Filing 47

OPINION. Signed by Judge Claire C. Cecchi on 3/31/2015. (nr, )

Download PDF
NOT FOR PUBLICATION UNITED STATES DISTRICT COURT DISTRICT OF NEW JERSEY Civil Action No.: 13-7418 (CCC) TN RE HORIZON HEALTHCARE SERVICES INC. DATA BREACH LITIGATION OPINION CECCUI, District Judge. I. IT TRODUCTION This matter comes before the Court on motion of Defendant Horizon Healthcare Services, Inc. d/b/a Horizon Blue Cross Blue Shield of New Jersey (“Defendant” or “Horizon”) to dismiss the consolidated class action complaint of Plaintiffs Courtney Diana (“Diana”), Karen Pekelney (“Pekelney”), Mark Meisel (“Meisel”), and itchel1 Rindner (“Rindner”) (collectively, “Plaintiffs”) [ECF No. 40]. Pursuant to Fed. R. Civ. P. 78, no oral argument was heard. For the reasons set forth below, Defendant’s motion is granted. II. BACKGROUND Defendant is a New Jersey-based company that provides health insurance products and services to approximately 3.7 million members. (Am, Compl. ¶i 11-12.) In its normal course of business, Horizon maintains personal and medical information of its members, including: names. dates of birth, Social Security numbers, addresses, medical histories, and insurance information. (Id. ¶ 1.) During the weekend of November 1-3, 2013, an unknown thief stole two passwordprotected laptop computers—containing information of more than 839,000 members—from Defendant’s headquarters in Newark, NJ. (Id. ¶J 32, 37.) Defendant reported the incident to the Newark Police Department on November 4, 2013 and began an investigation into the amount and type of information in the stolen laptops. (Id.) On December 6, 2013, Horizon notified potentially affected members of the theft via letter and press release. (Id. ¶ 37.) The press release concerning the incident stated: A detailed review led by outside computer forensic experts has confirmed that the laptops may have contained files with differing amounts of member information, including name and demographic information (e.g., address, member identification number, date of birth), and in some instances, a Social Security number and/or limited clinical information. Due to the way the stolen laptops were configured, we are not certain that all of the member information contained on the laptops is accessible. (Id. ¶ 37.) Defendant also “offered free credit monitoring and identity theft protection” for members with Social Security numbers on the stolen laptops. (Horizon Press Release (December 6, 2013), available at http://www.horizonblue.comIbrokers/briefnotes/laptop-thefts; Am. Compi. ¶J 62-63.) Plaintiffs filed this putative class action on behalf of themselves and other Horizon members whose personal information was housed in the stolen laptops. They allege that, as “a direct and proximate result of Horizon’s wrongful actions and inaction”, they “have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives”. (Am. Compl. ¶ 58.) Thus, Plaintiffs claim to i As explained. infra. the Court may consider “allegations of the complaint and documents referenced therein and attached thereto, in the light most favorable to the plaintiff.” Constitution Party of Pennyypiy. Aichele, 757 F.3d 347, 358 (3d Cir, 2014). Because the Horizon Press Release is referenced in the Amended Complaint, (Am, Compl. ¶ 37), the Court may consider the entire release. have sustained “economic damages and other actual harm for which they are entitled to compensation”. (Id. ¶ 59 (listing various injuries).) They assert federal causes of action under the Fair Credit Reporting Act (“FCRA”) and several state law causes of action. III. LEGAL STANDARDS The gravamen of Defendant’s motion is that Plaintiffs lack standing to bring their claims. A motion to dismiss for lack of standing is properly brought pursuant to Fed. R. Civ. P. 12(b)(l) because standing is a matter ofjurisdiction. Ballentine v. U.S., 486 F.3d 806, 810 (3d. Cir. 2007) (citing St. Thomas-St. John Hotel Tourism Ass’n v. Gov’t of the U.S. Virgin Islands, 218 F.3d 232, 240 (3d. Cir. 2000)); Kauffhian v. Dreyfus Fund, Inc., 434 F.2d 727, 733 (3d Cir. 1970). However, not all 12(b)(l) motions are created equal: “[a] district court has to first determine [] whether a Rule 12(b)(l) motion presents a ‘facial’ attack or a ‘factual’ attack on the claim at issue, because that distinction determines how the pleading must be reviewed.” Constitution Party of Pennsylvania v. Aichele, 757 F.3d 347, 357 (3d Cir. 2014). A facial attack “is an argument that considers a claim on its face and asserts that it is insufficient to invoke the subject matter jurisdiction of the court because, for example, it does not present a question of federal law”. Id.. at 358. A factual attack, in contrast, “is an argument that there is no subject matter jurisdiction because the facts of the case. . . do not support the asserted jurisdiction.” Id. For instance. “while diversity of citizenship might have been adequately pleaded by the plaintiff, the defendant can submit proof that, in fact, diversity is lacking.” Id. Here, the Defendant’s motion attacks the sufficiency of the consolidated complaint on the grounds that the pleaded facts do not establish constitutional standing. Accordingly, the Court considers the Defendant’s motion a facial attack on the consolidated complaint and therefore “must only consider the allegations of the complaint and documents referenced therein and attached thereto, in the light most favorable to the plaintiff” Id. “Article III of the Constitution limits the jurisdiction of federal courts to ‘Cases’ and ‘Controversies.” Lance v. Cofan, 549 U.S. 437. 439 (2007); Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992) (“Though some of its elements express merely prudential considerations that are part of judicial self-government, the core component of standing is an essential and unchanging part of the case-or-controversy requirement of Article III.”). One key aspect of this case-or-controversy requirement is standing. Lance, 549 U.S. at 439. “The standing inquiry focuses on whether the party invoking jurisdiction had the requisite stake in the outcome when the suit was filed.” Constitution Party of Pennsylvania, 757 F.3d at 360 (citing Davis v. FEC, 554 U.S. 724, 734 (2008)). To establish standing, a plaintiff must satisfy a three-part test, showing: (I) an ‘injury in fact,’ i.e., an actual or imminently threatened injury that is ‘concrete and particularized’ to the plaintiff; (2) causation, i.e., traceability of the injury to the actions of the defendant; and (3) redressability of the injury by a favorable decision by the Court. Nat’l Collegiate Athletic Ass’n v. Gov. of N.J., 730 F.3d 208, 218 (3d. Cir. 2013) (citing Summers v. Earth Island Inst., 555 U.S. 488, 493 (2009)). “The party invoking federal jurisdiction bears the burden of establishing these elements.” Lujan, 504 U.S. at 561. At the motion to dismiss stage, a plaintiff must demonstrate a plausible claim of standing. id. (“each element [of standing] must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, Le, with the manner and deee of evidence required at the successive stages of the litigation.”) All three elements of standing are constitutionally mandated, hut the injury-in-fact requirement is often determinative. IQils. v. p.fReadig , 555 F.3d 131, 138 (3d Cir. 2009). While a plaintiff may adequately allege a future injury sufficient to confer standing, the future injury must be “imminent”. This concept of imminence is “elastic”, but “it cannot be 4 stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes.” Clapper v. Amnesty mCi USA, 133 S. Ct. 1138 (2013). Accordingly, the Supreme Court has reiterated that “threatened injury must be certainly impending to constitute injury in fact, and that allegations of possible future injury are not sufficient.” (edits and citations omitted). A plaintiff must not only allege a cognizable injury-in-fact, but also “a causal connection between the injury and the conduct complained of”. Lujan, 504 U.S. at 560. While “[c]ausation in the context of standing is not the same as proximate causation from tort law”, Constitution Party of Pennsylvania, 757 F.3d at 366, “the injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court.” Lujan, 504 U.S. at 560 (internal edits omitted). “If the injury-in-fact prong focuses on whether the plaintiff suffered harm, then the traceability prong focuses on who inflicted that harm.” Toll Bros., 555 F.3d at 142. The final element of standing, redressability, “is ‘closely related’ to traceability, and the two prongs often overlap.” Id. “The difference is that while traceability looks backward (did the defendants cause the harm?), redressability looks forward (will a favorable decision alleviate the harm?).” Id. That said, “[r]edressability is not a demand for mathematical certainty”—”[i]t is sufficient for the plaintiff to establish a substantial likelihood that the requested relief will remedy the alleged injury in fact.’ Id. at 143 (internal quotation omitted). In the class action context, as here, “[n]amed plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Klein v. Gen. Nutrition Companies. Inc., 186 F.3d 338, 345 (3d Cir. 1999). Accordingly. “a claim S cannot be asserted on behalf of a class unless at least one named plaintiff has suffered the injury that gives rise to that claim.” Griffin v. Dugger, 823 F.2d 1476. 1483 (11th Cir. 1987); In re Niaspan Antitrust Litig.. 2014 WL 4403848, at *16 (E.D. Pa. Sept. 5, 2014). “[IJf none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.” O’Shea v. Littleton, 414 U.S. 488, 494 (1974). IV. DISCUSSION Here, the Court’s subject matter jurisdiction is based on the federal question presented by Plaintiffs claims under FCRA; the Court has supplemental jurisdiction over Plaintiffs’ state law claims. (Am. Compi. ¶ 5.) . Accordingly, as a threshold matter, the Court must examine whether any of the named Plaintiffs have standing under Article Ill to assert their federal claims, as they form the basis of the Court’s jurisdiction. See Griffin, 823 F.2d at 1483. A. Standing of Plaintiffs Diana, Pekelney, and Meisel Defendant contends that Diana, Pekelney, and Meisel have not demonstrated a cognizable injury sufficient for Article III standing. (Def.’s Mot. at 5-6.) These Plaintiffs have not alleged, Horizon argues, that “their personal information was accessed” or “misused”, that there have been “any unauthorized withdrawals [from] their accounts”, that their “credit has been impaired”, or that “their identities [have been] stolen”. (Def’s Not. at 6) In response, Plaintiffs stop one step shy of explicitly conceding that Diana, Pekelney. and Meisel have not sutTered any particularized harm. (See Pis.’ Opp’n at 7-IS.) Indeed, Plaintiffs devote two separate sections of their brief to Rindner’ s injuries, (Id. at 11, 16-18), but fail to point out any individual harm suffered by Diana, Pekelnev, or Meisel. Instead, Plaintiffs rest on generalized allegations of harm based on (1) “economic injury”. (2) “violation of common law and statutory rights’. and (3) “an imminent 6 risk of future harm”. (Id. at 7-18.) The Court will examine each of these theories in turn. 1. Economic Injuries With respect to “economic injury”, Plaintiffs claim that they “received less than they bargained for” because they paid insurance premiums to Defendant that were, at least in part, “allocated” for data protection and Defendant “did not encrypt all computers”. ( at 8-9.) In support of this argument, Plaintiffs cite Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) for the proposition that, where a plaintiff pays for data security through monthly premiums and the defendant fails to secure personal data, a plaintiff has standing. In Resnick, as here, two laptop computers containing members’ personal information was stolen from a health care company. Resnick. 693 F.3d at 1322. However, the named plaintiffs in Resnick explicitly alleged that (1) they were “careful in guarding their sensitive information and had never been victims of identity theft before the laptops were stolen”, and (2) they had become victims of identity theft within a year of the laptop larceny. Id. More specifically, one plaintiff contended that bank accounts were opened in her name, credit cards were activated, the cards were used to make unauthorized purchases, and her home address was changed with the U.S. Postal service. Id. The other plaintiff claimed that an account was opened in his name with E*Trade Financial and he was notified that the account had been overdrawn. The court found that plaintiffs’ alleged injuries- in-fact were sufficient for standing because they had “become victims of identity theft and have suffered monetary damages as a result,” Id. at 1323.2 2 Under the second prong of the standing inquiry, the court also found that these injuries were fairly traceable to the defendant because. “[d]espite [p]laintiffs’ personal habits of securing their sensitive information, [p]laintiffs became the victims of identity theft after the unencrypted laptops containing their sensitive information were stolen.” Id. at 1324. Importantly. plaintiffs injuries were redressable under the third standing prong because they alleged “a monetary injury and an award of compensatory damages would redress that injury.” Ed. 7 In stark contrast, neither Diana nor Pekelney nor Meisel allege that they were careful in guarding their sensitive information, that they suffered any monetary losses like those alleged in Resnick, or that they have sustained any other injuries such as identity theft, identity fraud, medical fraud, or phishing. The only discussion in Resnick regarding the connection between insurance premiums and inadequate data security is an analysis of whether plaintiffs adequately plead a claim for unjust enrichment under Florida law. Importantly. as explained above, the court determined that plaintiffs had standing before reaching this state law question. Thus, Diana, Pekelney, and Meisel have not alleged an “economic injury” sufficient for standing. In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 2014 WL 1858458, at *rn (D.D.C. May 9, 2014) [hereinafter “SAIC Data Theft”] (“To the extent that [p]laintiffs claim that some indeterminate part of their premiums went toward paying for security measures, such a claim is too flimsy to support standing.”) 2. Violation of Common Law and Statutory Rights With respect to “violation of common law and statutory rights”, Plaintiffs claim that they have sustained an injury sufficient for standing merely because their rights were purportedly violated. (Pls.’ Opp’n at 9-10.) It is well settled that “[t]he proper analysis of standing focuses on whether the plaintiff suffered an actual injury, not on whether a statute was violated.” Doe v. Nat’l Bd. of Med. Examiners. 199 F.3d 146, 153 (3d Cir. 1999). In SAIC Data Theft. Judge Boasberg succinctly stated: “Standing [] does not merely require a showing that the law has been violated, or that a statute will reward litigants in general upon showing of a violation, Rather, standing demands some form of injury—some showing that the legal violation harmed you in particular. and that you are therefore an appropriate advocate in federal court.” 2014 WL 1858458, at *10. As previously explained, Plaintiffs Diana, Pekelney, and Meisel do not allege any specific harm 8 as a result of Horizon’s stolen laptops and therefore may not rest on mere violations of statutory and common law rights to maintain standing. See Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451, 469 (D,N.J. 2013) (“[Mjerely asserting violations of certain statutes is not sufficient to demonstrate an injury-in-fact for purposes of establishing standing under Article III”.) 3. Imminent Risk of Future Harm With respect to ‘san imminent risk of future harm”, Plaintiffs contend that, despite their lack of injury thus far, ‘identity theft could occur at moment”. (PIs.’ Opp’n at 15.) The Third Circuit’s decision in Reilly is both squarely on point and binding on this Court. 664 F.3d 38 (3d 3 Cir. 2011). There, an unknown hacker infiltrated the computer system of a payroll processing firm, potentially gaining access to the names, addresses, social security numbers, dates of birth, and bank account information of approximately 27,000 employees. Id. There, as here, the defendant worked with law enforcement and professional investigators to determine what information the hacker may have accessed, sent letters to potential identity theft victims, and provided potentially affected individuals with one year of free credit monitoring and identity theft protection. Id. The Reilly court held that “an increased risk of identity theft resulting from a security breach [isj [J insufficient to secure standing.” jj at 43. In so holding, the court recognized that the plaintiffs’ contentions relied “on speculation that the hacker: (1) read, copied, and understood their personal information: (2) intends to commit future criminal acts by misusing the information: and (3) is able to use such information to the detriment of {plaintiffsj by making As Plaintiffs themselves admit, “çjppg[yestvInfSA, 133 S. Ct, 1138 (2013)] did not impose a new framework for Article III standing” in the Third Circuit. (P1s’ Opp’n at 14’ I 5.) Moreover, this Court recognized in Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 20I3)—a case that postdates ,ppr—that the Court is bound by Rciil. 9 unauthorized transactions in [plaintiffs’) names.” j at 42. Plaintiffs’ “allegations of hypothetical, future injury are insufficient to establish standing” because plaintiffs had “not suffered any injury” and would not sustain an injury ‘[u]nless and until these conjectures come true”. Id. Simply put. “there [was] no misuse of the information, and thus, no harm”. hi. This Court, in Polanco. 988 F. Supp. 2d 451 (D.N.J. 2013), faced a putative class action strikingly similar to the case at bar. There, a laptop containing personal and medical information of thousands of patients was stolen from an employee’s locked car. Id. at 456. As in this case, the defendant contended that there was “no reason to believe that the [laptop] was taken for the information it contained, or that the information has been accessed or used improperly.” Id. at 469. Judge Hillman concluded that the plaintiff “has not alleged an injury sufficient to confer standing” because plaintiff could not distinguish her injuries from the hypothetical injuries in Reilly. Id. at 466-70. Plaintiffs attempt to evade these cases by arguing that “[t]he imminence of future harm in data breach cases depends upon two factors: (1) whether any of the compromised data was misused post-breach, causing injury, and ([2]) whether the facts surrounding the data breach indicate that the data theft was sophisticated, intentional, or malicious.” (PIs.’ Opp’n at 11 .) However, even if this accurately characterizes the law, Plaintiffs Diana, Pekelney, and Meisel fail on both prongs. As extensively discussed above, these Plaintiffs have not alleged a’ post-breach misuse of compromised data. With respect to the “sophisticated, intentional, or malicious” nature of the data As Defendant points out, two cases on which Plaintiffs rely—Pisciotta v, Old National Bap, 499 F.3d 629 (7th 628 F.3d 1139 (9th Cir,20 10)—were expressly rejected by the Third Cir.2007) and pgr2 SJarbucks Co 664 F,3d at 44, In any event, the subsequent decision of ç,ppr has created intra-circuit Circuit in j)Jy. Reilly, splits between district courts in the Seventh and Ninth Circuits regarding whether çjppr overruled Piscioua and Krottner. Peters v. St. Joseph Servs. Corp.. 2015 WL 589561. at *8, n. 10 (S.D. Tex. Feb. 11.2015). ,, 10 breach—a factor supported only by oblique dicta in Reilly—the Court fails to see how the theft of Horizon laptops here is any more “sophisticated, intentional, or malicious” than the taking of a laptop from a locked car in Polanco or the hacking of a computer system in Reilly. If anything, hacking a computer seems to require more planning, savvy, and sophistication than the simple theft of two laptops. Additionally, compared to hypothetical string of events identified in Reilly, Plaintiff’s injury is even more attenuated: (1) the crook must gain access to the information on the password-protected laptops, (2) he or she must read, copy, and understood the personal information; (3) he or she must intend to commit future criminal acts by misusing the information; and (4) the perpetrator must then be able to use such information to the detriment of Plaintiffs by making unauthorized transactions in Plaintiffs’ names. See Reilly, 664 F.3d at 42. As in Reilly and other data breach cases, Plaintiffs’ future injuries stem from the conjectural conduct of a third party bandit and are therefore inadequate to confer standing. ; Peters v. St. Joseph Servs. Corp., 2015 WL 589561, at *5 (S.D. Tex. Feb. 11, 2015) (rejecting standing in a data breach case premised on the theory of an imminent identity theft); SAIC Data Theft, 2014 WL 1858458, at *6 (Rejecting standing where “events are entirely dependent on the actions of an unknown third party—namely, the thief’, and noting: “[alt this point, we do not know who she was, how much she knows about computers, or what she has done with the [stolen] tapes.”): Galaria v. Nationwide Mut, Ins, Co.. 998 F. Supp. 2d 646, 655 (S.D. Ohio 2014) (Rejecting standing because, “[e]ven though Named Plaintiffs allege a third party or parties have their [personal information], whether Named Plaintiffs will become victims of theft or fraud or phishing is entirely contingent on what, if anything, the third party criminals do with that information.”). Accordingly, Plaintiffs Diana, Pekelney. and Meisel cannot rely on their increased likelihood of future harm as a basis for II 5 standing. For the reasons set forth above, Diana, Pekelney, and Meisel do not have standing to assert their FCRA claims. B. Standing of Plaintiff Rindner Unlike the other Plaintiffs, Rindner asserts that the Horizon laptop thief filed a fraudulent joint tax return under his and his wife’s names. (Am. Compi. ¶J 10, 60; Pis.’ Opp’n at 11.) Rindner also claims that the unknown culprit attempted to fraudulently use his credit card. (RI.) Defendant contends that Rindner’s fraudulent tax return is not a cognizable injury because he received a full tax refund. (Def.’s Mot. at 6, n. 4.) Defendant also argues that any injury resulting from the 6 fraudulent tax return or the purported credit card use was not sufficiently linked to the laptop theft and therefore does not meet the causation requirement of standing. (RI. at 6-1 1.) 7 1. Fraudulent Tax Return Rindner alleges that, “[ajs a result of the Data Breach, a thief or thieves submitted to the Internal Revenue Service [j a fraudulent Income Tax Return for 2013 in Rindner’s and his wife’s names and stole their 2013 income tax refund.” (Am. Compi. ¶ 60.) Defendant strenuously argues that “[Rindner’sJ allegations contradict any plausible connection to the laptop theft”, because Rindner Because Plaintiffs cannot rely on their asserted future harm for standing, they also may not rely on th.e expense of credit monitoring and other preventative measures for standing. See çippgr, 133 S. Ct. at 1151(2013) (“[plaintiffs] cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending”): Reilly. 664 F,3d at 46 (“P1aintiffs’1 alleged time and money expenditures to monItor their financial information do not establish standing. because costs incurred to watch fur a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased risk of injury’ which forms the basis for [plaintiffs’] claims.”) Defendant characterizes this argument as an attack on the injuryinfact requirement. (Def.’s Mot. at 6. n. 4.) As discussed further below, the Court views this more properly as a redressability argument. To the extent Rindner claims the same generalized harms as Plaintiffs Diana. PekeIney. and Meisel. those assertions fail for the reasons stated, supra. does not contend that the stolen laptops contained any personal infonnation from Rindner’s nif such that the perpetrator could submit a fraudulent tax return form in her name. (Def. Mot. at 7.) 8 This fact, Defendant reasons, in addition to the fact that no other putative class member—out of 839,000—alleges any identity theft, demonstrate that Rindner’s identity was stolen through other means. (Id. at 7-9.) In opposition, Rindner indicates that the laptop thief could have obtained Rindner’s personal information from the stolen computers and cobbled together his wife’s personal information from other sources. (Pis.’ Opp’n at 17-18.) Defendant, in reply, counters that this is exactly the point: if the identity thief stole personal information from another source, then Rindner cannot bear his burden of demonstrating standing. (Def.’s Reply at 2-3.) It is true, as Rindner notes, that the Third Circuit has recognized “room for concurrent causation in the analysis of standing.” Constitution Party of Pennsylvania, 757 F.3d at 366. Two points bear mention. First, although there is room for concurrent causation in the “analysis” of standing, this does not mean that pure concurrent causation (two independent actions comingling to cause a plaintiffs injury) is stfJIcient for standing purposes. In other words, concurrent causes may provide a basis for standing, but the analysis does not end there. Second, even accepting Rindner’s concurrent causation theory that his personal information was taken from the Horizon laptops and combined with his wife’s personal information from an unidentified source, he cannot plausibly demonstrate a causal connection adequate for standing. The court in SAIC Data Theft, faced a very similar situation. There. several plaintiffs alleged that “unauthorized charges were made to their existing credit cards or debit cards, or that Plaintiffs note that. if oiven the opportunity to amend their complaint. they would allege that Rindner furnished his wife’s Social Security number to Horizon at the time ofenroliment. (Pis.’ Opp’n at 17. n. 11.) 13 money was withdrawn from an existing bank account.” 2014 WL 1858458, at *11. Although credit-card, debit-card, or bank-account infonnation was not on the stolen tapes, the plaintiffs argued that “a criminal could obtain some of a victim’s personal information from a data breach and then go ‘phishing’ to get the rest. . . . That is, the crook could acquire a name and phone number and then make calls pretending to be a legitimate business asking for information like credit-card or bank—account numbers.” Id. The court rejected this contention. After noting that, like here, the plaintiffs did not allege any phishing in their complaint, Judge Boasberg explained: [plaintiffs] proffer no plausible explanation for how the thief would have acquired their banking information. In a society where around 3.3% of the population will experience some form of identity theft— regardless of the source—it is not surprising that at least five people out of a group of 4.7 million happen to have experienced some form of credit or bank-account fraud. As that information was not on the tapes, though, Plaintiffs cannot causally link it to the SAIC breach. Id. (citation omitted). This rationale applies with equal force here. Indeed, the minuscule percentage of affected members in both SAIC Data Theft and the present case are exactly the same: 0.0001%. And while it is possible that the thief obtained Rindner’s wife’s information from another source and pooled it with Rindner’s information from the stolen laptops, the dearth of any other identity theft victims (out of 839,000 members) makes this an unlikely scenario. As Defendant points out, “Rindner’s circumstances are singular, unique, and particular to him”. (Def.’s Mot. at 8.) In sum, even if Rindner’s theory is adequate to support standing in the abstract. the facts of this case demonstrate the remote possibility, rather than the plausibility, that the fraudulent tax return was connected to the Horizon laptop theft, Accordingly, Rindner’s tax fraud injury is not “fairly traceable” to Defendant. Finally, even if the Court were to find that Rindner’s injury was “fairly traceable” to Defendant, his claim must fail at the third element of standing: redressability. As Defendant notes, 14 Rindner admits receiving his tax refund. Therefore, even if Horizon were found culpable for the 9 laptop thefts under FCRA, Rindner would not be entitled to damages because he already received his tax refund. Accordingly, Rindner cannot meet the third prong of redressability. See People To End Homelessness, Inc. v. Develco Singles Apartments Associates, 339 F.3d 1, 9 (1st Cir. 2003) (“[plaintiffl does not have standing to pursue its lawsuit because its alleged injuries, to the extent they can be redressed, have already been remedied”); Hammond v. The Bank of New York Mellon Corp., 2010 WL 2643307, at *8 (S.D.N.Y. June 25, 2010) (same). For the foregoing reasons, Rindner lacks standing to bring FCRA claims based on the alleged false tax return. 2. Fraudulent Credit Card Use Rindner also alleges fraudulent use of his credit card. (Am. Compl. ¶J 10, 60). Defendant points out, and Rindner does not contest, that current credit card information (as opposed to a new credit card, which can be fraudulently obtained using a stolen Social Security number) was not on the stolen laptops. (Def.’s Reply at 2.) Thus, any harm stemming from the fraudulent use of Rindner’s current credit card is not “fairly traceable” to Defendant.’ 0 $, SAIC Data Theft, 2014 WL 1858458, at *6 (“Five of those six [plaintiffsj claim only that unauthorized charges were made to their existing credit cards or debit cards. or that money was withdrawn from an existing bank Indeed. Plaintiffs did not even address this argument in their opposition brief. And while the consolidated complaint sets forth the bare assertion that “Rmdner has also been damaged financiallY by the related delay in receiving his tax refund fur 2013”, (Am. Compl. ‘ 10), he gives no explanation as to how or why that is the case. Such “[t]hreadbare recitals” and “mere conelusory statements, do not suffice.” croft.Ibal, 556 U.S. 662, 678 (2009). Rindner does not seem to make an argument analogous to his fraudulent tax return argument; i.e.. although current credit card information was not on the stolen laptops. the thief could have used the personal information therein to obtain Rindner’s credit card information from another source. Nonetheless, this argument would fail for the reasons explained in the tax fraud discussion, supra. _____ _____ _____ _ account. But here!s the problem: No one alleges that credit-card, debit-card. or bank-account information was on the stolen tapes....As that information was not on the tapes, [J [pilaintiffs cannot causally link it to the SAIC breach.”). Accordingly, Rindner lacks standing to bring FCRA claims based on the alleged fraudulent use of his credit card. C. Plaintiffs’ State Law Claims In addition to the FCRA claims, Plaintiffs also assert various New Jersey state law claims. (Am. Compl. ¶J 103-170). Given that the Court lacks original jurisdiction over Plaintiffs’ federal claims, the Court lacks discretion to retain supplemental jurisdiction over the state law claims pursuant to 28 U.S.C. § 1367. Storino v. Borough of Pleasant Beach, 322 F.3d 293, 299-300 (3d Cir. 2003) (noting that because the plaintiffs lacked standing, “the District Court lacked original jurisdiction over the federal claim, and it therefore could not exercise supplemental jurisdiction”). Thus, the Court will dismiss the state law claims. V. COCLUS ION As explained above, none of the named Plaintiffs have adequately alleged Article III standing. Accordingly, the Court shall dismiss Plaintiffs’ consolidated class action complaint without prejudice. An appropriate Order follows this Opinion. DATE CLAIRE C. CECC11I, U.SD.J. 16

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

Why Is My Information Online?