Reilly v. Ceridien Corp.: Data Breach Case

Postby Administrator » Wed Oct 29, 2014 9:28 am

Reilly v. Ceridien Corp.
Not Reported in F.Supp.2d, 2011 WL 735512
February 22, 2011


LINARES, District Judge.

*1 This matter comes before the Court on Defendant's motion to dismiss Plaintiffs' complaint pursuant to Federal Rules of Civil Procedure 12(b)(1), (b)(6), and 9(b). The Court has considered the submissions made in support of and in opposition to the motion and decides this matter without oral argument pursuant to Rule 78 of the Federal Rules of Civil Procedure. For the reasons set forth below, Defendant's motion to dismiss is granted.


Ceridien Corporation (“Ceridien”) is a payroll processing firm with its principal place of business in Bloomington, MN. Complaint (“Compl.”) ¶¶ 3, 7. To provide services to its customers, which are employers, Ceridien comes into possession of information necessary for it to process the employers' payroll. This information may include, among other information, the names of employees and their addresses, social security numbers, dates of birth, and in some instances, bank account information. Compl. ¶¶ 7–8. Plaintiffs Kathy Reilly and Patricia Pluemacher (“Plaintiffs”) bring suit on behalf of themselves and the proposed Class Members FN1. Plaintiffs allege they were employees of Brach Eichler until September 2003. Ceridien entered into a contract with their employer (and the employers of the proposed Class Members) to provide payroll processing services. Compl. ¶¶ 12, 49.

FN1. Plaintiffs' proposed Class is defined as follows: All persons whose personal and financial information was contained in or on the Ceridien Powerpay System whose personal and financial information was stolen or otherwise misplaced on or about December 22 and 23, 2009.

On or about December 22, and 23, 2009, Defendant suffered a security breach of its system whereby an unknown hacker accessed Ceridien's Powerpay system and potentially gained access to certain confidential personal and financial information of Plaintiffs and approximately 27,000 other employees working at 1,900 companies nationwide. Compl. ¶¶ 11, 14 (emphasis added).

On or about January 29, 2010, Ceridien sent letters to employees of certain employer-customers for which Ceridien provides or provided payroll processing services informing them that “some of your personal information may have been illegally accessed by an unauthorized hacker.” Compl., Ex. A. Ceridien further notified them “that the information accessed included your first name, last name, social security number and, in several cases, birth date and/or bank account that is used for direct deposit.” Compl., Ex. A.

As a result of the breach, Ceridien arranged to provide the affected individuals, free of charge, one year of credit monitoring and identity theft protection through Equifax Credit Watch Silver. Compl., Ex. A. The employees had until April 30, 2010 to enroll in the free program, and Ceridien included in its letter instructions regarding how to enroll. Plaintiffs do not indicate whether they enrolled in the free credit monitoring and identity theft protection program offered by Ceridien through Equifax. They allege that the program offered by Ceridien was “inadequate.” Compl. ¶ 19.

Plaintiffs further allege that Ceridien unnecessarily kept Plaintiffs' and the proposed Class Members' personal and financial information for years after they were employed by the subject employers. Plaintiffs in this case both had last worked for the subject employer Brach Eichler in September 2003. Plaintiffs also allege that Ceridien suffered a security breach in 2007. Compl. ¶¶ 12–13.

*2 Plaintiffs filed a Complaint on October 7, 2010 alleging negligence, breach of contract, breach of the covenants of good faith and fair dealing, consumer fraud, and violation of the New Jersey Theft Prevention Act (“TPA”), N.J.S.A. 56:11–44, et seq. and New Jersey Consumer Fraud Act (“CFA”), N.J.S.A. 56:8–19 et seq. by Defendant. Plaintiffs seek, inter alia, compensatory, consequential, and punitive damages, treble damages and attorney's fees pursuant to all applicable statutes including but not limited to the CFA. In addition to the aforementioned requests for relief and others, Plaintiffs also seek: (1) the provision of credit monitoring and/or credit card monitoring services for the proposed Class for at least ten years; (2) the provision of bank monitoring and/or bank monitoring services for the proposed Class for at least ten years; (3) the provision of credit restoration services for the proposed Class for at least ten years; and (4) the provision of identity theft insurance for the proposed Class for at least ten years.

Defendant filed the instant motion to dismiss on December 15, 2010 pursuant to Federal Rules of Civil Procedure 12(b)(1), 12(b)(6), and 9(b).


Under Fed.R.Civ.P. 12(b)(1), a court must grant a motion to dismiss if it lacks subject-matter jurisdiction to hear a claim. Standing is a jurisdictional matter and thus “a motion to dismiss for want of standing is also properly brought pursuant to Rule 12(b)(1).” Ballentine v. United States, 486 F.3d 806, 810 (3d Cir.2007). A 12(b)(1) motion to dismiss may be treated as either a “facial or factual challenge to the court's subject matter jurisdiction.” Gould Electronics Inc. v. U.S., 220 F.3d 169, 176 (3d Cir.2000). Under a facial attack, the movant challenges the legal sufficiency of the claim and the Court considers only “the allegations of the complaint and documents referenced therein and attached thereto in the light most favorable to the plaintiff.” Id. In reviewing a factual attack, however, the challenge is to the actual alleged jurisdictional facts. Thus, a court is free in that instance to consider evidence outside the pleadings. Id. Finally, once a 12(b)(1) challenge is raised, the burden shifts and the plaintiff must demonstrate the existence of subject-matter jurisdiction. PBGC v. White, 998 F.2d 1192, 1196 (3d Cir.2000).


Article III of the Constitution limits the judicial power of federal courts to “issues and controversies” between parties. See U.S. Const. Art. III, § 2. To satisfy the standing requirements, Plaintiff must allege:

(1) [a]n injury-in-fact, which is an invasion of a legally protected interest that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical; (2) a causal connection between the injury and the conduct complained of; and (3) [that] it must be likely, as opposed to merely speculative that the injury will be redressed by a favorable decision.

*3 Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). A “legally and judicially cognizable” injury-in-fact must be “distinct and palpable,” not “abstract or conjectural or hypothetical.” A plaintiff must show that he or she has “sustained or is immediately in danger of sustaining some direct injury as a result of the challenged official conduct and the injury or threat of injury must be both ‘real and immediate.’ ” City of Los Angeles v. Lyons, 461 U.S. 95, 101–02, 103 S.Ct. 1660, 75 L.Ed.2d 675 (1983). A Plaintiff lacks standing when the alleged injury is dependent upon the perceived risk of future actions of third parties not before the Court. Lujan, 504 U.S. at 564.

Defendant claims that Plaintiffs have not alleged any actual or imminent injury-in-fact. Plaintiffs themselves allege that, as a result of a breach of Ceridien's Powerpay system, they “are at an increased and imminent risk of becoming victims of identity theft crimes, fraud, and abuse.” Compl. ¶ 10. The Complaint does not allege that, as a result of the security breach, Plaintiffs' identities were actually stolen or that their private and confidential information has been misused in any way. They “only allege a potential of injury based on the hypothetical misuse of their private and confidential information, or hypothetical identity theft, occurring at some time in the future.” Def. Brief. at 10.

Defendant cites Giordano v. Wachovia Securities, LLC, 2006 WL 2177036 (D.N.J. July 21, 2006), and Hinton v. Heartland Payment Systems, Inc., 2009 WL 704139 (D.N.J. Mar.16, 2009) in support of their position that Plaintiffs lack standing. In Giordano, Plaintiff, a Wachovia Securities customer, brought suit when Wachovia lost a package containing Plaintiff's, and others', personal and confidential information. There, as here, Plaintiff alleged that as a result of Wachovia's actions, “she will incur costs associated with obtaining credit monitoring services ... to prevent identity theft.” Giordano, 2009 WL at *4. According to Plaintiff, indirect economic injury was a sufficient basis for standing. Id. at *3. Wachovia maintained that “because (1) there is no evidence that Plaintiff's confidential financial information had been stolen or that (2) a third-party intends to make unauthorized use of such information, theft of her identity (and thus, Plaintiff's injury), is not ‘certainly impending.’ ” Id.

The Court agreed with Wachovia writing that “Plaintiff's allegations that, as a result of Wachovia's actions, she will incur costs associated with obtaining credit monitoring services in order to prevent identity theft simply does not rise to the level of creating a concrete and particularized injury.” Id. at *4. The Court in Giordano noted that its decision was “in line with recent district court decisions involving claims of negligence and breach of confidentiality brought in response to a third-party stealing or unlawfully accessing personal or financial information from a financial institution.” Id. at *5; see Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018 (D.Minn.2006); Guin v. Brazos Higher Educ. Serv. Corp. Inc., 2006 WL 288483 (D.Minn. Feb.7, 2006); Stollenwerk v. Tri–West HealthCare Alliance, 2005 WL 2465906 (D.Ariz. Sept.6, 2005). In all of these cases, the district courts “rejected a Plaintiff's argument that he or she was entitled to reimbursement for credit monitoring services or for the time and money he or she spent monitoring his [or her] credit.” Giordano, 2009 WL at *5. These courts determined that Plaintiffs had not actually suffered an injury, but instead were complaining of the perceived risk of future injury. Id. Under the circumstances, Plaintiffs “had failed to show a present injury or reasonably certain future injury to support damages for any alleged increased risk of harm.” Id.

*4 Similarly, in its one-page opinion in Hinton, the Court dismissed Plaintiff's Complaint, which alleged facts similar to those in the instant matter, for “failing to assert that a third party had actually used his credit information to either open a credit card account or otherwise secure a fraudulent benefit at his expense ...” 2009 WL at *1. Therefore, Plaintiff failed to establish that he had suffered an actual injury due to the breach. Id.

Plaintiffs correctly point out that “there is no reported New Jersey District Court, Third Circuit, New Jersey State Trial or New Jersey Appellate Court decision on these issue concerning either standing or damages as a matter of law in data breach/risk of identity theft cases.” Pl. Brief at 9. Therefore, Plaintiffs ask the Court to rely on “the one Circuit to consider this issue”—the Seventh Circuit—and consider its holding in Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir.2007).

In Pisciotta, customers of a bank brought a putative class action alleging that through its website, the bank had solicited personal information on applicants for banking services, but had failed to secure it accurately. Id. As to the issue of standing, the Seventh Circuit held that:

the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent defendant's actions ... Once the plaintiffs' anticipate that some greater potential harm might follow the defendant's act does not affect the standing inquiry.

499 F.3d at 634. However, although Plaintiffs in Pisciotta were found to have standing, the Seventh Circuit ultimately upheld the dismissal of Plaintiffs' claims for lack of cognizable damages. Id. at 636 (“When given a choice between an interpretation of state law which reasonably restricts liability, and one which greatly expands it, we should choose the narrower and more reasonable path.”) The Court noted that “[i]n the end ... it is the Plaintiffs that must come forward with some authority to support their view that they have a right to the relief they seek.” Id. at 635–36 (citing A.W. Huss Co. v. Cont'l Cas. Co., 735 F.2d 246, 253 (7th Cir.) (emphasis in original)). The Court wrote:

Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy. Plaintiffs have not come forward with a single case or statute, from any jurisdiction, authorizing the kind of action they now ask this federal court, sitting in diversity, to recognize as a valid theory of recovery under [state] law. We decline to adopt a ‘substantive innovation’ in state law, or ‘to invent what would be a truly novel tort claim’ on behalf of the state.

Id. at 639–40. Thus, because Plaintiffs' claims were not compensable as a matter of state law, the Seventh Circuit affirmed the dismissal of Plaintiffs' claims. Id. at 640.

*5 In light of the ultimate holding in Pisciotta, Plaintiffs' reliance on this case is misguided. Further, other courts, including this one, have continued to find that Plaintiffs lacked standing in cases with similar facts even after Pisciotta. See Hinton, 2009 WL 704139; Amburgy v. Express Scripts, Inc., 671 F.Supp.2d 1046, 1053 (E.D.Mo.2009) (finding that increased risk of future identity theft is insufficient to confer standing). This Court is guided by the foregoing case law and finds that, similarly, because Plaintiffs have failed to allege injury-in-fact, as opposed to perceived risk of future injury, Plaintiffs lack standing to pursue their claims.

In the alternative, even if this Court determined that Plaintiffs had standing to pursue their claims, Plaintiffs have failed to state a claim on which relief may be granted. Like in Pisciotta, Plaintiffs' claims are primarily based on a theory of negligence. In order to demonstrate negligence, Plaintiffs must show: (1) duty; (2) breach; and (3) compensable injury proximately caused by defendant's breach of duty. P.T. v. Richard Hall Community Mental Health Care Center, 364 N.J.Super. 561, 572, 837 A.2d 436 (2002) (emphasis added). Thus, even if Plaintiffs' “threat of future injury” is sufficient to garner standing, Plaintiffs have failed to demonstrate the prima facie elements of a claim for negligence, the theory on which all of their claims are based. FN2

FN2. “Actual injury” is also required to maintain claims for breach of contract, breach of the covenant of good faith and fair dealing, consumer fraud, and violations of the TPA and CFA.


For the foregoing reasons, Defendant's motion to dismiss Plaintiff's complaint in its entirety is granted. An appropriate order accompanies this opinion.

Reilly v. Ceridien Corp.
Not Reported in F.Supp.2d, 2011 WL 735512 (D.N.J.)
David A. Szwak
Bodenheimer, Jones & Szwak, LLC
416 Travis Street, Suite 1404, Mid South Tower
Shreveport, Louisiana 71101
318-424-1400 / Fax 221-6555
President, Bossier Little League
Chairman, Consumer Protection Section, Louisiana State Bar Association
