IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF PENNSYLVANIA
RYAN EMMETT, individually and on behalf of himself and others similarly situated,
Plaintiff, Civil Action No. 2:25-cv-546
v. Hon. William S. Stickman IV
CITRIX SYSTEMS, INC., et al,
Defendants.
MEMORANDUM OPINION
WILLIAM S. STICKMAN IV, United States District Judge Defendants Comcast Cable Communications, LLC and Comcast Corporation (collectively, “Comcast”) filed a Motion to Transfer Venue (ECF No. 22) requesting that the Court transfer this litigation to the United States District Court for the Eastern District of Pennsylvania (“EDPA”). Plaintiff Ryan Emmett (“Emmett”) opposed Comcast’s motion to transfer (ECF No. 27). Emmett filed a Motion to Remand or, in the Alternative, Motion for a More Definite Statement (ECF No. 25) requesting that the Court remand this litigation to the Court of Common Pleas of Allegheny County, Pennsylvania, or, in the alternative, order a more definite statement as to subject-matter jurisdiction. Defendants Citrix Systems, Inc. and Cloud Software Group, Inc. (collectively, “Citrix”) opposed Emmett’s motion to remand and requested that the Court transfer the litigation to the EDPA. (ECF No. 28). Comcast also opposed Emmett’s motion for remand. (ECF No. 29). For the following reasons, the Court will grant Emmett’s motion for remand and deny Comcast’s motion to transfer. I. FACTUAL BACKGROUND Emmett filed this action in the Court of Common Pleas of Allegheny County, Pennsylvania, on behalf of himself and all others similarly situated against Comcast and Citrix. (See generally ECF No. 1-1).1 Comcast provides internet services and products, cable television, a mobile 5G network, and landline telephone services and products to individuals and businesses
across the United States under the brand name Xfinity. (Id. ¶ 1). Citrix provides a variety of business technology services including application and desktop virtualization, networking, software, and cloud computing services. (Id. ¶ 2). This lawsuit centers around an alleged data breach that occurred in October 2023 (“the Data Breach”) and allegations that Comcast and Citrix failed to properly secure and safeguard the personally identifiable information (“PII”) of approximately 36 million Comcast customers. (Id. ¶ 3). Emmett seeks to represent a forty-nine (49) state class and subclass as detailed below: 49-State Class: All natural persons residing in the United States excluding California, whose [PII] was compromised as a result of the Data Breach.
Cable Act Subclass: All natural persons residing in the United States, excluding California, whose [PII] was compromised as a result of the Data Breach, and who received Xfinity Residential Services (including Xfinity Cable Television, Xfinity TV, Xfinity Internet, and/or Xfinity Voice).
(Id. ¶ 209). The complaint contains the following counts: • Count One (on behalf of Emmett and the 49-State Class, or alternatively, on behalf of Emmett and the Cable Act Subclass, against Comcast): Emmett alleges that Comcast violated various provisions of the Cable Communications Act, 47 U.S.C. §§ 551(a), (c),
1 Emmett’s counsel also filed a related action in California state court on behalf of only California residents. See Scheirer v. Comcast Commc’ns Corp. LLC, et al., No. 25CV116323 (Alameda Cnty. Super. Ct. Mar. 21, 2025). and (e) by failing to prevent access to his and class members’ PII by unauthorized third parties. (Id. ¶¶ 224-36). • Count Two (on behalf of Emmett and the 49-State Class against Comcast): Emmett alleges that Comcast acted negligently by protecting its customers’ PII with inadequate security
measures. (Id. ¶¶ 237-53). • Count Three (on behalf of Emmett and the 49-State Class against Comcast): Emmett alleges that Comcast was negligent per se by failing to provide fair, reasonable, or adequate computer systems and data security practices to safeguard Emmett’s and proposed class members’ PII. (Id. ¶¶ 254-66). • Count Four (on behalf of Emmett and the 49-State Class against Comcast): Emmett alleges that Comcast breached an express contract by failing to protect Emmett’s and proposed class members’ PII. (Id. ¶¶ 267-76). • Count Five (on behalf of Emmett and the 49-State Class against Comcast): Emmett alleged
that Comcast breached an implied contract with Emmett and the proposed class members by failing to protect their PII. (Id. ¶¶ 276-87). • Count Six (on behalf of Emmett and the 49-State Class against Comcast): Emmett alleges that Comcast will be unjustly enriched if it is permitted to retain the benefits derived after the alleged theft of Emmett’s and proposed class members’ PII. (Id. ¶¶ 287-303). • Count Seven (on behalf of Emmett and the 49-State Class against Citrix): Emmett alleges that Citrix negligently failed to implement adequate security measures to protect Emmett’s and proposed class members’ PII. (Id. ¶¶ 303-20). • Count Eight (on behalf of Emmett and the 49-State Class against Citrix): Emmett alleges that Citrix was negligent per se in failing to implement reasonable data security measures to protect and secure Emmett’s and proposed class members’ PII. (Id. ¶¶ 320-30). • Count Nine (on behalf of Emmett and the 49-State Class against Comcast and Citrix):
Emmett seeks a declaratory judgment stating that (1) Comcast owes a legal duty to secure customers’ PII under the common law, 15 U.S.C. § 45, and the Cable Communications Policy Act; (2) Citrix owes a legal duty to secure customers’ PII under the common law and 15 U.S.C. § 45; (3) Comcast and Citrix continue to breach this legal duty by failing to employ reasonable data security measures to safeguard Emmett’s and proposed class members’ PII. Emmett also requests corresponding injunctive relief requiring Comcast and Citrix to employ adequate security protocols consistent with law and industry standards to protect customers’ PII. (Id. ¶¶ 330-38). II. STANDARD OF REVIEW Under 28 U.S.C. § 1441(a), a defendant may remove a civil action filed in a state court if
the federal court would have had original jurisdiction over the action. “The defendants bear the burden of establishing removal jurisdiction and compliance with all pertinent procedural requirements.” Winnick v. Pratt, 2003 WL 21204467, at *2 (E.D. Pa. May 20, 2003) (citing Boyer v. Snap–On Tools Corp., 913 F.2d 108, 111 (3d Cir. 1990)). The removal statutes “are to be strictly construed against removal and all doubts should be resolved in favor of remand.” Boyer, 913 F.2d at 111 (quoting Steel Valley Authority v. Union Switch & Signal Div., 809 F.2d 1006, 1010 (3d Cir.1987)). 28 U.S.C. § 1447(c) states: A motion to remand the case on the basis of any defect other than lack of subject matter jurisdiction must be made within 30 days after the filing of the notice of removal under section 1446(a). If at any time before final judgment it appears that the district court lacks subject matter jurisdiction, the case shall be remanded. 28 U.S.C. § 1447(c). Remand to state court is therefore appropriate for “(1) lack of district court subject matter jurisdiction or (2) a defect in the removal process.” PAS v. Travelers Ins. Co., 7 F.3d 349, 352 (3d Cir. 1993). III. ANALYSIS The Court must decide which motion to address first: the motion to remand or the motion to transfer. There does not appear to be any precedent from the United States Court of Appeals for the Third Circuit governing this issue. Other courts have held that “[w]hen presented with competing motions to remand a case and to transfer venue, a court is to consider the remand motion first, and then address the motion to transfer venue only if it first denies the motion to remand.”
Callen v. Callen, 827 F. Supp. 2d 214, 215 (S.D.N.Y. 2011). Because Emmett’s motion to remand implicates the Court’s subject-matter jurisdiction, a threshold issue, the Court will first address whether remand is appropriate. A. Judicial Estoppel Citrix removed this litigation from the Court of Common Pleas of Allegheny County under 28 U.S.C. § 1441 and the Class Action Fairness Act (“CAFA”), codified at 28 U.S.C. §§ 1332(d) and 1453. (ECF No. 1, p. 1). Emmett is seeking to remand the litigation in part based on the doctrine of judicial estoppel. (ECF No. 25-1). Specifically, Emmett points to Hasson v. Comcast Cable Commc’ns, LLC, et. al., Case No. 2:23-cv-05039 (E.D. Pa.) (“the Hasson action”). The Hasson action, which is comprised of over twenty related class action cases, involves the same
Defendants, identically situated plaintiffs, and “nearly identical allegations.” (Id. at 2, 8 n.3); (see also id. (describing the Hasson action as “a nearly identical case”)). In Hasson, Comcast and Citrix filed a motion to dismiss arguing that the court lacks jurisdiction over the action because the plaintiffs do not have Article III standing. (Id. at 2). Emmett frames Citrix’s position in this litigation and Hasson as inconsistent and irreconcilable. He contends that the doctrine of judicial estoppel prevents Citrix from removing this litigation to federal court (and therefore contending that the Court has jurisdiction over the matter), while contending in a nearly identical case that the plaintiffs lack Article III standing. The Court applies federal judicial estoppel law (regardless of the basis of jurisdiction)
because “[a] federal court’s ability to protect itself from manipulation by litigants should not vary according to the law of the state in which the underlying dispute arose.” G-I Holdings, Inc. v. Reliance Ins. Co., 586 F.3d 247, 261 (3d Cir. 2009). Judicial estoppel is a judge-made doctrine that seeks to prevent a litigant from asserting a position inconsistent with one that he has previously asserted in the same or in a previous proceeding. It is not intended to eliminate all inconsistencies, however slight or inadvertent. It is designed to prevent litigants from “playing fast and loose with the courts.” Scarano v. Central R. Co. of New Jersey, 203 F.2d 510, 513 (3d Cir. 1953) (internal citations omitted). “The basic principle . . . is that absent any good explanation, a party should not be allowed to gain an advantage by litigation on one theory, and then seek an inconsistent
advantage by pursuing an incompatible theory.” Ryan Operations G.P. v. Santiam-Midwest Lumber Co., 81 F.3d 355, 358 (3d Cir. 1996). While there is no rigid test for judicial estoppel, the Third Circuit has enumerated the following factors for courts to consider when determining whether to apply the doctrine: Judicial estoppel may be imposed only if: (1) the party to be estopped is asserting a position that is irreconcilably inconsistent with one he or she asserted in a prior proceeding; (2) the party changed his or her position in bad faith, i.e., in a culpable manner threatening to the court’s authority or integrity; and (3) the use of judicial estoppel is tailored to address the affront to the court’s authority or integrity.
Montrose Med. Grp. Participating Sav. Plan v. Bulger, 243 F.3d 773, 777-78 (3d Cir. 2001). “A party has not displayed bad faith for judicial estoppel purposes if the initial claim was never accepted or adopted by a court or agency.” Id. at 778 (holding that because earlier statements in the same litigation were never accepted or adopted by the court, judicial estoppel was inappropriate); G-I Holdings, 586 F.3d at 262 (“We do not consider [the judicial estoppel factors], however, because, in our Circuit judicial estoppel is generally not appropriate where the defending
party did not convince the District Court to accept its earlier position.”). Nevertheless, it is not impossible for judicial estoppel to apply when a court has not accepted the initial position at issue. It should be applied to “neutralize threats to judicial integrity however they may arise.” Id. For example, in the bankruptcy context, the Third Circuit has applied judicial estoppel, even though no court relied on the debtor’s initial position, because the creditors almost certainly relied on the position, weakening their bargaining position. Krystal Cadillac–Oldsmobile GMC Truck, Inc. v. General Motors Corp., 337 F.3d 314, 324-25 (3d Cir. 2003); see also New Hampshire v. Maine, 532 U.S. 742, 750-51 (2001) (“[C]ourts regularly inquire whether the party has succeeded in persuading a court to accept that party’s earlier position, so that judicial acceptance of an
inconsistent position in a later proceeding would create ‘the perception that either the first or the second court was misled . . . .’ Absent success in a prior proceeding, a party’s later inconsistent position introduces no ‘risk of inconsistent court determinations,’ and thus poses little threat to judicial integrity.” (internal citations omitted)). An inconsistent argument sufficient to invoke judicial estoppel must be attributable to intentional wrongdoing. See Chaveriat v. Williams Pipe Line Co., 11 F.3d 1420, 1428 (7th Cir. 1993); see also Total Petroleum, Inc. v. Davis, 822 F.2d 734 (8th Cir. 1987) (holding that the doctrine only applies to deliberate inconsistencies that are “tantamount to a knowing misrepresentation to or even fraud on the court.”). Comcast and Citrix filed motions to dismiss in the Hasson action arguing that the district court lacked jurisdiction over the action because the plaintiffs failed to establish Article III standing, a prerequisite to jurisdiction. (2:23-cv-05039, ECF Nos. 158, 160). The district court has not yet ruled on these pending motions. Oral argument on the motions is scheduled for September 3, 2025. (2:23-cv-05039, ECF No. 201). Thus, to date, no federal court has accepted
Comcast and Citrix’s arguments that plaintiffs in Hasson lack Article III standing. Even assuming that Citrix’s positions are inconsistent, the Court does not perceive threat to judicial integrity. Further, the Court does not find that Citrix is acting in a manner that amounts to a knowing misrepresentation or fraud on the Court. Comcast, in opposing the remand to state court, highlights that its argument in the Hasson action was formulated after its review of discovery requests and business records specific to the plaintiffs in that litigation. (ECF No. 29, p. 3). None of these facts have been established with regard to Emmett because, unlike in Hasson, discovery has not yet commenced. (Id. at 4). Comcast correctly states that it cannot assume that the facts regarding Emmett will match those of
the plaintiffs in the Hasson action. (Id.). In sum, because Citrix’s position in the Hasson action has not been accepted by any court, and because that litigation is at a more advanced stage, the Court does not find that Citrix’s removal of this action was done in bad faith, or that it presents an affront to the Court’s authority or integrity. The Court holds that judicial estoppel does not apply to prevent Citrix from removing this action from state court.2
2 The Court need not delve into an analysis of whether Citrix’s position in the Hasson action is irreconcilably inconsistent with its position in this matter. B. Subject-Matter Jurisdiction & Article III Standing The next issue is whether removal of this litigation from state court was proper. Emmett does not contend that there was a defect in the removal process. He argues that Citrix did not meet its burden to show that he has Article III standing. (ECF No. 31, p. 6). The Court will focus on whether Emmett has Article III standing, and therefore, whether Citrix established that the Court
has subject-matter jurisdiction over this action.3 Article III of the United States Constitution provides that federal courts may only exercise jurisdiction over “Cases” and “Controversies.” U.S. CONST. art. III, § 2. The doctrine of standing is “an essential and unchanging part of the case-or-controversy requirement of Article III.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 559 (1992). To establish standing, a part must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Id. at 560–61. “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Lujan,
504 U.S. at 560. “A threatened injury must be ‘certainly impending’ to constitute injury in fact,”
3 The posture of this case is somewhat unusual as all parties appear to dance around their positions in the Hasson action. For example, Emmett does not contend that he does not have Article III standing. Instead, he argues that Defendants cannot meet their burden to establish that he does. (ECF No. 25-1, p. 7). Likewise, Citrix does not argue that Emmett has Article III standing. Instead, it acknowledges in its notice of removal that, “Although the Defendants have argued in Hasson that those plaintiffs cannot meet the Article III standing requirements, Plaintiffs disagree and maintain federal court jurisdiction is appropriate (consistent with their filing the Hasson action originally in federal court).” (ECF No. 1, p. 4). No party briefed the standing issue or offers any argument on what element of standing is lacking. Because courts have an independent obligation to assess whether standing exists and “can dismiss a suit sua sponte for lack of subject [matter] jurisdiction at any stage in the proceeding,” Zambelli Fireworks Mfg. Co., Inc. v. Wood, 592 F.3d 412, 420 (3d Cir. 2010), the Court will analyze whether Emmett has Article III standing despite the parties’ lack of briefing on the issue. and “[a]llegations of possible future injury” are insufficient. Whitmore v. Arkansas, 495 U.S. 149, 158 (1990). Standing may be demonstrated at the pleading stage based upon the complaint’s factual allegations. Lujan, 504 U.S. at 561. In the context of a class action, the standing requirement must be satisfied “by at least one named plaintiff.” McNair v. Synapse Grp. Inc., 672 F.3d 213, 223 (3d Cir. 2012); see also O’Shea v. Littleton, 414 U.S. 488, 494 (1974) (“[I]f none
of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.”). A specific line of standing case law has been developed in the data breach context. In Reilly v. Ceridian Corporation, 664 F.3d 38 (3d Cir. 2011), the Third Circuit considered “whether an alleged risk of future identity theft or fraud stemming from a data breach in which an unknown hacker potentially accessed sensitive personal and financial information from a company’s network was sufficiently imminent for purposes of standing.” Clemens v. ExecuPharm Inc., 48 F.4th 146, 153 (3d Cir. 2022) (citing Reilly, 664 F.3d at 38). “Because the plaintiffs in Reilly
alleged a future, hypothetical risk of identity theft or fraud, [the Third Circuit] concluded that they had not suffered an injury-in-fact.” Id. (citing Reilly, 664 F.3d at 42). There, the future harm was “dependent on entirely speculative, future actions of an unknown third-party.” Reilly, 664 F.3d at 42. The Third Circuit noted that it could not “describe how [the plaintiffs] will be injured in th[e] case without beginning [its] explanation with the word ‘if’: if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully, only then will [the plaintiffs] have suffered an injury.” Id. at 43 (emphasis in original). In Reilly, the Third Circuit considered that there was no evidence that the exfiltration was intentional or malicious, that the plaintiffs had not alleged misuse, and that no identifiable taking had occurred. Id. at 44. Thereafter in Clemens v. ExecuPharm Inc., 48 F.4th 146, 153 (3d Cir. 2022), the Third Circuit clarified that it did not create a “bright line rule” in Reilly precluding standing based on identity theft or fraud. Clemens, 48 F.4th at 153. “Instead, Reilly requires consideration of whether
an injury is present versus future, and imminent versus hypothetical.” Id. In determining whether an injury is imminent, the Third Court listed non-exhaustive factors courts should consider: (1) whether the data breach was intentional; (2) whether the data was misused; and (3) whether the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft (i.e., disclosure of social security numbers, birth dates, and names—though, disclosure of financial information alone, without corresponding personal information, is insufficient). Id. at 154. No single factor is dispositive. Id. In determining whether the injury is concrete—that is, “real, and not abstract”—“where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he
alleges that the exposure to that substantial risk caused additional, currently felt concrete harms.” Id. at 155–56. Applying these principles in Clemens, the Third Circuit concluded that the plaintiff alleged a future injury that was sufficiently imminent because (1) the breach was conducted by a known hacking group, which intentionally stole the information, held it for ransom, and published it on the dark web, making it accessible to criminals worldwide; and (2) the nature of the information— a combination of personal and financial information—was the type of data that could be used to perpetrate identity theft or fraud. Id. at 159. Moreover, because intangible harms like the publication of personal information can qualify as concrete, the risk of identity theft or fraud in Clemens constituted an injury-in-fact. Id. Since Clemens, courts within the Third Circuit have analyzed standing in data breach cases using the three-factor test outlined in that case. See, e.g., Alonzo v. Refresco Beverages US, Inc., 2024 WL 4349592, at *5 (D.N.J. Sept. 30, 2024); In re Samsung Data Sec. Breach Litig., 761 F. Supp. 3d 781, 793-800 (D.N.J. 2025). 1. Whether the Data Breach was Intentional
Based on the factual allegations in the complaint, the Court first considers whether the breach was intentional. “[A]ll cyber-attacks involve some degree of intentional conduct just by the very nature of the attack.” McGowan v. CORE Cashless, LLC, 2023 WL 8600561, at *9 (W.D. Pa. Oct. 17, 2023), report and recommendation adopted, 2024 WL 488318 (W.D. Pa. Feb. 8, 2024). Here, Emmett alleges that Comcast and Citrix failed to properly secure and safeguard the personal identifying information of approximately 36 million Comcast customers. (ECF No. 1-1, ¶ 3). He alleges that unknown third-party cybercriminals exploited a vulnerability known in the cybersecurity community as “Citrix Bleed” which allowed the actors to gain unauthorized access to sensitive data contained on Comcast’s internal systems. (ECF No. 1-1, ¶ 126). The complaint
is silent as to the identity of the third-party cybercriminals. As stated by the Court in McGowan: At one end of the “intentionality” spectrum is the situation in Reilly where it was unknown whether the hacker read, copied or understood the data. At the other end of the “intentionality” spectrum is the situation in Clemens where a known hacking group accessed the defendant’s servers through a phishing attack, installed malware to encrypt the data stored on the defendant’s servers, and then held the decryption tools for ransom, threatened to release the information to the Dark Web if the ransom was not paid and did indeed carry out their threat.
McGowan, 2023 WL 8600561 at *9. The Court holds that, like in McGowan, this case is more akin to Reilly than Clemens. Emmett does not allege any facts indicating that the cybercriminals in the data breach at issue had the same type of malicious and sophisticated intent that existed in Clemens. See Clemens, 761 F. Supp. at 157 (holding that the first factor, whether the breach was intentional, weighed in favor of the plaintiffs establishing standing when the plaintiffs alleged that “CLOP,” “a sophisticated ransomware group,” accessed the plaintiff’s data, held it for ransom, and then published it on the dark web”). The complaint does not plead any other facts supporting a finding that the breach had a high degree of intentionality or sophistication. This factor weighs
against finding that Emmett has suffered an injury in fact sufficient to confer Article III standing. 2. Whether the Data was Misused With regard to the second factor, whether the data at issue was misused, Emmett alleges that Plaintiff’s and Class Members’ PII from the Data Breach is already circulating on the “dark web. . . .” Additionally, multiple sets of Comcast/Xfinity data were uploaded to a Torrent site called “Fox Store” where cybercriminals sell and purchase stolen PII. This data was uploaded on October 16, 2023, and October 23, 2023—the first day and one week after the Data Breach. Comcast/Xfinity data affiliated with Plaintiff and Class Members were also uploaded to BlackBet in July and September 2024.
(ECF No. 1-1, ¶ 179); (see also id. ¶ 196 (“The harm faced by Plaintiff and Class Members is substantial and imminent, as unauthorized cybercriminals now have possession of their information, available for their use however and whenever they see fit, including posting or selling that information on the dark web.”); id. ¶ 16 (“Upon information and belief, Plaintiff’s PII has already been stolen and misused.”)). Emmett’s allegations are somewhat undermined by other paragraphs of the complaint. For instance, Emmett alleged: “On information and belief, Plaintiff’s name, date of birth, last four digits of Social Security number, phone number, address, email address, Comcast username(s) and password(s), and/or Comcast security questions and answers were potentially compromised in the Data Breach.” (Id. ¶ 11 (emphasis added)). Emmett acknowledges that Comcast failed to disclose how many consumers’ PII was breached “leaving customers to speculate whether it was likely that their own PII” had been compromised. (Id. ¶ 146). It is unclear how Emmett can assert that cybercriminals have possession of his PII and that his sensitive data is circulating on the “dark web” when he simply asserts that his personally identifying information was “potentially compromised” in the October 2023 Data Breach. The Court finds that Emmett has failed to allege sufficient facts to plausibly show that his
PII was misused by unknown cybercriminals. Emmett does not definitely assert that his information was compromised in the Data Breach. Stating that his information was “potentially compromised” implies that he is speculating as to whether his information was even involved in the Data Breach. Emmett asks the Court to find that his information was misused because it was potentially compromised in the Data Breach and thus potentially may be circulating on the dark web. See Tignor v. Dollar Energy Fund, Inc., 745 F. Supp. 3d 189, 201 (W.D. Pa. 2024) (“[The plaintiff] is not certain that the hackers behind the Data Breach even accessed her [personal identifying information]. [The plaintiff’s] allegations are more akin to the facts presented in Reilly where the Third Circuit held that a plaintiff did not have standing if hackers potentially gained
access to their sensitive information. Without sufficient allegations of misuse, the Court cannot find her alleged injury to be imminent.” (internal citations omitted) (emphasis in original)). While Emmett alleges that “multiple sets of Comcast/Xfinity data” was uploaded to “Fox Store” and “BlackBet,” Emmett does not allege that his PII was involved in either of these uploads. (ECF No. 1-1, ¶ 179). Unlike in Clemens, Emmett has not alleged any attempted identity theft or fraud using any of his PII from which he could assert a heightened risk that he might experience identity theft or fraud in the future. See also Hood v. Educ. Computer Sys., Inc., 2025 WL 1284737, at *5 (W.D. Pa. May 2, 2025) (holding that the plaintiff’s data was misused when the plaintiffs alleged that unauthorized tax returns were filed in their names and unauthorized credit inquiries and attempts to open new accounts were made using their PII); Tignor, 745 F. Supp. at 200-01 (holding that one of the plaintiff’s suffered an actual injury when two alleged fraudulent credit card applications were submitted in her name). Emmett’s allegations are hypothetical and focused on events that may occur in the future. (ECF No. 1-1, ¶ 185 (“Plaintiffs and Class Members who were Xfinity
Mobile or NOW Mobile customers specifically also face an imminent risk of falling victim to ‘SIM-swap’ fraud.”)); (id. ¶ 186 (stating that Emmett and proposed class members “face a substantial and imminent risk of ‘port-out’ fraud discussed previously, whereby cybercriminals hijack a victim’s phone number using the victim’s name, address, birth date, passwords, and the last four digits of his or her Social Security number”)); (id. ¶ 190 (“Plaintiff and Class Members are particularly at risk of additional data breaches because part of the PII stolen in the Data Breach involved their usernames and passwords, which makes it far more likely that Plaintiff and Class Members will be victims of a future ‘credential stuffing’ attack.”)). Emmett alleges that “malicious actors often wait months or years to use the [personal identifying information] obtained in data
breaches.” (Id. ¶ 188). This may very well be so. Nonetheless, the Court cannot find that Emmett’s data was misused based off an unrealized prospect of future fraud or identity theft. See Reilly, 664 F.3d at 41 (““[A]llegations of hypothetical, future injury do not establish standing under Article III.”). Courts have found that data breach plaintiffs lacked standing under similar circumstances. See In re Am. Fin. Res., Inc. Data Breach Litig., 2023 WL 3963804, at *5 (D.N.J. Mar. 29, 2023) (finding that a plaintiff alleging a “criminal” hack by unknown individuals that could not “meaningfully allege that the information accessed in the breach was mass-published onto the dark web, or otherwise disseminated” lacked standing). Further, the alleged “deep psychological impact,” (ECF No. 1-1, ¶ 192) that data breaches have on their victims does not constitute misuse of data. This factor weighs against finding that Emmett has suffered an injury in fact sufficient to confer Article III standing. 3. The Type of Data Implicated in the Breach Finally, the type of information implicated in a data breach may affect whether a plaintiff has standing. Clemens, 48 F.4th at 154. In particular, the “disclosure of social security numbers,
birth dates, and names is more likely to create a risk of identity theft or fraud.” Id. However, even in cases involving disclosure of highly sensitive information, standing is not automatic. See McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 304 (2d Cir. 2021) (“[W]hile the information that was inadvertently disclosed by [the defendant] included the sort of PII that might put [p]laintiffs at a substantial risk of identity theft or fraud, in the absence of any other facts suggesting that the PII was intentionally taken by an unauthorized third party or otherwise misused, this factor alone does not establish an injury in fact.”). Emmett alleges that the highly valuable PII of approximately 36 million Comcast customers was compromised, including customers’ usernames and hashed passwords, names, contact information, full and partial social security
numbers, driver’s license numbers, dates of birth, secret security questions and answers, and other personal data. (ECF No. 1-1, ¶ 3). See Clemens, 48 F.4th at 150 (holding that the third factor weighed in favor of finding standing where the stolen information included “social security numbers, dates of birth, full names, home addresses, taxpayer identification numbers, banking information, credit card numbers, driver’s license numbers, sensitive tax forms, and passport numbers”). The Court finds that, due to the sensitive nature of the potentially impacted data, particularly social security numbers, names, and dates of birth, this factor cuts in favor of a finding that Emmett has alleged an injury in fact. See id. at 157 (finding that the “combination of financial and personal information is particularly concerning as it could be used to perpetrate both identity theft and fraud.”). 4. Weighing of the three Clemens factors Having considered the factors set forth above, the Court concludes that Citrix, as the removing party, has not met its burden of establishing that Emmett has the standing required for
the Court’s subject-matter jurisdiction. On balance, Emmett’s allegations are more consistent with those in Reilly than in Clemens. Even accepting all of his well-pled allegations as true, Emmett has only pled that he will suffer future injuries, which is not necessarily fatal to his claim but requires him to plead that his “injury is certainly impending, or there is a substantial risk that the harm will occur.” See Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (internal quotation marks omitted); Rauhala v. Greater New York Mut. Ins., Inc., 2022 WL 16553382, at *3 (E.D. Pa. Oct. 31, 2022) (“Although an injury that will occur in the future is not fatal to standing, the risk of injury cannot be hypothetical or speculative.” (internal citations omitted)). Emmett has not done so.
Further, the Court holds that Emmett’s alleged time and money expenditures to monitor his financial information does not establish standing because costs incurred to prevent or monitor a speculative chain of future events based on hypothetical criminal acts are no more “actual” injuries than the alleged “increased risk of injury” which form the basis of Emmett’s claims. See Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1, 8 (D.D.C. 2007) (“[T]he ‘lost data’ cases . . . clearly reject the theory that a plaintiff is entitled to reimbursement for credit monitoring services or for time and money spent monitoring his or her credit.”). That Emmett willingly incurred costs to protect against an alleged increased risk of identity theft is not enough to demonstrate a “concrete and particularized” or “actual or imminent” injury. Id.; see also See Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1053 (E.D. Mo. 2009) (holding that the plaintiff lacked standing even though he allegedly spent time and money to protect himself from risk of future injury); Hammond v. Bank of N.Y. Mellon Corp., 2010 WL 2643307, at *4, *7 (S.D.N.Y. June 25, 2010) (noting that the plaintiffs’ “out-of-pocket expenses incurred to proactively safeguard and/or repair their credit” and the “expense of comprehensive credit
monitoring” did not confer standing); Allison v. Aetna, Inc., 2010 WL 3719243, at *5 n.7 (E.D. Pa. Mar. 9, 2010) (rejecting claims for time and money spent on credit monitoring due to a perceived risk of harm as the basis for an injury in fact). In sum, the bulk of Emmett’s alleged injuries are hypothetical and concern only the possibility that he may suffer adverse consequences in the future. (See ECF No. 1-1 ¶¶ 85,185- 86, 188, 190, 198). Emmett’s claims rely on the same speculative chain of events that the Third Circuit rejected in Reilly: “if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully, only then will [plaintiff] have suffered an injury.” Reilly, 664 F.3d at 43 (emphasis in original). Emmett’s
allegations do not establish that he has suffered an “actual or imminent” injury because he has not connected his forward-looking concerns to an imminent injury. Courts in this circuit have routinely held that the plaintiffs do not have standing in cases factually analogous to the instant case. See, e.g., Reilly, 664 F.3d 38; In re Retreat Behav. Health LLC, 2024 WL 1016368 (E.D. Pa. Mar. 7, 2024); In re Am. Fin. Res., Inc. Data Breach Litig., 2023 WL 3963804 (D.N.J. Mar. 29, 2023); McGowan, 2023 WL 8600561. Since the Court finds that Emmett’s claims involve future harms that are merely hypothetical, it finds that Emmett did not allege that he suffered an injury in fact. Thus, he does not have Article III standing, and the Court does not have subject-matter jurisdiction over this action.4 Citrix failed to meet its burden to establish that removal from state court was proper. The Court will remand Emmett’s complaint to the Court of Common Pleas of Allegheny County. Defendants Comcast Cable Communications, LLC and Comcast Corporation’s Motion to Transfer Venue will be denied as moot. IV. CONCLUSION
For the foregoing reasons, the Court will grant Plaintiff’s Motion to Remand or, in the Alternative, Motion for a More Definite Statement (ECF No. 25). The Court will deny Comcast’s Motion to Transfer Venue (ECF No. 22). An Order of Court will follow. BY THE COURT:
s/ William S. Stickman IV WILLIAM S. STICKMAN IV UNITED STATES DISTRICT JUDGE
July 11, 2025 Dated
4 The Court will not address whether the other standing requirements are met (whether the purported injury was fairly traceable to Defendants’ conduct and whether the injury would be redressable by a favorable judicial decision) because of its finding that no injury in fact exists.