IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF PENNSYLVANIA PITTSBURGH KELLEY MCGOWAN, INDIVIDUALLY ) AND ON BEHALF OF ALL OTHERS ) SIMILARLY SITUATED; ) 2:23-CV-00524-MJH )
Plaintiff, ) ) ) vs. )
) CORE CASHLESS, LLC,
Defendant,
Opinion This case had been referred to United States Magistrate Judge Lisa Lenihan1 for pretrial proceedings in accordance with the Magistrate Judges Act, 28 U.S.C. § 636(b)(1), and Rule 72 of the Local Rules for Magistrate Judges. On October 17, 2023, Magistrate Judge Lenihan issued a Report and Recommendation (ECF No. 31) recommending that Defendant’s Motion to Dismiss First Amended Complaint Pursuant to Rule 12(b)(1) be granted and that Defendant’s Motion to Dismiss First Amended Complaint Pursuant to Rule 12(b)(6) be denied as moot (ECF No. 27). The parties were informed that written objections to the Report and Recommendation were due by November 21, 2023. (ECF No. 33). Plaintiff filed timely written objections, and Defendant filed a response to said objections. (ECF Nos. 34 and 35). Following de novo review, Judge Lenihan’s Report and Recommendation will be adopted, and Defendant’s Motion to Dismiss First Amended Complaint
1 The matter has since been referred to Magistrate Judge Kezia O.L.Taylor following the retirement of Magistrate Judge Lenihan. Judge Lenihan authored the instant Report and Recommendation prior to her retirement. Pursuant to Rule 12(b)(1) will be granted and that Defendant’s Motion to Dismiss First Amended Complaint Pursuant to Rule 12(b)(6) will be denied as moot.2 I. Background Because the Court writes primarily for the parties, the Court provides only a condensed
background here. The facts of this case are provided in detail in Judge Lenihan’s Report and Recommendation. (ECF No. 31). Plaintiff, Kelley McGowan, brought this class action against Defendant CORE Cashless, LLC for its failure to properly secure and safeguard Plaintiff’s and Class Members’ personally identifiable information (“PII”) stored within CORE’s information network. (ECF No. 25). Ms. McGowan is a consumer of one of CORE’s clients, Waldameer Park, Inc., which operates an amusement park in Erie, Pennsylvania. Id. at ¶ 16. Ms. McGowan made a payment through Waldameer’s online payment portal which was powered, maintained, and operated by CORE, and in so doing, provided CORE with her PII and financial information. Id. at ¶¶ 16-17. On July 28, 2022, the Secret Service notified CORE that it had identified card numbers for sale on the
Dark Web whose common purchase point was CORE. Id. at ¶ 45. Thereafter, CORE conducted an internal investigation and ultimately determined that, on or around January 29, 2022, a data breach of its clients occurred. The web payment portals of approximately 45 of CORE’s clients were affected by the Data Breach, including at least two Pennsylvania companies. Id. at ¶ 47. CORE directed Plaintiff and the Class Members to take various mitigation steps, such as monitoring their accounts and reporting any suspicious activity or misuse of their personal information. Id. at ¶ 56. Following the notice from CORE of the Data Breach, Plaintiff alleges
2 Rule 72 of the Federal Rules of Civil Procedure provides in pertinent part: “The district judge may accept, reject, or modify the recommended disposition; receive further evidence; or return the matter to the magistrate judge with instructions.” Fed. R. Civ. P. 72(b)(3). she spent time dealing with the consequences of the Data Breach, which included and continues to include time spent: (1) verifying the legitimacy and impact of the Data Breach, (2) exploring credit monitoring and identity theft insurance options, (3) self-monitoring her accounts with heightened scrutiny, and (4) seeking legal counsel regarding her options for remedying and/or
mitigating the effects of the Data Breach. Id. at ¶ 21. As a result of the Data Breach, Plaintiff contends that she suffered actual injury in the form of damages to and diminution in the value of her PII. Id. at ¶ 22. In addition, she claims to have experienced increased anxiety, a loss of privacy, and a substantially increased risk of identity theft and fraud. Id. at ¶ 23. Ms. McGowan alleges common law claims for negligence, negligence per se, breach of implied contract, and unjust enrichment. CORE moved to dismiss Ms. McGowan’s Amended Complaint, pursuant to Fed. R. Civ. P. 12(b)(1), for lack of standing, and Fed. R. Civ. P. 12(b)(6) for failure to state a claim. Magistrate Lenihan recommended dismissing Ms. McGowan’s Amended Complaint for lack for standing and denying her Fed. R. Civ. P. 12(b)(6) motion as moot.
In response to the Report and Recommendation, Ms. McGowan raised three objections: 1. Her allegations establish a concrete injury-in-fact under Article III and Third Circuit precedent for standing; 2. Judge Lenihan’s Report does not recognize Plaintiff’s sufficient allegation of “concrete” injuries and damages; and 3. Judge Lenihan’s Report does not recognize Plaintiff’s sufficient claim for injunctive relief. II. Discussion A. Article III Standing Objection Article III standing is comprised of three elements: “1) injury-in-fact… that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical; (2) a causal connection between the injury and the conduct complained of; and (3) [a likelihood] … that the injury will be redressed by a favorable decision.” McNair v. Synapse Grp. Inc., 672 F.3d 213, 223 (3d Cir. 2012). In its Motion to Dismiss, CORE only challenged Ms. Gowan’s establishment of “injury-in-fact.”
1. Imminent Injury In Clemens v. ExecuPharm, Inc., the Third Circuit “identified a set of non-exhaustive factors” for courts to use in the data breach context to determine whether a plaintiff alleges an “imminent injury” that satisfies the “injury-in-fact” requirement: “1) whether the data breach was intentional; 2) whether the data was misused; and 3) whether the nature of the information accessed through a data breach could subject a plaintiff to a risk of identity theft.” Clemens, 48 F.4th 146, 153–54 (3d Cir. 2022). Ms. McGowan first objects that she sufficiently alleged that the data breach was imminent because the Data Breach was an intentional criminal act, and that an unauthorized third-party gained access to the web payment portals of CORE’s clients by activating a
previously deactivated administrator account and installing a digital skimmer tool to capture the text inputted into online payment portals. Clemens found the intentionality requirement was met “[w]here a laptop with personal unencrypted data was stolen, and the plaintiff alleged that someone attempted to open a bank account in his name,” and “[w]here the plaintiff alleged that personal data had already been stolen and that 9,200 people had incurred fraudulent charges.” Id. at 154. In contrast, in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir.
Free access — add to your briefcase to read the full text and ask questions with AI
IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF PENNSYLVANIA PITTSBURGH KELLEY MCGOWAN, INDIVIDUALLY ) AND ON BEHALF OF ALL OTHERS ) SIMILARLY SITUATED; ) 2:23-CV-00524-MJH )
Plaintiff, ) ) ) vs. )
) CORE CASHLESS, LLC,
Defendant,
Opinion This case had been referred to United States Magistrate Judge Lisa Lenihan1 for pretrial proceedings in accordance with the Magistrate Judges Act, 28 U.S.C. § 636(b)(1), and Rule 72 of the Local Rules for Magistrate Judges. On October 17, 2023, Magistrate Judge Lenihan issued a Report and Recommendation (ECF No. 31) recommending that Defendant’s Motion to Dismiss First Amended Complaint Pursuant to Rule 12(b)(1) be granted and that Defendant’s Motion to Dismiss First Amended Complaint Pursuant to Rule 12(b)(6) be denied as moot (ECF No. 27). The parties were informed that written objections to the Report and Recommendation were due by November 21, 2023. (ECF No. 33). Plaintiff filed timely written objections, and Defendant filed a response to said objections. (ECF Nos. 34 and 35). Following de novo review, Judge Lenihan’s Report and Recommendation will be adopted, and Defendant’s Motion to Dismiss First Amended Complaint
1 The matter has since been referred to Magistrate Judge Kezia O.L.Taylor following the retirement of Magistrate Judge Lenihan. Judge Lenihan authored the instant Report and Recommendation prior to her retirement. Pursuant to Rule 12(b)(1) will be granted and that Defendant’s Motion to Dismiss First Amended Complaint Pursuant to Rule 12(b)(6) will be denied as moot.2 I. Background Because the Court writes primarily for the parties, the Court provides only a condensed
background here. The facts of this case are provided in detail in Judge Lenihan’s Report and Recommendation. (ECF No. 31). Plaintiff, Kelley McGowan, brought this class action against Defendant CORE Cashless, LLC for its failure to properly secure and safeguard Plaintiff’s and Class Members’ personally identifiable information (“PII”) stored within CORE’s information network. (ECF No. 25). Ms. McGowan is a consumer of one of CORE’s clients, Waldameer Park, Inc., which operates an amusement park in Erie, Pennsylvania. Id. at ¶ 16. Ms. McGowan made a payment through Waldameer’s online payment portal which was powered, maintained, and operated by CORE, and in so doing, provided CORE with her PII and financial information. Id. at ¶¶ 16-17. On July 28, 2022, the Secret Service notified CORE that it had identified card numbers for sale on the
Dark Web whose common purchase point was CORE. Id. at ¶ 45. Thereafter, CORE conducted an internal investigation and ultimately determined that, on or around January 29, 2022, a data breach of its clients occurred. The web payment portals of approximately 45 of CORE’s clients were affected by the Data Breach, including at least two Pennsylvania companies. Id. at ¶ 47. CORE directed Plaintiff and the Class Members to take various mitigation steps, such as monitoring their accounts and reporting any suspicious activity or misuse of their personal information. Id. at ¶ 56. Following the notice from CORE of the Data Breach, Plaintiff alleges
2 Rule 72 of the Federal Rules of Civil Procedure provides in pertinent part: “The district judge may accept, reject, or modify the recommended disposition; receive further evidence; or return the matter to the magistrate judge with instructions.” Fed. R. Civ. P. 72(b)(3). she spent time dealing with the consequences of the Data Breach, which included and continues to include time spent: (1) verifying the legitimacy and impact of the Data Breach, (2) exploring credit monitoring and identity theft insurance options, (3) self-monitoring her accounts with heightened scrutiny, and (4) seeking legal counsel regarding her options for remedying and/or
mitigating the effects of the Data Breach. Id. at ¶ 21. As a result of the Data Breach, Plaintiff contends that she suffered actual injury in the form of damages to and diminution in the value of her PII. Id. at ¶ 22. In addition, she claims to have experienced increased anxiety, a loss of privacy, and a substantially increased risk of identity theft and fraud. Id. at ¶ 23. Ms. McGowan alleges common law claims for negligence, negligence per se, breach of implied contract, and unjust enrichment. CORE moved to dismiss Ms. McGowan’s Amended Complaint, pursuant to Fed. R. Civ. P. 12(b)(1), for lack of standing, and Fed. R. Civ. P. 12(b)(6) for failure to state a claim. Magistrate Lenihan recommended dismissing Ms. McGowan’s Amended Complaint for lack for standing and denying her Fed. R. Civ. P. 12(b)(6) motion as moot.
In response to the Report and Recommendation, Ms. McGowan raised three objections: 1. Her allegations establish a concrete injury-in-fact under Article III and Third Circuit precedent for standing; 2. Judge Lenihan’s Report does not recognize Plaintiff’s sufficient allegation of “concrete” injuries and damages; and 3. Judge Lenihan’s Report does not recognize Plaintiff’s sufficient claim for injunctive relief. II. Discussion A. Article III Standing Objection Article III standing is comprised of three elements: “1) injury-in-fact… that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical; (2) a causal connection between the injury and the conduct complained of; and (3) [a likelihood] … that the injury will be redressed by a favorable decision.” McNair v. Synapse Grp. Inc., 672 F.3d 213, 223 (3d Cir. 2012). In its Motion to Dismiss, CORE only challenged Ms. Gowan’s establishment of “injury-in-fact.”
1. Imminent Injury In Clemens v. ExecuPharm, Inc., the Third Circuit “identified a set of non-exhaustive factors” for courts to use in the data breach context to determine whether a plaintiff alleges an “imminent injury” that satisfies the “injury-in-fact” requirement: “1) whether the data breach was intentional; 2) whether the data was misused; and 3) whether the nature of the information accessed through a data breach could subject a plaintiff to a risk of identity theft.” Clemens, 48 F.4th 146, 153–54 (3d Cir. 2022). Ms. McGowan first objects that she sufficiently alleged that the data breach was imminent because the Data Breach was an intentional criminal act, and that an unauthorized third-party gained access to the web payment portals of CORE’s clients by activating a
previously deactivated administrator account and installing a digital skimmer tool to capture the text inputted into online payment portals. Clemens found the intentionality requirement was met “[w]here a laptop with personal unencrypted data was stolen, and the plaintiff alleged that someone attempted to open a bank account in his name,” and “[w]here the plaintiff alleged that personal data had already been stolen and that 9,200 people had incurred fraudulent charges.” Id. at 154. In contrast, in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), an unknown hacker infiltrated defendant’s system and potentially gained access to personal and financial information belonging to plaintiffs and approximately 27,000 employees at 1,900 companies, and it is not known whether the hacker read, copied, or understood the data. Id. at 40. In that context, the Third Circuit held that “there [was] no evidence that the intrusion was intentional or malicious.” Id. at 44. As regards intentionality, Judge Lenihan noted that “all cyber-attacks involve some degree of intentional conduct,” but, in this case, the alleged Data Breach involved an unknown
hacker and where it is unknown whether the hacker, read, copied, or understood the data. And therefore, this case was more akin to Reilly, and Judge Lenihan concluded Ms. McGowan had not alleged the type of sophisticated intent to demonstrate that the data breach was intentional. Following de novo review, the Court concurs with Judge Lenihan’s well-reasoned Report and Recommendation that Ms. McGowan had not sufficiently alleged that the data breach was intentional as defined under Reilly. This Court finds no error in Judge Lenihan’s determination. Ms. McGowan next objects that she has sufficiently alleged “misuse” of the breached data. Specifically, she argues that cybercriminals began misusing the data by offering payment card information for sale on the Dark Web and in support, refers to the allegation that the Secret Service had identified payment card numbers for sale on the Dark Web whose common purchase
point was CORE. Judge Lenihan disagreed and found that “[p]laintiff has failed to allege sufficient facts to plausibly show that her payment card information was misused by the unknown hackers.” (ECF No. 31 at p. 18) (emphasis in original). Following de novo review, the Court concurs with Judge Lenihan’s well-reasoned Report and Recommendation that Ms. McGowan had not sufficiently alleged a specific “misuse” of her information following the alleged data breach. This Court finds no error in Judge Lenihan’s determination. Ms. McGowan next objects that Judge Lenihan erred in concluding that the data breach was unlikely to subject plaintiff to identity theft risk. In the Report and Recommendation, Judge Lenihan noted: The Court finds that the nature of the information accessed through the Data Breach is not likely to subject Plaintiff to a substantial risk of identity theft or fraud. There is no alleged disclosure of social security numbers, dates of birth, driver’s license numbers, taxpayer identification numbers, banking information, sensitive tax forms, and passport numbers.
(ECF No. 31 at pp. 19-20).
Following de novo review, the Court concurs with Judge Lenihan’s well-reasoned Report and Recommendation that Ms. McGowan had not sufficiently alleged disclosure of personal information that would place Plaintiff in a substantial risk of identity theft or fraud. This Court finds no error in Judge Lenihan’s determination. Accordingly, this Court agrees with the determination that Ms. McGowan’s alleged injury is “imminent.” 2. Concrete Ms. McGowan next objects that Judge Lenihan did not appropriately recognize her allegations of “concrete” injuries and damages. The First Amended Complaint alleged that Ms. McGowan’s damages included 1) investment of time and effort to address the impact of the Data Breach, 2) increased anxiety, and 3) diminution of value of personal information. In Reilly, the Third Circuit held that “[plaintiffs’] alleged time and money expenditures to monitor their financial information do not establish standing, because costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased risk of injury’ which form the basis of [plaintiffs’] claims.” 664 F.3d at 46. In finding no concrete injury, Judge Lenihan stated that “Plaintiff’s alleged injuries cannot establish standing for damages because she has failed to show a substantial risk of future harm in the first instance.” She further stated, “any alleged diminution in the value of her personal information cannot establish an injury in fact where it has been determined that Plaintiff
has failed to establish a substantial risk of harm because any alleged future harm remains speculative.” And as to anxiety, Judge Lenihan likewise held that there can be no injury in fact in the absence of a substantial risk of future harm. Following de novo review, the Court concurs with Judge Lenihan’s well-reasoned Report and Recommendation that Ms. McGowan had not sufficiently alleged a concrete injury based upon the absence of plausible allegations of a substantial risk of future harm. This Court finds no error in Judge Lenihan’s determination. B. Injunctive Relief Objection Finally, Ms. Gowan objects that Judge Lenihan improperly dismissed Plaintiff’s claim for injunctive relief based up upon a lack of allegation of substantial future harm. Because Judge
Lenihan found that Ms. McGowan could not demonstrate that she had met the concrete injury requirement necessary for standing, she likewise concluded that Plaintiff lacked standing to pursue injunctive relief. Following de novo review, the Court concurs with Judge Lenihan’s well-reasoned Report and Recommendation that Ms. McGowan had not sufficiently alleged standing that would have warranted injunctive relief. This Court finds no error in Judge Lenihan’s determination. III. Conclusion Following consideration of the foregoing, Judge Lenihan’s Report and Recommendation (ECF No. 31) dated October 17, 2023, will be ADOPTED as the Opinion of this Court. Defendant’s Motion to Dismiss for Lack of Jurisdiction will be GRANTED, and Defendant’s Motion to Dismiss First Amended Complaint Pursuant to Rule 12(b)(6) will be DENIED as moot. A separate order will follow. DATED this 8th day of February, 2024. BY THE COURT:
MARILYN J. United States District Judge