inc., 870 F.3d 763, 770-71 (8th Cir. 2017)). Because Plaintiff has not alleged that the Data Breach disclosed her social security number or her date of birth, and her name and address is publicly available information, the Court finds that the data disclosed here is unlikely to create a risk of identity theft or fraud generally, and more unlikely in the case of Plaintiff, as it has not been alleged that any of her payment card information was published on the Dark Web.
Together, these three factors do not plausibly show that Plaintiff's threatened risk of harm was “substantial” or “certainly impending.” As such, the Court finds that Plaintiff has failed to show that she sustained a plausible injury in fact sufficient to establish Article III standing.
To the extent Plaintiff attempts to show that her risk of identity theft or fraud is substantial or certainly impending based upon various articles reporting on the prevalence of digital card skimming in the eCommerce industry generally, these reports do not provide any support to show that the risk of harm to Plaintiff in this case was substantial or certainly impending. See, e.g., FAC, ¶¶ 95-100.
Nonetheless, Plaintiff attempts to establish standing by alleging that she has suffered an injury in fact as a result of (1) the alleged investment of time and effort to address the impact of the Data Breach including exploring credit monitoring and identity theft options, (2) the alleged increased anxiety that she claims to have suffered, and (3) the alleged diminution in the value of her personal information. Plaintiff argues that the once a substantial risk of future harm is shown, her reasonable efforts to take mitigation steps and emotional distress can demonstrate standing for damages claims. In support, Plaintiff cites Clemens as well as two cases from other circuits. However, in both Webb and Clemens, the courts of appeals found that the alleged injuries-time spent taking protective measures to address the impact of the data-were a response to a substantial risk of future harm and therefore were not an attempt to “manufacture standing by incurring costs in anticipation of non-imminent harm.” See Webb, 72 F.4th at 377 (citations and internal quotation marks omitted). In Clemens, the Court of Appeals determined that “where the asserted theory of injury is a substantial risk of identity theft or fraud, [which was found to exist in that case,] a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms.” 48 F.4th at 155-56. Here Plaintiff's alleged injuries cannot establish standing for damages because she has failed to show a substantial risk of future harm in the first instance.
Plaintiff cited Webb v. Injured Workers Pharmacy, 72 F.4th 365, 377 (1st Cir. 2023) (“concluding that time spent responding to a data breach can constitute a concrete injury sufficient to confer standing, at least when that time would otherwise have been put to profitable use.”), as well as Green-Cooper, 73 F.4th at 894. However, neither of the cited references are directly on point to the issue presented here. Indeed, the cited excerpt from Green-Cooper is not relevant to Plaintiff's argument as it appears in a discussion regarding whether the district court properly certified the class with regard to commonality requirement.
Moreover, as the Court of Appeals found in Reilly, “[Plaintiffs'] alleged time and money expenditures to monitor their financial information do not establish standing, because costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual' injuries than the alleged ‘increased risk of injury' which form the basis of [Plaintiffs'] claims.” 664 F.3d at 46. Similarly in Clapper, the Supreme Court found that respondents' attempt to establish standing by asserting that they incurred certain costs as a reasonable reaction to a risk of future harm (government surveillance) was unavailing because the harm respondents sought to avoid was not certainly impending. 568 U.S. at 416. Therefore, where a plaintiff has only alleged a hypothetical or speculative risk of future harm, any alleged expenditures attributable to such future harm cannot establish Article III standing.
Similarly, any alleged diminution in the value of her personal information cannot establish an injury in fact where it has been determined that Plaintiff has failed to establish a substantial risk of harm because any alleged future harm remains speculative. See, e.g., Graham v. Universal Health Serv., Inc., 539 F.Supp.3d 481, 488 (E.D.Pa. 2021); see also In re Am. Med. Collection Agency Customer Data Sec. Breach Litig., Civ.A. No. 19-md-2904, 2021 U.S. Dist. LEXIS 240360, at *47 (D.N.J. Dec. 16, 2021)(“without particularized allegations the [plaintiffs'] Personal Information were actually accessed or misused, these plaintiffs cannot plausibly allege that their information suffered any decrease in value.”); Gaddy v. Long & Foster Cos., Civ. No. 21-2396, 2022 U.S. Dist. LEXIS 46657, at *13 (D.N.J. Mar. 15, 2022)(same)(citing In re Am. Med. Collection Agency and Graham, supra).
Likewise, Plaintiff's alleged emotional distress fails to establish an injury in fact in the absence of a substantial risk of future harm. Gaddy, 2022 U.S. Dist. LEXIS at *13 (“plaintiffs' vague allegations of ‘anxiety' and ‘annoyance' untethered to an actual injury or material risk of future harm is inadequate to demonstrate an injury in fact.”) (citing Reilly, 664 F.3d at 44-46 (dismissing for lack of standing though the plaintiffs had made allegations of “emotional distress”)).
Because the Court has determined that Plaintiff has failed to plausibly show a substantial or certainly impending risk of harm, she cannot use prophylactic measures taken in response to a speculative or hypothetical risk of future harm to otherwise establish standing for damages.
Finally, with regard to Plaintiff's claim for injunctive relief, CORE argues that Plaintiff lacks standing to pursue injunctive relief because she does not allege a sufficiently imminent or likely future harm. ECF No. 28 at 19. In support, CORE cites In re Johnson & Johnson Talcum Powder Prods. Mktg., Sales Pracs. & Liab. Litig., 903 F.3d 278, 285 (3d Cir. 2018), for the proposition that to have constitutional standing to seek injunctive relief, a plaintiff must establish that she is “'likely to suffer future injury' from the defendant's conduct.” Id. CORE submits that because it does not collect, store or otherwise maintain customer data inputted into its clients' web portals and has taken steps to secure its environment, and the FAC does not allege otherwise, Plaintiff is not likely to suffer future economic injury from CORE's conduct. Id. CORE also relies on Webb, in which the First Circuit held that “[s]tanding for injunctive relief depends on ‘whether [the plaintiffs are] likely to suffer future injury.'” 72 F.4th at 378 (citing Laufer v. Acheson Hotels, LLC, 50 F.4th 259, 276 (1st Cir. 2022)(quoting City of Los Angeles v. Lyons, 461 U.S. 95, 105 (1983)). See CORE's Reply Br., ECF No. 30 at 4. The Webb Court concluded that the “plaintiffs lack[ed] standing to pursue [injunctive] relief because their requested injunctions are not likely to redress their alleged injuries.” 72 F.4th at 378 (citing Lujan, 504 U.S. at 568-71). CORE maintains that the same would be true in this case.
In response, Plaintiff submits that her claim for injunctive relief should proceed because she has adequately demonstrated the imminency of future harm. ECF No. 29 at 28. In support, Plaintiff relies on Clemens where the Court of Appeals held that in the data breach context, the requirement of an injury to be “concrete” for standing purposes can be met for injunctive relief in the form of an allegation of a risk of future harm so long as that risk is “sufficiently imminent and substantial.” Id. (quoting Clemens, 48 F.4th at 155-57).
Plaintiff's request for injunctive relief is set forth in paragraph 5 of her Prayer for Relief. ECF No. 25 at 31.
However, as explained above, the Court finds that Plaintiff has failed to plausibly show that her future risk of harm is substantial or certainly impending. As such, under Clemens, Plaintiff cannot show that she has met the concrete injury requirement necessary for standing to seek injunctive relief. See Clemens, 48 F.4th at 155 (citing TransUnion LLC, 141 S.Ct. at 2210 (citing Clapper, 567 U.S. at 414 n. 5)).
Moreover, as CORE correctly notes, most of the injunctive relief sought by Plaintiff involves measures to ensure that a future breach does not occur, as opposed to injunctive relief geared towards preventing future injury from the data already stolen. See FAC, ¶¶ 5(b) through (k). But Plaintiff does not allege that any future breach will occur, just that she has a substantial risk of future harm from the data already stolen and published on the Dark Web. As such, the injunctive relief sought by Plaintiff is not likely to redress her alleged injuries. Webb, 72 F.4th at 378. Accordingly, Plaintiff lacks standing to pursue injunctive relief.
Accordingly, because the Court has found that Plaintiff has failed to show that she sustained a plausible injury in fact sufficient to establish Article III standing, the Court recommends that CORE's Motion to Dismiss Pursuant to Rule 12(b)(1) be granted.
2. Motion to Dismiss Under 12(b)(6)
Because the Court has determined that Plaintiff has failed to plausibly show that she has Article III standing to pursue this action, the Court finds that CORE's Motion to Dismiss the First Amended Complaint under Rule 12(b)(6) is now moot. Accordingly, the Court recommends that CORE's Motion to Dismiss the First Amended Complaint Pursuant to Rule 12(b)(6) be denied as moot.
III. CONCLUSION
For the reasons discussed above, it is respectfully recommended that Defendant's Motion to Dismiss First Amended Complaint Pursuant to Rule 12(b)(1) be granted and Defendant's Motion to Dismiss First Amended Complaint Pursuant to Rule 12(b)(6) be denied as moot.
In accordance with the Magistrate Judges Act, 28 U.S.C. §636(b)(1)(B) and (C), and Rule 72.D.2 of the Local Rules of Court, the parties are allowed fourteen (14) days from the date of service of a copy of this Report and Recommendation to file objections. Any party opposing the objections shall have fourteen (14) days from the date of service of objections to respond thereto. Failure to file timely objections will constitute a waiver of any appellate rights.