IN RE HORIZON HEALTHCARE SERVICES INC. DATA BREACH LITIGATION
Filing
47
OPINION. Signed by Judge Claire C. Cecchi on 3/31/2015. (nr, )
NOT FOR PUBLICATION
UNITED STATES DISTRICT COURT
DISTRICT OF NEW JERSEY
Civil Action No.: 13-7418 (CCC)
TN RE HORIZON HEALTHCARE
SERVICES INC. DATA BREACH
LITIGATION
OPINION
CECCUI, District Judge.
I.
IT TRODUCTION
This matter comes before the Court on motion of Defendant Horizon Healthcare Services,
Inc. d/b/a Horizon Blue Cross Blue Shield of New Jersey (“Defendant” or “Horizon”) to dismiss
the consolidated class action complaint of Plaintiffs Courtney Diana (“Diana”), Karen Pekelney
(“Pekelney”), Mark Meisel (“Meisel”), and itchel1 Rindner (“Rindner”) (collectively,
“Plaintiffs”) [ECF No. 40]. Pursuant to Fed. R. Civ. P. 78, no oral argument was heard. For the
reasons set forth below, Defendant’s motion is granted.
II.
BACKGROUND
Defendant is a New Jersey-based company that provides health insurance products and
services to approximately 3.7 million members. (Am, Compl. ¶i 11-12.) In its normal course of
business, Horizon maintains personal and medical information of its members, including: names.
dates of birth, Social Security numbers, addresses, medical histories, and insurance information.
(Id. ¶ 1.) During the weekend of November 1-3, 2013, an unknown thief stole two passwordprotected laptop computers—containing information of more than 839,000 members—from
Defendant’s headquarters in Newark, NJ. (Id.
¶J 32,
37.) Defendant reported the incident to the
Newark Police Department on November 4, 2013 and began an investigation into the amount and
type of information in the stolen laptops. (Id.) On December 6, 2013, Horizon notified potentially
affected members of the theft via letter and press release. (Id.
¶ 37.)
The press release concerning
the incident stated:
A detailed review led by outside computer forensic experts has
confirmed that the laptops may have contained files with differing
amounts of member information, including name and demographic
information (e.g., address, member identification number, date of
birth), and in some instances, a Social Security number and/or
limited clinical information. Due to the way the stolen laptops were
configured, we are not certain that all of the member information
contained on the laptops is accessible.
(Id.
¶
37.) Defendant also “offered free credit monitoring and identity theft protection” for
members with Social Security numbers on the stolen laptops. (Horizon Press Release (December
6, 2013), available at http://www.horizonblue.comIbrokers/briefnotes/laptop-thefts; Am. Compi.
¶J 62-63.)
Plaintiffs filed this putative class action on behalf of themselves and other Horizon
members whose personal information was housed in the stolen laptops. They allege that, as “a
direct and proximate result of Horizon’s wrongful actions and inaction”, they “have been placed
at an imminent, immediate, and continuing increased risk of harm from identity theft, identity
fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and
potential impact of the Data Breach on their lives”. (Am. Compl. ¶ 58.) Thus, Plaintiffs claim to
i
As explained. infra. the Court may consider “allegations of the complaint and documents referenced therein and
attached thereto, in the light most favorable to the plaintiff.” Constitution Party of Pennyypiy. Aichele, 757
F.3d 347, 358 (3d Cir, 2014). Because the Horizon Press Release is referenced in the Amended Complaint, (Am,
Compl. ¶ 37), the Court may consider the entire release.
have sustained “economic damages and other actual harm for which they are entitled to
compensation”. (Id.
¶ 59 (listing various injuries).) They assert federal causes of action under the
Fair Credit Reporting Act (“FCRA”) and several state law causes of action.
III.
LEGAL STANDARDS
The gravamen of Defendant’s motion is that Plaintiffs lack standing to bring their claims.
A motion to dismiss for lack of standing is properly brought pursuant to Fed. R. Civ. P. 12(b)(l)
because standing is a matter ofjurisdiction. Ballentine v. U.S., 486 F.3d 806, 810 (3d. Cir. 2007)
(citing St. Thomas-St. John Hotel Tourism Ass’n v. Gov’t of the U.S. Virgin Islands, 218 F.3d
232, 240 (3d. Cir. 2000)); Kauffhian v. Dreyfus Fund, Inc., 434 F.2d 727, 733 (3d Cir. 1970).
However, not all 12(b)(l) motions are created equal: “[a] district court has to first determine
[]
whether a Rule 12(b)(l) motion presents a ‘facial’ attack or a ‘factual’ attack on the claim at issue,
because that distinction determines how the pleading must be reviewed.” Constitution Party of
Pennsylvania v. Aichele, 757 F.3d 347, 357 (3d Cir. 2014). A facial attack “is an argument that
considers a claim on its face and asserts that it is insufficient to invoke the subject matter
jurisdiction of the court because, for example, it does not present a question of federal law”. Id.. at
358. A factual attack, in contrast, “is an argument that there is no subject matter jurisdiction
because the facts of the case.
.
.
do not support the asserted jurisdiction.” Id. For instance. “while
diversity of citizenship might have been adequately pleaded by the plaintiff, the defendant can
submit proof that, in fact, diversity is lacking.” Id. Here, the Defendant’s motion attacks the
sufficiency of the consolidated complaint on the grounds that the pleaded facts do not establish
constitutional standing. Accordingly, the Court considers the Defendant’s motion a facial attack
on the consolidated complaint and therefore “must only consider the allegations of the complaint
and documents referenced therein and attached thereto, in the light most favorable to the plaintiff”
Id.
“Article III of the Constitution limits the jurisdiction of federal courts to ‘Cases’ and
‘Controversies.” Lance v. Cofan, 549 U.S. 437. 439 (2007); Lujan v. Defenders of Wildlife,
504 U.S. 555, 560 (1992) (“Though some of its elements express merely prudential considerations
that are part of judicial self-government, the core component of standing is an essential and
unchanging part of the case-or-controversy requirement of Article III.”). One key aspect of this
case-or-controversy requirement is standing. Lance, 549 U.S. at 439. “The standing inquiry
focuses on whether the party invoking jurisdiction had the requisite stake in the outcome when the
suit was filed.” Constitution Party of Pennsylvania, 757 F.3d at 360 (citing Davis v. FEC, 554 U.S.
724, 734 (2008)). To establish standing, a plaintiff must satisfy a three-part test, showing:
(I) an ‘injury in fact,’ i.e., an actual or imminently threatened injury that is ‘concrete and
particularized’ to the plaintiff; (2) causation, i.e., traceability of the injury to the actions
of the defendant; and (3) redressability of the injury by a favorable decision by the Court.
Nat’l Collegiate Athletic Ass’n v. Gov. of N.J., 730 F.3d 208, 218 (3d. Cir. 2013) (citing Summers
v. Earth Island Inst., 555 U.S. 488, 493 (2009)). “The party invoking federal jurisdiction bears the
burden of establishing these elements.” Lujan, 504 U.S. at 561. At the motion to dismiss stage, a
plaintiff must demonstrate a plausible claim of standing.
id. (“each element [of standing] must
be supported in the same way as any other matter on which the plaintiff bears the burden of
proof, Le, with the manner and deee of evidence required at the successive stages of the
litigation.”)
All three elements of standing are constitutionally mandated, hut the injury-in-fact
requirement is often determinative. IQils. v.
p.fReadig
,
555 F.3d 131, 138 (3d Cir.
2009). While a plaintiff may adequately allege a future injury sufficient to confer standing, the
future injury must be “imminent”. This concept of imminence is “elastic”, but “it cannot be
4
stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for
Article III purposes.” Clapper v. Amnesty
mCi USA,
133 S. Ct. 1138 (2013). Accordingly, the
Supreme Court has reiterated that “threatened injury must be certainly impending to constitute
injury in fact, and that allegations of possible future injury are not sufficient.”
(edits and
citations omitted).
A plaintiff must not only allege a cognizable injury-in-fact, but also “a causal connection
between the injury and the conduct complained of”. Lujan, 504 U.S. at 560. While “[c]ausation
in the context of standing is not the same as proximate causation from tort law”, Constitution Party
of Pennsylvania, 757 F.3d at 366, “the injury has to be fairly traceable to the challenged action of
the defendant, and not the result of the independent action of some third party not before the court.”
Lujan, 504 U.S. at 560 (internal edits omitted). “If the injury-in-fact prong focuses on whether the
plaintiff suffered harm, then the traceability prong focuses on who inflicted that harm.” Toll Bros.,
555 F.3d at 142.
The final element of standing, redressability, “is ‘closely related’ to traceability, and the
two prongs often overlap.” Id. “The difference is that while traceability looks backward (did the
defendants cause the harm?), redressability looks forward (will a favorable decision alleviate the
harm?).” Id. That said, “[r]edressability is not a demand for mathematical certainty”—”[i]t is
sufficient for the plaintiff to establish a substantial likelihood that the requested relief will remedy
the alleged injury in fact.’ Id. at 143 (internal quotation omitted).
In the class action context, as here, “[n]amed plaintiffs who represent a class must allege
and show that they personally have been injured, not that injury has been suffered by other,
unidentified members of the class to which they belong and which they purport to represent.”
Klein v. Gen. Nutrition Companies. Inc., 186 F.3d 338, 345 (3d Cir. 1999). Accordingly. “a claim
S
cannot be asserted on behalf of a class unless at least one named plaintiff has suffered the injury
that gives rise to that claim.” Griffin v. Dugger, 823 F.2d 1476. 1483 (11th Cir. 1987); In re
Niaspan Antitrust Litig.. 2014 WL 4403848, at *16 (E.D. Pa. Sept. 5, 2014). “[IJf none of the
named plaintiffs purporting to represent a class establishes the requisite of a case or controversy
with the defendants, none may seek relief on behalf of himself or any other member of the class.”
O’Shea v. Littleton, 414 U.S. 488, 494 (1974).
IV.
DISCUSSION
Here, the Court’s subject matter jurisdiction is based on the federal question presented by
Plaintiffs claims under FCRA; the Court has supplemental jurisdiction over Plaintiffs’ state law
claims. (Am. Compi. ¶ 5.)
.
Accordingly, as a threshold matter, the Court must examine whether
any of the named Plaintiffs have standing under Article Ill to assert their federal claims, as they
form the basis of the Court’s jurisdiction. See Griffin, 823 F.2d at 1483.
A.
Standing of Plaintiffs Diana, Pekelney, and Meisel
Defendant contends that Diana, Pekelney, and Meisel have not demonstrated a cognizable
injury sufficient for Article III standing. (Def.’s Mot. at 5-6.) These Plaintiffs have not alleged,
Horizon argues, that “their personal information was accessed” or “misused”, that there have been
“any unauthorized withdrawals [from] their accounts”, that their “credit has been impaired”, or
that “their identities [have been] stolen”. (Def’s Not. at 6) In response, Plaintiffs stop one step
shy of explicitly conceding that Diana, Pekelney. and Meisel have not sutTered any particularized
harm. (See Pis.’ Opp’n at 7-IS.) Indeed, Plaintiffs devote two separate sections of their brief to
Rindner’ s injuries, (Id. at 11, 16-18), but fail to point out any individual harm suffered by Diana,
Pekelnev, or Meisel.
Instead, Plaintiffs rest on generalized allegations of harm based on
(1) “economic injury”. (2) “violation of common law and statutory rights’. and (3) “an imminent
6
risk of future harm”. (Id. at 7-18.) The Court will examine each of these theories in turn.
1.
Economic Injuries
With respect to “economic injury”, Plaintiffs claim that they “received less than they
bargained for” because they paid insurance premiums to Defendant that were, at least in part,
“allocated” for data protection and Defendant “did not encrypt all computers”. ( at 8-9.) In
support of this argument, Plaintiffs cite Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012)
for the proposition that, where a plaintiff pays for data security through monthly premiums and the
defendant fails to secure personal data, a plaintiff has standing. In Resnick, as here, two laptop
computers containing members’ personal information was stolen from a health care company.
Resnick. 693 F.3d at 1322. However, the named plaintiffs in Resnick explicitly alleged that
(1) they were “careful in guarding their sensitive information and had never been victims of
identity theft before the laptops were stolen”, and (2) they had become victims of identity theft
within a year of the laptop larceny. Id. More specifically, one plaintiff contended that bank
accounts were opened in her name, credit cards were activated, the cards were used to make
unauthorized purchases, and her home address was changed with the U.S. Postal service. Id. The
other plaintiff claimed that an account was opened in his name with E*Trade Financial and he was
notified that the account had been overdrawn.
The court found that plaintiffs’ alleged injuries-
in-fact were sufficient for standing because they had “become victims of identity theft and have
suffered
monetary damages as a result,” Id. at 1323.2
2
Under the second prong of the standing inquiry, the court also found that these injuries were fairly traceable to the
defendant because. “[d]espite [p]laintiffs’ personal habits of securing their sensitive information, [p]laintiffs became
the victims of identity theft after the unencrypted laptops containing their sensitive information were stolen.” Id. at
1324. Importantly. plaintiffs injuries were redressable under the third standing prong because they alleged “a
monetary injury and an award of compensatory damages would redress that injury.” Ed.
7
In stark contrast, neither Diana nor Pekelney nor Meisel allege that they were careful in
guarding their sensitive information, that they suffered any monetary losses like those alleged in
Resnick, or that they have sustained any other injuries such as identity theft, identity fraud, medical
fraud, or phishing. The only discussion in Resnick regarding the connection between insurance
premiums and inadequate data security is an analysis of whether plaintiffs adequately plead a claim
for unjust enrichment under Florida law. Importantly. as explained above, the court determined
that plaintiffs had standing before reaching this state law question. Thus, Diana, Pekelney, and
Meisel have not alleged an “economic injury” sufficient for standing.
In re Sci. Applications
Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 2014 WL 1858458, at
*rn
(D.D.C. May 9,
2014) [hereinafter “SAIC Data Theft”] (“To the extent that [p]laintiffs claim that some
indeterminate part of their premiums went toward paying for security measures, such a claim is
too flimsy to support standing.”)
2.
Violation of Common Law and Statutory Rights
With respect to “violation of common law and statutory rights”, Plaintiffs claim that they
have sustained an injury sufficient for standing merely because their rights were purportedly
violated. (Pls.’ Opp’n at 9-10.) It is well settled that “[t]he proper analysis of standing focuses on
whether the plaintiff suffered an actual injury, not on whether a statute was violated.” Doe v. Nat’l
Bd. of Med. Examiners. 199 F.3d 146, 153 (3d Cir. 1999). In SAIC Data Theft. Judge Boasberg
succinctly stated: “Standing
[] does not merely require a showing that the law has been violated,
or that a statute will reward litigants in general upon showing of a violation, Rather, standing
demands some form of injury—some showing that the legal violation harmed you in particular.
and that you are therefore an appropriate advocate in federal court.” 2014 WL 1858458, at *10.
As previously explained, Plaintiffs Diana, Pekelney, and Meisel do not allege any specific harm
8
as a result of Horizon’s stolen laptops and therefore may not rest on mere violations of statutory
and common law rights to maintain standing. See Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451,
469 (D,N.J. 2013) (“[Mjerely asserting violations of certain statutes is not sufficient to demonstrate
an injury-in-fact for purposes of establishing standing under Article III”.)
3.
Imminent Risk of Future Harm
With respect to ‘san imminent risk of future harm”, Plaintiffs contend that, despite their
lack of injury thus far, ‘identity theft could occur at moment”. (PIs.’ Opp’n at 15.) The Third
Circuit’s decision in Reilly is both squarely on point and binding on this Court. 664 F.3d 38 (3d
3
Cir. 2011). There, an unknown hacker infiltrated the computer system of a payroll processing
firm, potentially gaining access to the names, addresses, social security numbers, dates of birth,
and bank account information of approximately 27,000 employees.
Id. There, as here, the
defendant worked with law enforcement and professional investigators to determine what
information the hacker may have accessed, sent letters to potential identity theft victims, and
provided potentially affected individuals with one year of free credit monitoring and identity theft
protection. Id. The Reilly court held that “an increased risk of identity theft resulting from a
security breach [isj
[J insufficient to secure standing.” jj at 43. In so holding, the court recognized
that the plaintiffs’ contentions relied “on speculation that the hacker: (1) read, copied, and
understood their personal information: (2) intends to commit future criminal acts by misusing the
information: and (3) is able to use such information to the detriment of {plaintiffsj by making
As Plaintiffs themselves admit, “çjppg[yestvInfSA, 133 S. Ct, 1138 (2013)] did not impose a new
framework for Article III standing” in the Third Circuit. (P1s’ Opp’n at 14’ I 5.) Moreover, this Court recognized in
Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 20I3)—a case that postdates ,ppr—that the Court is
bound by Rciil.
9
unauthorized transactions in [plaintiffs’) names.” j at 42. Plaintiffs’ “allegations of hypothetical,
future injury are insufficient to establish standing” because plaintiffs had “not suffered any injury”
and would not sustain an injury ‘[u]nless and until these conjectures come true”. Id. Simply put.
“there [was] no misuse of the information, and thus, no harm”. hi.
This Court, in Polanco. 988 F. Supp. 2d 451 (D.N.J. 2013), faced a putative class action
strikingly similar to the case at bar. There, a laptop containing personal and medical information
of thousands of patients was stolen from an employee’s locked car. Id. at 456. As in this case, the
defendant contended that there was “no reason to believe that the [laptop] was taken for the
information it contained, or that the information has been accessed or used improperly.” Id. at
469. Judge Hillman concluded that the plaintiff “has not alleged an injury sufficient to confer
standing” because plaintiff could not distinguish her injuries from the hypothetical injuries in
Reilly. Id. at 466-70.
Plaintiffs attempt to evade these cases by arguing that “[t]he imminence of future harm in
data breach cases depends upon two factors: (1) whether any of the compromised data was misused
post-breach, causing injury, and ([2]) whether the facts surrounding the data breach indicate that
the data theft was sophisticated, intentional, or malicious.” (PIs.’ Opp’n at 11 .) However, even
if this accurately characterizes the law, Plaintiffs Diana, Pekelney, and Meisel fail on both prongs.
As extensively discussed above, these Plaintiffs have not alleged a’ post-breach misuse of
compromised data. With respect to the “sophisticated, intentional, or malicious” nature of the data
As Defendant points out, two cases on which Plaintiffs rely—Pisciotta v, Old National Bap, 499 F.3d 629 (7th
628 F.3d 1139 (9th Cir,20 10)—were expressly rejected by the Third
Cir.2007) and pgr2 SJarbucks Co
664 F,3d at 44, In any event, the subsequent decision of ç,ppr has created intra-circuit
Circuit in j)Jy. Reilly,
splits between district courts in the Seventh and Ninth Circuits regarding whether çjppr overruled Piscioua and
Krottner. Peters v. St. Joseph Servs. Corp.. 2015 WL 589561. at *8, n. 10 (S.D. Tex. Feb. 11.2015).
,,
10
breach—a factor supported only by oblique dicta in Reilly—the Court fails to see how the theft of
Horizon laptops here is any more “sophisticated, intentional, or malicious” than the taking of a
laptop from a locked car in Polanco or the hacking of a computer system in Reilly. If anything,
hacking a computer seems to require more planning, savvy, and sophistication than the simple
theft of two laptops. Additionally, compared to hypothetical string of events identified in Reilly,
Plaintiff’s injury is even more attenuated: (1) the crook must gain access to the information on the
password-protected laptops, (2) he or she must read, copy, and understood the personal
information; (3) he or she must intend to commit future criminal acts by misusing the information;
and (4) the perpetrator must then be able to use such information to the detriment of Plaintiffs by
making unauthorized transactions in Plaintiffs’ names. See Reilly, 664 F.3d at 42. As in Reilly
and other data breach cases, Plaintiffs’ future injuries stem from the conjectural conduct of a third
party bandit and are therefore inadequate to confer standing. ; Peters v. St. Joseph Servs. Corp.,
2015 WL 589561, at *5 (S.D. Tex. Feb. 11, 2015) (rejecting standing in a data breach case
premised on the theory of an imminent identity theft); SAIC Data Theft, 2014 WL 1858458, at *6
(Rejecting standing where “events are entirely dependent on the actions of an unknown third
party—namely, the thief’, and noting: “[alt this point, we do not know who she was, how much
she knows about computers, or what she has done with the [stolen] tapes.”): Galaria v. Nationwide
Mut, Ins, Co.. 998 F. Supp. 2d 646, 655 (S.D. Ohio 2014) (Rejecting standing because, “[e]ven
though Named Plaintiffs allege a third party or parties have their [personal information], whether
Named Plaintiffs will become victims of theft or fraud or phishing is entirely contingent on what,
if anything, the third party criminals do with that information.”). Accordingly, Plaintiffs Diana,
Pekelney. and Meisel cannot rely on their increased likelihood of future harm as a basis for
II
5
standing.
For the reasons set forth above, Diana, Pekelney, and Meisel do not have standing to assert
their FCRA claims.
B.
Standing of Plaintiff Rindner
Unlike the other Plaintiffs, Rindner asserts that the Horizon laptop thief filed a fraudulent
joint tax return under his and his wife’s names. (Am. Compi. ¶J 10, 60; Pis.’ Opp’n at 11.) Rindner
also claims that the unknown culprit attempted to fraudulently use his credit card. (RI.) Defendant
contends that Rindner’s fraudulent tax return is not a cognizable injury because he received a full
tax refund. (Def.’s Mot. at 6, n. 4.) Defendant also argues that any injury resulting from the
6
fraudulent tax return or the purported credit card use was not sufficiently linked to the laptop theft
and therefore does not meet the causation requirement of standing. (RI. at 6-1 1.)
7
1.
Fraudulent Tax Return
Rindner alleges that, “[ajs a result of the Data Breach, a thief or thieves submitted to the
Internal Revenue Service [j a fraudulent Income Tax Return for 2013 in Rindner’s and his wife’s names
and stole their 2013 income tax refund.” (Am. Compi.
¶ 60.) Defendant strenuously argues that
“[Rindner’sJ allegations contradict any plausible connection to the laptop theft”, because Rindner
Because Plaintiffs cannot rely on their asserted future harm for standing, they also may not rely on th.e expense of
credit monitoring and other preventative measures for standing. See çippgr, 133 S. Ct. at 1151(2013) (“[plaintiffs]
cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future
harm that is not certainly impending”): Reilly. 664 F,3d at 46 (“P1aintiffs’1 alleged time and money expenditures to
monItor their financial information do not establish standing. because costs incurred to watch fur a speculative chain
of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased
risk of injury’ which forms the basis for [plaintiffs’] claims.”)
Defendant characterizes this argument as an attack on the injuryinfact requirement. (Def.’s Mot. at 6. n. 4.) As
discussed further below, the Court views this more properly as a redressability argument.
To the extent Rindner claims the same generalized harms as Plaintiffs Diana. PekeIney. and Meisel. those
assertions fail for the reasons stated, supra.
does not contend that the stolen laptops contained any personal infonnation from Rindner’s nif
such that the perpetrator could submit a fraudulent tax return form in her name. (Def. Mot. at 7.)
8
This fact, Defendant reasons, in addition to the fact that no other putative class member—out of
839,000—alleges any identity theft, demonstrate that Rindner’s identity was stolen through other
means. (Id. at 7-9.) In opposition, Rindner indicates that the laptop thief could have obtained
Rindner’s personal information from the stolen computers and cobbled together his wife’s personal
information from other sources. (Pis.’ Opp’n at 17-18.) Defendant, in reply, counters that this is
exactly the point: if the identity thief stole personal information from another source, then Rindner
cannot bear his burden of demonstrating standing. (Def.’s Reply at 2-3.)
It is
true,
as Rindner notes, that the Third Circuit has recognized “room for concurrent
causation in the analysis of standing.” Constitution Party of Pennsylvania, 757 F.3d at 366. Two
points bear mention. First, although there is room for concurrent causation in the “analysis” of
standing, this does not mean that pure concurrent causation (two independent actions comingling
to cause a plaintiffs injury) is stfJIcient for standing purposes. In other words, concurrent causes
may provide a basis for standing, but the analysis does not end there. Second, even accepting
Rindner’s concurrent causation theory that his personal information was taken from the Horizon
laptops and combined with his wife’s personal information from an unidentified source, he cannot
plausibly demonstrate a causal connection adequate for standing.
The court in SAIC Data Theft, faced a very similar situation. There. several plaintiffs
alleged that “unauthorized charges were made to their existing credit cards or debit cards, or that
Plaintiffs note that. if oiven the opportunity to amend their complaint. they would allege that Rindner furnished his
wife’s Social Security number to Horizon at the time ofenroliment. (Pis.’ Opp’n at 17. n. 11.)
13
money was withdrawn from an existing bank account.” 2014 WL 1858458, at *11. Although
credit-card, debit-card, or bank-account infonnation was not on the stolen tapes, the plaintiffs
argued that “a criminal could obtain some of a victim’s personal information from a data breach
and then go ‘phishing’ to get the rest.
.
.
.
That is, the crook could acquire a name and phone
number and then make calls pretending to be a legitimate business asking for information like
credit-card or bank—account numbers.” Id. The court rejected this contention. After noting that,
like here, the plaintiffs did not allege any phishing in their complaint, Judge Boasberg explained:
[plaintiffs] proffer no plausible explanation for how the thief would
have acquired their banking information. In a society where around
3.3% of the population will experience some form of identity theft—
regardless of the source—it is not surprising that at least five people
out of a group of 4.7 million happen to have experienced some form
of credit or bank-account fraud. As that information was not on the
tapes, though, Plaintiffs cannot causally link it to the SAIC breach.
Id. (citation omitted).
This rationale applies with equal force here.
Indeed, the minuscule
percentage of affected members in both SAIC Data Theft and the present case are exactly the same:
0.0001%. And while it is possible that the thief obtained Rindner’s wife’s information from
another source and pooled it with Rindner’s information from the stolen laptops, the dearth of any
other identity theft victims (out of 839,000 members) makes this an unlikely scenario. As
Defendant points out, “Rindner’s circumstances are singular, unique, and particular to him”.
(Def.’s Mot. at 8.) In sum, even if Rindner’s theory is adequate to support standing in the abstract.
the facts of this case demonstrate the remote possibility, rather than the plausibility, that the
fraudulent tax return was connected to the Horizon laptop theft, Accordingly, Rindner’s tax fraud
injury is not “fairly traceable” to Defendant.
Finally, even if the Court were to find that Rindner’s injury was “fairly traceable” to
Defendant, his claim must fail at the third element of standing: redressability. As Defendant notes,
14
Rindner admits receiving his tax refund. Therefore, even if Horizon were found culpable for the
9
laptop thefts under FCRA, Rindner would not be entitled to damages because he already received
his tax refund. Accordingly, Rindner cannot meet the third prong of redressability. See People
To End Homelessness, Inc. v. Develco Singles Apartments Associates, 339 F.3d 1, 9 (1st Cir.
2003) (“[plaintiffl does not have standing to pursue its lawsuit because its alleged injuries, to the
extent they can be redressed, have already been remedied”); Hammond v. The Bank of New York
Mellon Corp., 2010 WL 2643307, at *8 (S.D.N.Y. June 25, 2010) (same).
For the foregoing reasons, Rindner lacks standing to bring FCRA claims based on the
alleged false tax return.
2.
Fraudulent Credit Card Use
Rindner also alleges fraudulent use of his credit card. (Am. Compl.
¶J 10, 60). Defendant
points out, and Rindner does not contest, that current credit card information (as opposed to a new
credit card, which can be fraudulently obtained using a stolen Social Security number) was not on
the stolen laptops. (Def.’s Reply at 2.) Thus, any harm stemming from the fraudulent use of
Rindner’s current credit card is not “fairly traceable” to Defendant.’
0
$, SAIC Data Theft, 2014
WL 1858458, at *6 (“Five of those six [plaintiffsj claim only that unauthorized charges were made
to their existing credit cards or debit cards. or that money was withdrawn from an existing bank
Indeed. Plaintiffs did not even address this argument in their opposition brief. And while the consolidated
complaint sets forth the bare assertion that “Rmdner has also been damaged financiallY by the related delay in
receiving his tax refund fur 2013”, (Am. Compl. ‘ 10), he gives no explanation as to how or why that is the case.
Such “[t]hreadbare recitals” and “mere conelusory statements, do not suffice.” croft.Ibal, 556 U.S. 662, 678
(2009).
Rindner does not seem to make an argument analogous to his fraudulent tax return argument; i.e.. although current
credit card information was not on the stolen laptops. the thief could have used the personal information therein to
obtain Rindner’s credit card information from another source. Nonetheless, this argument would fail for the reasons
explained in the tax fraud discussion, supra.
_____
_____
_____
_
account. But here!s the problem: No one alleges that credit-card, debit-card. or bank-account
information was on the stolen tapes....As that information was not on the tapes,
[J [pilaintiffs
cannot causally link it to the SAIC breach.”). Accordingly, Rindner lacks standing to bring FCRA
claims based on the alleged fraudulent use of his credit card.
C.
Plaintiffs’ State Law Claims
In addition to the FCRA claims, Plaintiffs also assert various New Jersey state law claims.
(Am. Compl.
¶J 103-170). Given that the Court lacks original jurisdiction over Plaintiffs’ federal
claims, the Court lacks discretion to retain supplemental jurisdiction over the state law claims
pursuant to 28 U.S.C.
§ 1367. Storino v. Borough of Pleasant Beach, 322 F.3d 293, 299-300 (3d
Cir. 2003) (noting that because the plaintiffs lacked standing, “the District Court lacked original
jurisdiction over the federal claim, and it therefore could not exercise supplemental jurisdiction”).
Thus, the Court will dismiss the state law claims.
V.
COCLUS ION
As explained above, none of the named Plaintiffs have adequately alleged Article III
standing. Accordingly, the Court shall dismiss Plaintiffs’ consolidated class action complaint
without prejudice. An appropriate Order follows this Opinion.
DATE
CLAIRE C. CECC11I, U.SD.J.
16
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?