UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF PENNSYLVANIA

COLLEEN WATERMAN, Plaintiff,
v.
PAYCHEX, INC., Defendant.

No. 25-cv-2908

OPINION
Defendant’s Motion to Dismiss, ECF No. 9 – Granted

Joseph F. Leeson, Jr., United States District Judge
October 22, 2025
I. INTRODUCTION

The issues in this case stem from a cybersecurity attack and data breach experienced by Defendant Paychex, Inc., in March of 2024. Plaintiff Colleen Waterman, a former user of Paychex’s services, believes this data breach to be the reason her personal identifying information (PII) was stolen, and has brought claims of negligence, negligence per se, invasion of privacy, and violations of New York Gen. Bus. Law § 349(a), against Paychex. Currently before the Court is Paychex’s Motion to Dismiss the Complaint pursuant to Fed. R. Civ. P. 12(b)(1) and 12(b)(6). For the reasons below, the Court will dismiss the Complaint without prejudice for lack of standing.

II. BACKGROUND

A. Waterman’s Factual Allegations

For the period relevant to this case, Waterman was an employee of Gray Chevrolet of Stroudsburg, PA, which uses Paychex, Inc.’s online platform for its HR and payroll services. Compl., ECF No. 1, ¶¶ 90, 92. While employed at Gray Chevrolet, Waterman was required to create an account with Paychex and provide them with certain information in order to receive her pay directly to her bank account. Id. at ¶ 93. On or around March 22, 2024, Paychex experienced a cybersecurity (data) breach of its computer and data systems. Id. at ¶ 22. On or around March 29, 2024, the payment information in Waterman’s Paychex account was modified without her authorization. Id. at ¶¶ 95-96. Waterman later discovered that the bank account registered to receive her direct deposits was changed from her own account to a PNC Bank account which she did not create, and which did not use her signature. Id. at ¶¶ 100-102. She immediately informed Paychex of these developments. Id. at ¶ 103. On April 2, 2024, Paychex responded to Waterman’s communication and asked her to confirm that she was logging in to her account via the correct website. Id. at ¶¶ 104-105. Waterman updated her passwords and changed the bank account for her direct deposits. Id. at ¶¶ 108-109.

Waterman later experienced several other incidents which led her to believe that her identity had been stolen, including being locked out of her phone in August of 2024, id. at ¶ 113, being notified in November of 2024 of a Members First Federal Credit Union account opened in her name and used to conduct fraudulent transactions, id. at ¶¶ 122-29; and being informed that Treasury bonds were purchased with funds from her Wells Fargo bank account in November and December of 2024, id. at ¶¶ 137-45. Waterman filed a police report regarding the suspected identity theft in November of 2024, the investigation of which remains ongoing. Id. at ¶¶ 134-36. Waterman attributes her injuries—among them financial loss, devaluation of her personal identification information (PII), anxiety, and sleeplessness, id. at ¶¶ 151-165—to the Paychex data breach. Id. at ¶¶ 32, 38, 40.

On June 5, 2025, Waterman filed a Complaint in this Court against Paychex, in which she brings claims of negligence, negligence per se, invasion of privacy, and violations of the New York Deceptive Trade Practices Act, New York Gen. Bus. Law § 349. See id., ECF No. 1.

B. Paychex’s Motion to Dismiss

On July 1, 2025, Paychex filed a Motion to Dismiss the Complaint pursuant to Fed. R. Civ. P. 12(b)(1) and 12(b)(6). See Motion, ECF No. 9. The Motion argues, in part, that Waterman lacks Article III standing to sue because she has shown neither an injury-in-fact nor a
causal connection to the Paychex data breach. See Defendant’s Brief in Support of Motion to Dismiss (Def. Br.), ECF No. 9-5.¹ Paychex challenges Waterman’s factual allegation that her personal identifying information (PII) was disclosed in the data breach, and alleges, in contrast, that Waterman’s information “was not implicated in the data breach at issue,” Def. Br. at 4 n.4, because the data involved in the breach was limited to certain persons with California addresses, id. at 2, and Waterman is a Pennsylvania resident who has not alleged that she ever resided or worked in California, id. at 2, 12.² Waterman says it “remains unclear” who was negatively impacted by Paychex’s data breach, to what extent they were affected, and in what geographic locations, Compl. at ¶¶ 25-26, but Paychex counters that its internal investigation of the breach resulted in a complete list of all known, affected persons—and Waterman is not on it. See Def. Br. at 5-6. Paychex supplemented its Motion to Dismiss with declarations from the corporation’s Manager of Fraud & Risk Analysis, Christopher M. Voos, and its Tax Manager, Hannah M. Garofoli, who confirm this. See ECF Nos. 9-3, 9-4.

¹ References to the page numbers in this pleading are to those assigned by defense counsel and marked at the bottom of each page, not the page numbers assigned by the ECF docketing system.

² Paychex alleges that “[o]n April 30, 2024, when Paychex attempted to exchange information with the State of California regarding certain unclaimed property, it inadvertently allowed an unauthorized individual to access the information instead.” Def. Br. at 1. Regarding the scope of the breach, Paychex adds the following:

While it is true that the Data Breach involved the inadvertent disclosure of information intended to be reported to the State of California regarding unclaimed property, Plaintiff’s data was not included in that disclosure. Instead, the only data disclosed during the Data Breach was a list compiled as part of Paychex’s annual reporting requirements under California’s Unclaimed Property Law, Cal. Code of Civ. P. § 1500, et seq. (the “Unclaimed Property List”). The only data on the Unclaimed Property List was that associated with individuals for whom the last known address Paychex had on file was in California. Plaintiff, however, is not a resident of California; she lives in Pennsylvania and does not allege to have lived in California.

Id. at 2 (internal citations omitted).

C. Other Procedural History

On July 15, 2025, Waterman filed her Response in Opposition to Paychex’s Motion to
Dismiss. See Response (Pl. Br.), ECF No. 19. In it, she argues that Paychex’s factual challenge under Rule 12(b)(1) is essentially “an attack on the merits” of her claims, urging the Court to view the facts in a light most favorable to her, and to review all arguments in the Motion to Dismiss under the Rule 12(b)(6) standard. See id. at 11. On July 22, 2025, Paychex filed its Reply in Further Support of its Motion to Dismiss. See Reply, ECF No. 20. On August 8, 2025, Paychex filed a Motion for Rule 11 Sanctions, see ECF No. 22, which the Court denied on September 16, 2025, see ECF No. 27. Paychex also requested a stay of discovery pending resolution of its Motion to Dismiss, which the Court denied on September 30, 2025. See ECF No. 29. The Court is now prepared to rule on the Motion to Dismiss.
III. LEGAL STANDARDS

A. Motion to Dismiss under Rule 12(b)(1) – Review of Applicable Law

Federal courts are courts of limited subject matter jurisdiction. Erie Ins. Exch. by Stephenson v. Erie Indem. Co., 68 F.4th 815, 818 (3d Cir. 2023) cert. denied, 144 S. Ct. 1007 (2024). “They possess only that power authorized by Constitution and statute.” Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375, 377 (1994). Thus, a presumption against jurisdiction exists which the party asserting subject matter jurisdiction must overcome. Aldossari on Behalf of Aldossari v. Ripp, 49 F.4th 236, 260 (3d Cir. 2022). Since a challenge to subject matter jurisdiction “call[s] into question the very legitimacy of a court's adjudicatory authority,” Council Tree Commc'ns, Inc. v. F.C.C., 503 F.3d 284, 292 (3d Cir. 2007) (quoting Am. Canoe Ass'n v. Murphy Farms, Inc., 326 F.3d 505, 515 (4th Cir. 2003)), courts have both an affirmative duty to ensure the existence of subject matter jurisdiction and to dismiss those actions where it does not exist. See Fed. R. Civ. P. 12(h)(3) (“If the court determines at any time that it lacks
subject-matter jurisdiction, the court must dismiss the action.”); In re Schering Plough Corp. Intron/Temodar Consumer Class Action, 678 F.3d 235, 243 (3d Cir. 2012) (“Under Fed. R. Civ. P. 12(b)(1), a court must grant a motion to dismiss if it lacks subject-matter jurisdiction to hear a claim.”). “[T]here are two types of Rule 12(b)(1) motions: those that attack the complaint on its face and those that attack subject matter jurisdiction as a matter of fact.” Petruska v. Gannon Univ., 462 F.3d 294, 302 n.3 (3d Cir. 2006) (citing Mortensen v. First Fed. Sav. & Loan, 549 F.2d 884, 891 (3d Cir. 1977)). “[A] court must first determine whether the movant presents a facial or factual attack” because the distinction determines the standard of review. In re Schering, 678 F.3d at 243. A facial attack “challenges subject matter jurisdiction without disputing the
facts alleged in the complaint, and it requires the court to ‘consider the allegations of the complaint as true.’” Davis v. Wells Fargo, 824 F.3d 333, 346 (3d Cir. 2016) (quoting Petruska, 462 F.3d at 302 n.3). A factual attack challenges “subject matter jurisdiction because the facts of the case . . . do not support the asserted jurisdiction.” Constitution Party of Pa. v. Aichele, 757 F.3d 347, 358 (3d Cir. 2014). A factual attack “cannot occur until plaintiff’s allegations have been controverted[,]” Mortensen, 549 F.2d at 892 n.17, which occurs when the movant files an answer or “otherwise present[s] competing facts.” Aichele, 757 F.3d at 358. “When a factual challenge is made, ‘the plaintiff will have the burden of proof that jurisdiction does in fact exist,’ and the court ‘is free to weigh the evidence and satisfy itself as to the existence of its power to hear the case.’” Davis, 824 F.3d at 346 (quoting Mortensen, 549 F.2d at 891). “[N]o presumptive truthfulness attaches to [the] plaintiff’s allegations. . . .” Id. (quoting Mortensen, 549 F.2d at 891) (alterations in original).

i. Standing – Review of Applicable Law
“Only a party with standing can invoke the jurisdiction of the federal courts.” Aichele, 757 F.3d at 357. “A motion to dismiss for want of standing is ... properly brought pursuant to Rule 12(b)(1), because standing is a jurisdictional matter.” In re Schering, 678 F.3d at 243 (quoting Ballentine v. United States, 486 F.3d 806, 810 (3d Cir. 2007)). Article III standing consists of three elements: (1) an injury in fact; (2) a “fairly traceable” causal connection between that injury and the complained-of conduct; and (3) a likelihood that the injury will be redressed by a favorable judicial decision. Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016), as revised (May 24, 2016) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)). A “plaintiff who raises multiple causes of action ‘must demonstrate standing for each claim he seeks to press.’” In re Schering, 678 F.3d at 245 (quoting DaimlerChrysler Corp. v. Cuno, 547
U.S. 332, 352 (2006)). The standing requirement is “analytically distinct from the merits of the underlying dispute.” Davis, 824 F.3d at 348. Thus, “when a case raises a disputed factual issue that goes both to the merits and jurisdiction, district courts must ‘demand less in the way of jurisdictional proof than would be appropriate at a trial stage.’” Davis, 824 F.3d at 350 (citing Mortensen, 549 F.2d at 892). For that reason, the Court of Appeals for the Third Circuit advises that “dismissal via a Rule 12(b)(1) factual challenge to standing should be granted sparingly.” Id.

a. Injury-in-Fact

An “injury-in-fact” is “an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at 560 (internal quotations omitted); see Kamal v. J. Crew Group, Inc., 918 F.3d 102, 110 (3d Cir. 2019) (quoting Spokeo, Inc., 578 U.S. at 338-39). To be “concrete,” an injury must be “de facto”; it “must actually exist” and be “real[,] not abstract.” Spokeo, Inc., 578 U.S. at 340 (internal quotations omitted). An injury need not be
“tangible,” however, in order to be concrete. Id. Intangible injuries have “long been understood as cognizable,” In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 637 (3d Cir. 2017) (citing Spokeo, Inc., 578 U.S. at 340), such as the “violation of a procedural right granted by statute.” Id. Helpfully, the Third Circuit has articulated two inquiries to guide concreteness determinations: (1) whether “an alleged intangible harm” is closely related “to a harm that has traditionally been regarded as providing a basis for a lawsuit,” and (2) “whether Congress has expressed an intent to make an injury redressable.” Id. “For an injury to be ‘particularized,’ it must affect the plaintiff in a personal and individual way.” Spokeo Inc., 578 U.S. at 339 (internal quotations omitted). So long as the plaintiff is “himself among the injured,” In re Schering, 678 F.3d at 245, he “need not ‘suffer any
particular type of harm to have standing,’” In re Horizon, 846 F.3d at 636 (quoting In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125, 134 (3d Cir. 2015)). The Third Circuit has before found that “the disclosure of [one’s] own private information” was “no doubt” a particularized injury. See id. at 633 n.10.

b. Causation

To establish a “causal connection between the injury and the conduct complained of—the injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court.” See Aichele, 757 F.3d at 360 and In re Schering, 678 F.3d at 244 (all citing Lujan, 504 U.S. at 560) (cleaned up). “Causation in the context of standing is not the same as proximate causation from tort law.” Aichele, 757 F.3d at 366. An “indirect causal relationship will suffice, so long as there is a fairly traceable connection.” Id.

c. Redressability
To demonstrate redressability, a plaintiff “must show that it is ‘likely, as opposed to merely speculative, that the alleged injury will be redressed by a favorable decision.’” See Finkelman v. Nat'l Football League, 877 F.3d 504, 511 (3d Cir. 2017) (citing Finkelman v. Natl. Football League, 810 F.3d 187, 194 (3d Cir. 2016)).

IV. DISCUSSION

A. Standing

Since Paychex initially categorizes its Rule 12(b)(1) argument as a factual challenge, and Waterman does not explicitly disagree with that categorization except to say it overlaps with Paychex’s 12(b)(6) argument, the Court will find the same.³ Accordingly, the Court will weigh the competing evidence on both sides, and determine whether it retains its power to hear the case. Davis, 824 F.3d at 346 (quoting Mortensen, 549 F.2d at 891). Because Paychex’s Motion to Dismiss challenges two of the three criteria for standing (injury-in-fact and causation), the Court will address each in turn.

³ In its Motion to Dismiss, Paychex appears to categorize its Rule 12(b)(1) argument as a factual challenge to standing. See Def. Br. at 11 (“Plaintiff cannot defeat Paychex’s factual showing that she did not suffer an injury-in-fact connected to the Data Breach.”). Paychex asserts that Waterman’s allegations—namely, that her PII was compromised in the data breach—are “conclusory” and that “Paychex has offered evidence [to the contrary] on this point” to show that such allegations are “simply not true.” Id. at 9-11. Paychex argues, accordingly, that Waterman never suffered an injury-in-fact, let alone one causally connected to the data breach. See id. Such a challenge would shift the burden to Waterman to combat the evidence provided by Paychex and show “that jurisdiction does in fact exist,” and would enable the Court to consider evidence like the competing factual allegations in Paychex’s Motion and the declarations appended thereto, and “satisfy itself as to the existence of its power to hear the case.” See Davis v. Wells Fargo, 824 F.3d 333, 346 (3d Cir. 2016) (internal quotations omitted). In her Response, Waterman does not acknowledge Paychex’s jurisdictional challenge as either factual or facial, but instead declares it “nothing more than a well-disguised motion on the merits,” or a merits challenge “masquerading” as a factual challenge to standing. Pl. Br. at 10. Waterman thus urges the Court to apply the Rule 12(b)(6) standard when evaluating the Motion to Dismiss in its entirety, and to view the factual allegations in the light most favorable to her, the nonmovant. See id. at 10-11. In its Reply, Paychex equivocatingly says that even if the Court were to view the Rule 12(b)(1) Motion as a facial challenge to standing, thereby requiring an application of the same nonmovant-deferential standard as Rule 12(b)(6), Waterman still lacks standing because she fails to provide sufficient support to establish a causal connection between any injury she suffered and Paychex’s actions. See Reply at 1-3. Overall, it appears to the Court that there exists a (i) factual challenge as to whether Waterman’s PII was actually implicated in the data breach (a challenge which Paychex argues negates Waterman’s injury-in-fact and causation allegations, as required for standing), and, in the alternative, (ii) a facial challenge to the causation requirement of standing. Because the facial challenge is highlighted only in Paychex’s Reply in Further Support of its Motion to Dismiss, see ECF No. 20, and because the thrust of the Motion to Dismiss centers around the contrary allegation that Waterman’s data was not disclosed in the breach, the Court regards the instant 12(b)(1) challenge as a factual attack on standing. The Court acknowledges Waterman’s comments that the Rule 12(b)(1) arguments made in Paychex’s Motion to some degree overlap with its Rule 12(b)(6) arguments, and agrees to the extent that “the facts necessary to succeed on the merits” in this case are “at least in part the same as must be alleged or proven to withstand jurisdictional attacks.” Hartig Drug Co. Inc. v. Senju Pharm. Co. Ltd., 836 F.3d 261, 268 (3d Cir. 2016) (citing Davis, 824 F.3d at 350 (citing Mortensen v. First Fed. Sav. & Loan, 549 F.2d 884, 892 (3d Cir. 1977)). In such cases, a court evaluating a factual challenge to standing attaches “no presumptive truthfulness . . . to [the] plaintiff’s allegations,” Davis, 824 F.3d at 346 (quoting Mortensen, 549 F.2d at 891), but also “demand[s] less in the way of jurisdictional proof than would be appropriate at a trial stage.” Id. at 350 (citing Mortensen, 549 F.2d at 892).

i. Injury-in-Fact

Waterman has alleged sufficient facts to show that she has suffered an injury-in-fact as required for standing. Waterman alleges that she suffered the “exposure of her PII,” Compl. ¶¶ 153, 194, 207, 223, which the Third Circuit has suggested is “particularized” because the disclosure of one’s private information is both personal and individual. See In re Horizon, 846 F.3d at 633 n.10; see also id. at 629 (“Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.”). The Court agrees, and also finds that this injury is concrete. The disclosure of one’s private personal information has “traditionally been regarded as providing a basis for a lawsuit,” because “‘unauthorized disclosures of information’ have long been seen as injurious.” Id. at 638 (citing In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262, 274 (3d Cir. 2016). Even “[t]he common law alone will sometimes protect a person's right to prevent the dissemination of private information.” Id. (citing Restatement (Second) of Torts § 652A (2016) (“One who invades the right of privacy of another is subject to liability for the resulting harm to the interests of the other.”)). Moreover, Waterman alleges that such exposure of her PII actually occurred between March and December of 2024, see Compl. at ¶¶ 38, 151, 153, 181, 185, 193, 198, 207, 223, so such injury is neither “conjectural [n]or hypothetical.” Lujan, 504 U.S. at 560. Thus, this alleged injury is concrete, particularized, and actual.
In addition, Waterman has alleged that the “exposure of her PII” also led to the hacking of her bank account information, Compl. ¶¶ 137-50, the commission of several fraudulent transactions made in her name, id. at ¶¶ 123-31, the ongoing experience of anxiety and sleeplessness, id. at ¶ 159, as well as the following harms: (i) the lost or diminished value of PII; (ii) out‐of‐pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of her PII; (iii) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach, including, but not limited to, time spent deleting phishing scams and reviewing and monitoring sensitive accounts; (iv) the present and continued risk to her PII, which may remain for sale on the dark web and is in Paychex’s possession and subject to further unauthorized disclosures so long as Paychex fails to undertake appropriate and adequate measures to protect the PII in its continued possession; (v) future costs in terms of time, effort, and money that will be expended to prevent, monitor, detect, contest, and repair the impact of the Data Breach for the remainder of Plaintiff’s life, including ongoing credit monitoring. Id. at ¶ 185; see id. at ¶¶ 193, 206, 222. Some of these allegations, namely her out-of-pocket expenses and ongoing mitigation costs, describe or otherwise “bear[] a close relationship to” monetary harm, which is a “harm traditionally recognized by American courts,” thereby lending further support for Waterman’s satisfaction of the “concreteness” requirement of injury-in-fact. See Barclift v. Keystone Credit Services, LLC, 93 F.4th 136, 142, 145 (3d Cir. 2024), cert. denied, 145 S. Ct. 169 (2024), (referencing TransUnion LLC v. Ramirez, 594 U.S. 413, 417 (2021)). With respect to the remaining allegations, the intangibility of future or prospective harms matters not. See In re Horizon, 846 F.3d at 637. 
“[I]n the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud,” a plaintiff can satisfy concreteness by alleging that “the exposure to that substantial risk caused additional, currently felt concrete harms. For example, if the plaintiff's knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like
credit monitoring services, the plaintiff has alleged a concrete injury.” Clemens v. ExecuPharm Inc., 48 F.4th 146, 155–56 (3d Cir. 2022) (emphasis added). So long as Waterman’s other intangible injuries bear a similarly close relationship “to harms traditionally recognized as providing a basis for lawsuits in American courts, such as reputational harms, disclosure of private information, and intrusion upon seclusion,” they too satisfy the concreteness requirement. Barclift, 93 F.4th at 142 (referencing TransUnion LLC, 594 U.S. at 425). Here, Waterman alleges present harms in the form of monetary loss (to mitigate damages from the breach), invasion of privacy, and ongoing emotional stress. She also alleges imminent future harms, supplemented by research regarding the substantial risk that her allegedly disclosed PII continues to pose. See Compl. at ¶¶ 59-75 (reproducing research on the value of PII to data
thieves and the increased risk of fraud and identity theft to consumers, particularly those whose social security numbers were stolen, based on ever-changing methods of using PII to facilitate illegal activity). Additionally, the alleged injury “must be concrete in both a qualitative and temporal sense.” Kamal, 918 F.3d at 110 (emphasis added) (affirming district court’s holding that the plaintiff lacked standing where the alleged injury was not itself concrete and the alleged risk of identity theft was too speculative to satisfy the requirement of concreteness). Although Waterman also brings “[a]llegations of ‘possible future injury,’” which would typically be insufficient to satisfy Article III standing in a suit for damages, see Barclift, 93 F.4th at 147 (citing Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011)), she clarifies that the impacts of her data exposure are “present and continued,” and the costs of preparing against future harms are “ongoing.” Compl. at ¶¶ 185, 193, 206, 222. Thus, Waterman has met her burden of showing that she was independently harmed and that her injuries, however intangible, are not only concrete and particular to her, but also actual and imminent.⁴ See Clemens, 48 F.4th at 152 (“the type of data involved in a data breach may be such that mere access and publication do not cause inherent harm to the victim. Even then, however, it can still poise the victim to endure the kind of future harm that qualifies as ‘imminent.’”) (internal citations omitted).

⁴ The Third Circuit has before instructed courts to consider the following non-dispositive inquiries in determining whether an injury is “imminent” in the data breach context: (i) whether the data breach was intentional; (ii) whether the data was misused; and (iii) whether the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft. Clemens v. ExecuPharm Inc., 48 F.4th 146, 153-54 (3d Cir. 2022).

ii. Causation

The Court, howbeit, finds that Waterman has not alleged sufficient facts in support of a causal connection, as required for Article III standing. Causation in this context requires that the injury complained of be “fairly traceable” to the defendant’s conduct. Aichele, 757 F.3d at 366. In Clemens v. ExecuPharm Inc., the Third Circuit found that a plaintiff satisfied the “traceability” requirement for standing where she alleged that her injuries were “a direct and proximate result of Defendants' breach of contract” because her data was implicated in the defendant’s data breach and the defendant’s failure to safeguard her information enabled CLOP (a “known hacking group”) to publish it on the dark web. 48 F.4th at 158-59 (internal quotations omitted). Here, Waterman alleges that Paychex “failed to properly maintain and safeguard its data,” Compl. at ¶ 86, but stops short of saying how that conduct led to her injury. Like the plaintiff in Clemens, Waterman claims that her injuries, namely the “constant surveillance of her financial and personal records, monitoring, and loss of rights” were “directly and proximately caused by Paychex’s failure to implement or maintain adequate data security measures of Plaintiff’s PII,” but unlike the plaintiff in Clemens, Waterman does not connect her harm to Paychex’s conduct via a causal chain. See id. at ¶¶ 57-58.

In Clemens, the plaintiff was notified by the defendant, her former employer, that her
data was implicated in a cybersecurity breach. 48 F.4th at 150-51. There, the plaintiff could trace the series of events and confidently allege that her data was confirmed to be implicated in the defendant’s breach, that there was a known hacker who obtained possession of her information during the breach and published it on the dark web, and that she suffered harm as a direct result of these events. See id. at 150-51, 156-58. Although Clemens involved a causal connection that was more directly traceable, here Waterman cannot identify a causal connection that is even fairly traceable. She does not allege but-for causation. See Clemens, 48 F.4th at 158 (“[B]ut-for causation is sufficient to satisfy traceability.”) (citing Edmonson v. Lincoln Nat'l Life Ins. Co., 725 F.3d 406, 418 (3d Cir. 2013)); see also Tignor v. Dollar Energy Fund, Inc., 745 F. Supp. 3d 189, 197 (W.D. Pa. 2024) (finding that plaintiffs satisfied “traceability” requirement where they
alleged that their PII could not have been exfiltrated in defendant’s data breach “but for” defendant’s failure to safeguard it). She does not point to facts in support of concurrent causation. See Clemens, 48 F.4th at 158 (citing Aichele, 757 F.3d at 366 (“[T]here is room for concurrent causation in the analysis of standing.”)). She has not connected Paychex’s breach to the conduct of a third party, known or unknown, who obtained her PII from Paychex and then used it to her detriment. See e.g., Graham v. Universal Health Serv., Inc., 539 F. Supp. 3d 481, 488 (E.D. Pa. 2021) (finding plaintiffs’ allegation—that “but-for” defendant’s negligence, the data breach would not have occurred and plaintiffs would not have been injured—insufficient to establish causation for Article III standing absent further discovery, in case where plaintiffs were users of defendant’s services claiming increased risk of identity theft). Waterman has alleged no more than temporal proximity between the Paychex data breach and the unfortunate occurrences of suspected identity theft that befell her in the months thereafter.⁵ Rather than confirm that Waterman’s PII was implicated in the breach, Paychex expressly denies that it was disclosed in the breach and challenges Waterman’s factual allegation that her injuries were caused by Paychex. But see Tignor, 745 F. Supp. 3d at 197 (finding that plaintiffs satisfied “traceability” requirement for standing where plaintiffs alleged (i) that Defendant notified them that plaintiffs’ data was implicated in the data breach, and (ii) that their injuries would not have occurred “but-for” Defendant’s misconduct). This factual challenge places the onus on Waterman to demonstrate that causation otherwise exists, or risk dismissal for lack of standing. Waterman’s Response, however, does not allege additional facts beyond those in the Complaint, and does not draw a clearer connection between the harms she suffered and the data breach, which Paychex alleges was confined to California. See Pl. Br. Without more, the Court cannot reasonably find that Waterman’s injury was “not the result of the independent action of some third party not
before the court.” See Aichele, 757 F.3d at 360 and In re Schering, 678 F.3d at 244 (all citing Lujan, 504 U.S. at 560) (cleaned up). Thus, Waterman has failed to allege a causal connection as required for standing. The Complaint will be dismissed accordingly,⁶ with leave to amend the deficiencies articulated in this section.

⁵ Waterman also alleges that the payment information in her Paychex account was modified without her authorization on or around March 29, 2024. Compl. at ¶¶ 95-96. However, Waterman does not allege that Paychex was responsible for giving another party access to her account credentials, only that Paychex (i) experienced a data breach earlier that same month, (ii) was “generally unhelpful” when she sought customer assistance to resolve the issue, and (iii) implied that she might have inadvertently shared her login information by logging in via the wrong web address. Id. at ¶¶ 104-107. These factual allegations do not suggest a fairly traceable causal link between the data breach and the injury she suffered by having her direct deposit information changed.

⁶ To the extent the parties are experiencing any present discovery dispute, the Court underscores that the dismissal of the Complaint, without prejudice, renders discovery obsolete without the existence of an operable pleading, unless or until an amended pleading is filed.

B. Leave to Amend and Other Considerations

Though the Court does not agree with Waterman’s argument that Paychex’s Rule 12(b)(1) argument is merely a veiled Rule 12(b)(6) merits argument, the notion is not entirely misguided. As noted herein, see section IV(A) n.1, supra, this case marks one of the unique
circumstances in which “the facts necessary to succeed on the merits are at least in part the same as must be alleged or proven to withstand jurisdictional attacks.” Hartig Drug Co. Inc. v. Senju Pharm. Co. Ltd., 836 F.3d 261, 273 (3d Cir. 2016) (citing Davis, 824 F.3d at 350 (citing Mortensen, 549 F.2d at 892)). Cases like this mark the “rare” instances in which a Rule 12(b)(1) dismissal following a factual challenge may be appropriate. See id. (explaining it is only the “unusual” case such as this “that will be properly dismissed under 12(b)(1)”). For the reasons stated above, the Complaint will be dismissed for lack of standing. This dismissal is without prejudice and with leave to amend.⁷ See Barclift 93 F.4th at 148 (“Because the absence of standing leaves the court without subject matter jurisdiction to reach a decision on the merits, dismissals ‘with prejudice’ for lack of standing are generally improper.”) (quoting Cottrell v.
Alcon Lab'ys, 874 F.3d 154, 164 n.7 (3d Cir. 2017)); see also Alston v. Parker, 363 F.3d 229, 236 (3d Cir. 2004) (“Dismissal without leave to amend is justified only on the grounds of bad faith, undue delay, prejudice, or futility.”), abrogated on other grounds by Rivera v. Monko, 37 F.4th 909 (3d Cir. 2022); In re Burlington Coat Factory Securities Litig., 114 F.3d 1410, 1434 (3d Cir. 1997) (“Federal Rule of Civil Procedure 15(a) provides that ‘leave [to amend] shall be freely given when justice so requires.’ . . . Among the grounds that could justify a denial of leave to amend are undue delay, bad faith, dilatory motive, prejudice, and futility.”) (internal citations
omitted). Since the Court finds that Waterman lacks standing based on failure to show causation, it need not address the redressability requirement for Article III standing.

⁷ Plaintiff counsel is advised that they, in addition to resolving the deficiencies under Rule 12(b)(1), should closely review the Rule 12(b)(6) arguments made in the Motion to Dismiss, ECF No. 9, and amend the complaint accordingly or otherwise allege additional facts in support of the pleaded claims, so as to address the challenges thereto in any amended complaint filed with the Court.

V. CONCLUSION

For the reasons stated herein, Waterman lacks standing to bring suit. Since the Court is
divested of subject matter jurisdiction, it will not consider further arguments made under Rule 12(b)(6) or on the merits. Paychex’s Motion to Dismiss the Complaint is granted. The Complaint will be dismissed without prejudice. A separate order follows.
BY THE COURT:
/s/ Joseph F. Leeson, Jr.
JOSEPH F. LEESON, JR.
United States District Judge