EASTERN DISTRICT OF NEW YORK For Online Publication Only ----------------------------------------------------------------------X JILLIAN CANTINIERI, individually, and on behalf of all others similarly situated,
Plaintiff, ORDER 21-CV-06911 (JMA) (JMW) -against- FILED CLERK VERISK ANALYTICS, INC., INSURANCE 3:50 pm, Mar 31, 2023 SERVICES OFFICE, INC., and ISO CLAIMS SERVICES, INC., U.S. DISTRICT COURT EASTERN DISTRICT OF NEW YORK Defendants. LONG ISLAND OFFICE ----------------------------------------------------------------------X AZRACK, United States District Judge: Currently before the Court in this data breach action is the motion of Defendants Verisk Analytics, Inc., Insurance Services Office, Inc., and ISO Claims Services Inc., to dismiss Plaintiff Jillian Cantinieri’s proposed class action complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). (ECF No. 26.) For the following reasons, the motion is denied without prejudice. A Rule 12(b)(1) motion challenging subject matter jurisdiction may be either facial or fact- based. Carter v. HealthPort Techs., LLC, 822 F.3d 47, 56 (2d Cir. 2016). “[A] facial challenge . . . accepts the jurisdictional facts pleaded and challenges only their sufficiency.” All. for Envtl. Renewal, Inc. v. Pyramid Crossgates Co., 436 F.3d 82, 88 n.7 (2d Cir. 2006) (citation omitted). “In reviewing a facial attack to the court’s jurisdiction, we draw all facts—which we assume to be true unless contradicted by more specific allegations or documentary evidence—from the complaint.” Amidax Trading Grp. v. S.W.I.F.T. SCRL, 671 F.3d 140, 145 (2d Cir. 2011) (citation omitted). By contrast, a fact-based challenge “place[s] jurisdictional facts in dispute[,]” and “the district court [may] properly consider[ ] evidence outside the pleadings.” Id. (citations omitted). Moreover, on a fact-based challenge, “the District Court has leeway as to the procedure it wishes to follow.’” All. for Envtl. Renewal, 436 F.3d at 87 (citation omitted). “If the extrinsic evidence findings of fact in aid of its decision as to standing.” -C-ar-te-r, 822 F.3d at 57.
At the heart of this case is a November 4, 2021 letter (“Notification Letter”) from Defendant ISO Claims Services Inc. (“ISOC”) notifying Plaintiff that her data may have been affected as part of a data breach that impacted ISOC. The Notification Letter stated, in relevant part: “It appears an unauthorized entity obtain[ed] credentials to access [ISOC’s] customer portal as early as July 5, 2021, and obtain [sic] certain motor vehicle reports containing driver names, dates of birth, addresses, and driver’s license numbers.” (Compl. ¶ 58.) Plaintiff, however, claims that the Notification Letter’s description of the timing and scope of the data breach is inaccurate. She alleges upon information and belief that “the scope of the timeframe during which [ISOC]’s networks remained compromised began much earlier than reported by [ISOC],” and that “the
scope of the PII released in the data breach was far more expansive than reported in the Disclosure Letter and included, but was not limited to, SSNs, prior names and addresses, copies of identification documents, and property and casualty claim information and reports pertaining to Plaintiff and the members of the proposed classes.” (Id. ¶ 59.) This conflict—between the description of the timing and scope of the data breach in the Notification Letter, on the one hand, and Plaintiff’s allegations, on the other—underpins Defendants’ 12(b)(1) motion. They argue that Plaintiff’s allegations are facially insufficient because she “extensively cites the core document outlining the time and scope of the [data breach]—the Notification Letter,” but “then asks this Court to ignore it and accept allegations about injuries that the [data breach] could not have plausibly caused, either because they occurred
before the [data breach] or require data not impacted in the [data breach].” (Defs.’ Mem. at 3, ECF No. 26-1.) Defendants characterize their Rule 12(b)(1) challenge to standing as facial, not factual. 2 At its core, Defendants’ motion places two key jurisdictional facts in dispute. First, if the
data breach began no earlier than July 5, 2021, as they contend, then Plaintiff’s alleged injuries- in-fact that occurred prior to that date could not be plausibly “linked to Defendants’ conduct,” In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 31 (D.D.C. 2014), and Plaintiff would lack standing with respect to those injuries. Second, and perhaps more importantly, if the data breach did not result in disclosure of sensitive data elements—such as Social Security numbers—that could have caused Plaintiff’s alleged injuries- in-fact, those harms would not be “fairly traceable to” the data breach. Cooper v. Bonobos, Inc., No. 21-CV-854, 2022 WL 170622, at *2–4 (S.D.N.Y. Jan. 19, 2022) (citation omitted); see also, e.g., In re Uber Techs., Inc., Data Sec. Breach Litig., No. 18-CV-182970, 2019 WL 6522843, at
*6 (C.D. Cal. Aug. 19, 2019) (plaintiff’s alleged injuries were not “fairly traceable” to data breach because it was not apparent “how the disclosure of Plaintiff’s basic contact information and driver’s license number could be plausibly used to gain access to his tax return or make fraudulent charges on his credit and debit cards”). The Court finds the reasoning of Cooper and In re Uber persuasive. Thus, the Court agrees with Defendants that—at the very least—the critical question here is whether Plaintiff’s Social Security number (or other sensitive data that could have caused Plaintiff’s alleged injuries-in-fact) was obtained or exposed in the data breach. The arguments Defendants advance based on the Notification Letter make Defendants’ standing challenge fact-based rather than facial. See Amidax, 671 F.3d at 145 (defendant’s 12(b)(1) motion placed jurisdictional facts in dispute by arguing, contrary to plaintiff’s allegations,
that plaintiff was not defendant’s customer); Tasini v. N.Y. Times Co., 184 F. Supp. 2d 350, 354 (S.D.N.Y. 2002) (“The [defendant]’s motion constitutes a factual challenge. The [defendant] does 3 is wanting. Rather, it takes issue with the allegations themselves, arguing that many could not
possibly be true. . . . This alone is enough to transform the [defendant’s] challenge to subject matter jurisdiction into a factual one.”). Even if the Court were to consider Defendants’ motion as merely making a facial challenge, the Court would deny the motion on that basis. It is plausible that Plaintiff’s insurance company was in possession of the information at issue (including Social Security numbers and “copies of identification documents” (Compl. ¶ 59)) and that her insurance company would have communicated that information to Defendants given the nature of their business and the services they provide. It also is plausible that, once the data breach occurred, any such information was exposed or obtained, in addition to the other information that Defendants admit was exposed in the Notification Letter.
Because Defendants’ standing challenge is factual, the Court “has leeway as to the procedure it wishes to follow.” All. for Envtl. Renewal, 436 F.3d at 87 (citation omitted).
Free access — add to your briefcase to read the full text and ask questions with AI
EASTERN DISTRICT OF NEW YORK For Online Publication Only ----------------------------------------------------------------------X JILLIAN CANTINIERI, individually, and on behalf of all others similarly situated,
Plaintiff, ORDER 21-CV-06911 (JMA) (JMW) -against- FILED CLERK VERISK ANALYTICS, INC., INSURANCE 3:50 pm, Mar 31, 2023 SERVICES OFFICE, INC., and ISO CLAIMS SERVICES, INC., U.S. DISTRICT COURT EASTERN DISTRICT OF NEW YORK Defendants. LONG ISLAND OFFICE ----------------------------------------------------------------------X AZRACK, United States District Judge: Currently before the Court in this data breach action is the motion of Defendants Verisk Analytics, Inc., Insurance Services Office, Inc., and ISO Claims Services Inc., to dismiss Plaintiff Jillian Cantinieri’s proposed class action complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). (ECF No. 26.) For the following reasons, the motion is denied without prejudice. A Rule 12(b)(1) motion challenging subject matter jurisdiction may be either facial or fact- based. Carter v. HealthPort Techs., LLC, 822 F.3d 47, 56 (2d Cir. 2016). “[A] facial challenge . . . accepts the jurisdictional facts pleaded and challenges only their sufficiency.” All. for Envtl. Renewal, Inc. v. Pyramid Crossgates Co., 436 F.3d 82, 88 n.7 (2d Cir. 2006) (citation omitted). “In reviewing a facial attack to the court’s jurisdiction, we draw all facts—which we assume to be true unless contradicted by more specific allegations or documentary evidence—from the complaint.” Amidax Trading Grp. v. S.W.I.F.T. SCRL, 671 F.3d 140, 145 (2d Cir. 2011) (citation omitted). By contrast, a fact-based challenge “place[s] jurisdictional facts in dispute[,]” and “the district court [may] properly consider[ ] evidence outside the pleadings.” Id. (citations omitted). Moreover, on a fact-based challenge, “the District Court has leeway as to the procedure it wishes to follow.’” All. for Envtl. Renewal, 436 F.3d at 87 (citation omitted). “If the extrinsic evidence findings of fact in aid of its decision as to standing.” -C-ar-te-r, 822 F.3d at 57.
At the heart of this case is a November 4, 2021 letter (“Notification Letter”) from Defendant ISO Claims Services Inc. (“ISOC”) notifying Plaintiff that her data may have been affected as part of a data breach that impacted ISOC. The Notification Letter stated, in relevant part: “It appears an unauthorized entity obtain[ed] credentials to access [ISOC’s] customer portal as early as July 5, 2021, and obtain [sic] certain motor vehicle reports containing driver names, dates of birth, addresses, and driver’s license numbers.” (Compl. ¶ 58.) Plaintiff, however, claims that the Notification Letter’s description of the timing and scope of the data breach is inaccurate. She alleges upon information and belief that “the scope of the timeframe during which [ISOC]’s networks remained compromised began much earlier than reported by [ISOC],” and that “the
scope of the PII released in the data breach was far more expansive than reported in the Disclosure Letter and included, but was not limited to, SSNs, prior names and addresses, copies of identification documents, and property and casualty claim information and reports pertaining to Plaintiff and the members of the proposed classes.” (Id. ¶ 59.) This conflict—between the description of the timing and scope of the data breach in the Notification Letter, on the one hand, and Plaintiff’s allegations, on the other—underpins Defendants’ 12(b)(1) motion. They argue that Plaintiff’s allegations are facially insufficient because she “extensively cites the core document outlining the time and scope of the [data breach]—the Notification Letter,” but “then asks this Court to ignore it and accept allegations about injuries that the [data breach] could not have plausibly caused, either because they occurred
before the [data breach] or require data not impacted in the [data breach].” (Defs.’ Mem. at 3, ECF No. 26-1.) Defendants characterize their Rule 12(b)(1) challenge to standing as facial, not factual. 2 At its core, Defendants’ motion places two key jurisdictional facts in dispute. First, if the
data breach began no earlier than July 5, 2021, as they contend, then Plaintiff’s alleged injuries- in-fact that occurred prior to that date could not be plausibly “linked to Defendants’ conduct,” In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 31 (D.D.C. 2014), and Plaintiff would lack standing with respect to those injuries. Second, and perhaps more importantly, if the data breach did not result in disclosure of sensitive data elements—such as Social Security numbers—that could have caused Plaintiff’s alleged injuries- in-fact, those harms would not be “fairly traceable to” the data breach. Cooper v. Bonobos, Inc., No. 21-CV-854, 2022 WL 170622, at *2–4 (S.D.N.Y. Jan. 19, 2022) (citation omitted); see also, e.g., In re Uber Techs., Inc., Data Sec. Breach Litig., No. 18-CV-182970, 2019 WL 6522843, at
*6 (C.D. Cal. Aug. 19, 2019) (plaintiff’s alleged injuries were not “fairly traceable” to data breach because it was not apparent “how the disclosure of Plaintiff’s basic contact information and driver’s license number could be plausibly used to gain access to his tax return or make fraudulent charges on his credit and debit cards”). The Court finds the reasoning of Cooper and In re Uber persuasive. Thus, the Court agrees with Defendants that—at the very least—the critical question here is whether Plaintiff’s Social Security number (or other sensitive data that could have caused Plaintiff’s alleged injuries-in-fact) was obtained or exposed in the data breach. The arguments Defendants advance based on the Notification Letter make Defendants’ standing challenge fact-based rather than facial. See Amidax, 671 F.3d at 145 (defendant’s 12(b)(1) motion placed jurisdictional facts in dispute by arguing, contrary to plaintiff’s allegations,
that plaintiff was not defendant’s customer); Tasini v. N.Y. Times Co., 184 F. Supp. 2d 350, 354 (S.D.N.Y. 2002) (“The [defendant]’s motion constitutes a factual challenge. The [defendant] does 3 is wanting. Rather, it takes issue with the allegations themselves, arguing that many could not
possibly be true. . . . This alone is enough to transform the [defendant’s] challenge to subject matter jurisdiction into a factual one.”). Even if the Court were to consider Defendants’ motion as merely making a facial challenge, the Court would deny the motion on that basis. It is plausible that Plaintiff’s insurance company was in possession of the information at issue (including Social Security numbers and “copies of identification documents” (Compl. ¶ 59)) and that her insurance company would have communicated that information to Defendants given the nature of their business and the services they provide. It also is plausible that, once the data breach occurred, any such information was exposed or obtained, in addition to the other information that Defendants admit was exposed in the Notification Letter.
Because Defendants’ standing challenge is factual, the Court “has leeway as to the procedure it wishes to follow.” All. for Envtl. Renewal, 436 F.3d at 87 (citation omitted). The Court may direct the parties to engage in “limited discovery on the jurisdictional issue,” followed by “resolution on motion supported by affidavits,” or, “if a genuine dispute of material fact exists, the Court may conduct a hearing limited to Article III standing[.]” Id. at 88 (citations omitted); see also Advanced Video Techs., LLC v. HTC Corp., 103 F. Supp. 3d 409, 425 (S.D.N.Y. 2015) (on a factual challenge to standing, “the Second Circuit has recognized as appropriate . . . discovery concerning the jurisdictional issue,” followed by resolution “on a motion supported by affidavits and exhibits”) (citation omitted), aff’d, 677 F. App’x 684 (Fed. Cir. 2017). In light of these principles and the nature of Defendants’ challenge, the Court will direct
the parties to conduct focused jurisdictional discovery to expeditiously resolve the issue of Plaintiff’s Article III standing. Discovery should address the key jurisdictional facts outlined 4 data breach. Subsidiary facts relevant to the latter point include: (1) the specific data elements
Plaintiff disclosed to her insurance company, (2) the specific data elements that her insurance company disclosed to Defendants, and (3) the specific data elements that were exposed or obtained in the breach. Following discovery, Defendants may renew their motion under Rule 12(b)(1), supported by affidavits and exhibits, and Rule 12(b)(6). Until then, Defendants’ motion to dismiss is DENIED without prejudice. A scheduling order setting a telephonic status conference before the undersigned will issue. SO ORDERED. Dated: March 31, 2023 Central Islip, New York
/s/ (JMA) JOAN M. AZRACK UNITED STATES DISTRICT JUDGE