MOORE v. HIGHPOINT SOLUTIONS, LLC et al, No. 1:2017cv06266 - Document 22 (D.N.J. 2018)

Court Description: OPINION. Signed by Judge Joseph H. Rodriguez on 6/5/2018. (rtm, )

UNITED STATES DISTRICT COURT
DISTRICT OF NEW JERSEY

JACLYN MOORE, Individually and on Behalf of All Others Similarly Situated, Plaintiff,
v.
HIGHPOINT SOLUTIONS LLC and CHRISTINE M. CUSHMAN, Defendants.

Hon. Joseph H. Rodriguez
Civil Action No. 17-6266

OPINION

This matter is before the Court on motion of Defendant Highpoint Solutions LLC (“HighPoint”) to dismiss the Complaint pursuant to Fed. R. Civ. P. 12(b)(1) and 12(b)(6). The Court has considered the submissions of the parties and heard oral argument on May 30, 2018. For the reasons placed on the record that day, as well as those articulated below, the motion will be granted.

Background

Plaintiff Jaclyn Moore, a HighPoint contract employee since April 2017, has filed a purported Class Action Complaint as the result of a data breach by Defendant Christine M. Cushman, who was HighPoint’s Human Resource Director.

On August 7, 2017, the Montgomery County, Pennsylvania District Attorney’s office and certain news outlets announced that Cushman had stolen approximately one million dollars from HighPoint over a two-year period using private financial information HighPoint maintained concerning subcontractors. Specifically, from May 5, 2015 to June 15, 2017, Cushman used this stolen information to issue herself 45 fraudulent checks totaling $919,301.[1]

[1] The press release provided:

NORRISTOWN, Pa. (Aug. 7, 2017)—Montgomery County District Attorney Kevin R. Steele and East Norriton Township Police Chief Karyl J. Kates announce the arrest of Christine Cushman, 31, of Douglassville, Pa., on felony charges of Theft by Unlawful Taking, Receiving Stolen Property and Identity Theft for stealing $919,301 from her employer, HighPoint Solutions LLC, in East Norriton.

HighPoint Solutions was alerted to the potential thefts by its payroll company, after a bank officer had noticed suspicious multiple direct deposits of significant size going into the defendant’s personal account. The company’s chief financial officer met with East Norriton Township Detective Anthony Caso on July 4, 2017, about the potential theft. The ensuing investigation revealed that Cushman, who was HighPoint Solutions’ director of human resources, was issuing fraudulent payroll checks in the names of four former subcontractors who no longer did business with the company. Cushman’s responsibilities included preparing and reviewing the payroll information before it was submitted to the outside payroll company. The 45 thefts occurred between May 5, 2015 and June 15, 2017 and totaled $919,301.

“Nearly $1 million was stolen from this company by a senior-level, trusted employee. This breach of trust is something that needs to be guarded against by other companies,” said Steele. “Unfortunately, corporate theft is all too prevalent and requires a system of checks and balances within the corporate system to make sure this doesn’t happen.”

(Compl. ¶ 14.)

On August 8, 2017, HighPoint’s CEO John Seitz emailed HighPoint’s employees concerning Cushman’s actions. The e-mail provided:

Colleagues,

By now many of you are aware of the press release from the Pennsylvania District Attorney and subsequent articles regarding Christine Cushman, our former HR Manager. HighPoint indeed was the victim of a corporate theft over the past two years. The details are available in numerous online articles—I’ve attached the most thorough one I’ve found below.

http://www.readingeagle.com/news/article/amity-township-woman-stole-nearly-1-million-from-employer-police-say

The purpose of my email is to explain the actions we have taken, as well as inform you of any risks to the company and employees’ personal and financial information.

By all evidence we’ve seen, HighPoint was the only victim in this theft, as funds were stolen from our bank account. No client, employee, or subcontractor bank account ever received or had any funds withdrawn. Once informed, we took appropriate remediation steps—including notifying the authorities. We have hired an independent, national audit firm to perform a forensic audit of our financial records and our controls to ensure no further damage has occurred beyond what we’ve found, as well as to help strengthen our financial oversight. Although the amount stolen was indeed significant, I can assure you we are a profitable and financially sound company.

For our employees, as I mentioned, all evidence points to only a HighPoint bank account being involved in this theft. However, please understand that our HR Department does have on file (and Ms. Cushman had access to) all employee Social Security information as well as bank account information for those using direct deposit. At this time, we don’t know if employee personal information was also stolen. Please be on alert for any suspicious activity relating to your personal and financial records.

For those customers who ask, please make clear to them that Ms. Cushman did not have access to customer information/invoicing, and we believe there is no risk to customer identity information. We can also assure them that we are a financially sound partner and that we will be filing an insurance claim for this matter.

Finally, we are coordinating all activities and communications strictly with the authorities, and I would ask all employees to refrain from participating in any social media discussions relating to this matter.

Thank you for your patience and understanding during this process.

Sincerely,
John Seitz, Chief Executive Officer
HighPoint Solutions, LLC

(Compl. ¶ 15.)

Seitz e-mailed HighPoint’s employees again on August 10, 2017, as follows:

As a follow up to my Tuesday email regarding the risk of compromise to our employee information (i.e. the “Cushman matter”), we have purchased a corporate-wide LifeLock identity protection subscription for all employees to help monitor and protect each employee’s individual financial records. We have purchased a 12-month plan that covers each U.S.-based employee, plus spouse and 1 child. Ms. Cushman had no involvement in ex-U.S. payroll processing, so we feel the U.S. focus covers all relevant risk. The corporate subscription will take a few days to activate, and we will be sending sign-up directions once available.

In addition, we are communicating the events and our remediation plan to our clients on a case-by-case basis. If you are aware of a customer who has raised concerns about this matter, please direct that inquiry to a HighPoint executive, as we are replying directly to those clients one-on-one. For your benefit, our message to those clients is as follows:

• Once aware of the theft, we took immediate action, including notifying local law enforcement authorities
• As a $170M revenue company, this theft obviously hurt, but in no way affects our standing as a profitable and financially strong partner. We have also submitted an insurance claim to recover most of the loss
• This breach occurred within our HR payroll operations, specific to sub-contractors—separated from our client financial operations that includes timesheet management, project management and invoicing
• We have hired a nationally-accredited audit firm to perform a thorough review of our financial controls and to perform a forensic audit of our financial records

Thank you for your continued patience as we continue to sort out and resolve this matter.

Regards,
John Seitz, Chief Executive Officer
HighPoint Solutions, LLC

(Compl. ¶ 16.)

As a result of the data breach, Plaintiff has alleged that Defendants negligently failed:

to secure and safeguard her personal identifying information (“PII”), and that of, at least, all of HighPoint’s past and current employees, agents, subcontractors, customers and service providers, as well as their families and dependents (the “Class”). This PII includes, but is not limited to, the: names, Social Security numbers, Taxpayer Identification Numbers, birthdates, addresses, telephone numbers, email addresses, healthcare records, salary and bonus details, contract and agreement details, sensitive employment information such as performance evaluations, disciplinary and employment termination details, severance packages, and/or other personal information concerning HighPoint’s past and current employees, agents, subcontractors, customers and service providers, as well as their families and dependents. HighPoint was also negligent in failing to provide timely and adequate notice to Plaintiff and the Class that their PII had been stolen and precisely what types of information were stolen.

(Compl. ¶ 3.)

Against HighPoint, the Complaint alleges negligence, intrusion upon seclusion, breach of fiduciary duty, breach of contract, breach of implied contract, violation of the New Jersey Computer Related Offenses Act, and vicarious liability. There is an additional claim for unjust enrichment against Cushman. HighPoint seeks dismissal of the Complaint.

Motion to Dismiss Standard

Rule 12(b)(1) of the Federal Rules of Civil Procedure permits the dismissal of an action for “lack of subject matter jurisdiction.” “A motion to dismiss for want of standing is also properly brought pursuant to Rule 12(b)(1), because standing is a jurisdictional matter.” Ballentine v. United States, 486 F.3d 806, 810 (3d Cir. 2007). “The party invoking federal jurisdiction bears the burden of establishing the elements of standing, and each element must be supported in the same way as any other matter in which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation.” Focus v. Allegheny Cnty. Court of Common Pleas, 75 F.3d 834, 838 (3d Cir. 1996) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992)).

A Rule 12(b)(1) motion may be treated as either a facial or factual challenge to the court’s subject matter jurisdiction. Davis v. Wells Fargo, 824 F.3d 333, 346 (3d Cir. 2016). A facial attack contests the sufficiency of the pleadings, whereas a factual attack contests the sufficiency of jurisdictional facts. Lincoln Ben. Life Co. v. AEI Life, LLC, 800 F.3d 99, 105 (3d Cir. 2015). When considering a facial attack, the court accepts the plaintiff’s well-pleaded factual allegations as true and draws all reasonable inferences from those allegations in the plaintiff’s favor. In re Horizon Healthcare Services Inc. Data Breach Litigation, 846 F.3d 625, 633 (3d Cir. 2017). When reviewing a factual attack, the court may weigh and consider evidence outside the pleadings. Gould Elecs. Inc. v. United States, 220 F.3d 169, 176 (3d Cir. 2000).

Federal Rule of Civil Procedure 12(b)(6) permits a motion to dismiss “for failure to state a claim upon which relief can be granted[.]” For a complaint to survive dismissal under Rule 12(b)(6), it must contain sufficient factual matter to state a claim that is plausible on its face. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is facially plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id.

Further, a plaintiff must “allege sufficient facts to raise a reasonable expectation that discovery will uncover proof of her claims.” Connelly v. Lane Const. Corp., 809 F.3d 780, 789 (3d Cir. 2016). In evaluating the sufficiency of a complaint, district courts must separate the factual and legal elements. Fowler v. UPMC Shadyside, 578 F.3d 203, 210-11 (3d Cir. 2009) (“Iqbal ... provides the final nail-in-the-coffin for the ‘no set of facts’ standard that applied to federal complaints before Twombly.”). The Court “must accept all of the complaint’s well-pleaded facts as true,” Fowler, 578 F.3d at 210, “and then determine whether they plausibly give rise to an entitlement for relief.” Connelly, 809 F.3d at 787 (citations omitted). Restatements of the elements of a claim, however, are legal conclusions and, therefore, not entitled to a presumption of truth. Burtch v. Milberg Factors, Inc., 662 F.3d 212, 224 (3d Cir. 2011).

Discussion

Plaintiff has conceded through briefing that her claims for breach of contract and breach of implied contract cannot survive and are voluntarily dismissed. Accordingly, the remaining claims are for negligence[2] and breach of fiduciary duty, intrusion upon seclusion,[3] violation of the New Jersey Computer Related Offenses Act,[4] and vicarious liability.[5]

[2] Under New Jersey law, to prove negligence, the plaintiff must establish: (1) a duty of care owed to the plaintiff by the defendant; (2) that defendant breached that duty of care; and (3) that plaintiff’s injury was proximately caused by defendant’s breach. Smith v. Kroesen, 9 F. Supp. 3d 439, 442 (D.N.J. 2014) (citing Endre v. Arnold, 692 A.2d 97 (N.J. Super Ct. App. Div. 1997)).

[3] Intrusion upon seclusion occurs when a plaintiff can show (i) an intentional intrusion (ii) upon the seclusion of another that is (iii) highly offensive to a reasonable person. In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 293 (3d Cir. 2016), cert. denied sub nom. C. A. F. v. Viacom Inc., 137 S. Ct. 624 (2017).

[4] Under the New Jersey Computer Related Offenses Act, a person or enterprise is liable for: “The purposeful or knowing, and unauthorized altering, damaging, taking or destruction of any data, data base, [etc.]; . . . The purposeful or knowing accessing and reckless altering, damaging, destroying or obtaining of any data, data base, [etc.].” N.J. Stat. Ann. § 2A:38A-3.

[5] An employer may be vicariously liable for its employee’s act within the scope of her employment: (1) if the act is of the kind she is employed to perform; (2) if it occurs substantially within the authorized time and space limits; (3) if it is actuated, at least in part, by a purpose to serve the employer; and (4) if force is intentionally used by the employee against another, the use of force is not unexpectable by the employer. Davis v. Devereux Found., 37 A.3d 469, 489-90 (N.J. 2012).

The Constitution limits the subject matter jurisdiction of federal courts to “cases” and “controversies.” See U.S. Art. III § 2. To establish Article III standing, a plaintiff must plead “an ‘injury in fact’ or an ‘invasion of a legally protected interest that is concrete and particularized,’ . . . a ‘causal connection between the injury and the conduct complained of,’ and ‘a likelihood that the injury will be redressed by a favorable decision.’” In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 633 (3d Cir. 2017) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)). See also Anjelino v. N.Y. Times Co., 200 F.3d 73, 88 (3d Cir. 2000) (“Standing is established at the pleading stage by setting forth specific facts that indicate that the party has been injured in fact or that injury is imminent, that the challenged action is causally connected to the actual or imminent injury, and that the injury may be redressed by the cause of action.”).

The Supreme Court has made clear that an “injury in fact” must be “concrete,” which means “it must actually exist.” Spokeo Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016). “Concrete” injuries may be “intangible” or noneconomic, but, like other cognizable injuries, they must be “actual or imminent, not conjectural or hypothetical.” Spokeo, 136 S. Ct. at 1548. See also Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013) (“threatened injury must be certainly impending to constitute injury in fact,” and “[a]llegations of possible future injury” are not sufficient); Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011) (finding, in a data security breach case, “[a]llegations of ‘possible future injury’ are not sufficient to satisfy Article III”).

To determine whether an intangible harm is sufficiently concrete, a court must first decide “whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Spokeo, 136 S. Ct. at 1549. If so, “it is likely to be sufficient to satisfy the injury-in-fact element of standing.” Horizon, 846 F.3d at 637. Next, the court determines “whether Congress has expressed an intent to make an injury redressable;” for, “even if an injury was previously inadequate in law, Congress may elevate it to the status of [a] legally cognizable injur[y].” Id. (quoting Spokeo, 846 F.3d at 637). Even in the context of a statutory violation, however, Article III standing requires a concrete injury. Spokeo, 136 S. Ct. at 1549.

Applying Spokeo, the Third Circuit denied a facial challenge in a Fair Credit Reporting Act case where plaintiff alleged that two laptop computers containing unencrypted personal information of over 800,000 health insurance customers were stolen from the defendant’s headquarters. Horizon, 846 F.3d at 630.

Among the stolen data was names, addresses, member identification numbers, dates of birth, “and in some instances, a Social Security Number and/or limited clinical information.” Id. The breach led to a fraudulent tax return filed in plaintiff's name and to an attempted credit card fraud. Plaintiff was also “denied retail credit because his social security number has been associated with identity theft.” Id.

The Third Circuit held that the alleged injuries were sufficiently “concrete” to confer constitutional standing. First, under Anglo-American law, “unauthorized disclosures of information have long been seen as injurious.” Id. at 638. “The common law alone will sometimes protect a person’s right to prevent the dissemination of private information . . . [and] improper dissemination of information can itself constitute a cognizable injury.” Id. at 638-39. Second, by passing the FCRA, Congress clearly intended to establish “that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm.” Id. at 639. The Court limited its holding as follows:

We are not suggesting that Horizon’s actions would give rise to a cause of action under common law. No common law tort proscribes the release of truthful information that is not harmful to one’s reputation or otherwise offensive. But with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm. It created a private right of action to enforce the provisions of FCRA, and even allowed for statutory damages for willful violations—which clearly illustrates that Congress believed that the violation of FCRA causes a concrete harm to consumers. And since the “intangible harm” that FCRA seeks to remedy “has a close relationship to a harm [i.e. invasion of privacy] that has traditionally been regarded as providing a basis for a lawsuit in English or American courts,” Spokeo, 136 S. Ct. at 1549, we have no trouble concluding that Congress properly defined an injury that “give[s] rise to a case or controversy where none existed before.” Id. (citation and internal quotation marks omitted).

Horizon, 846 F.3d at 639-40.

Here, Plaintiff has not pled a violation of FCRA or another statute that may be read to create standing by its mere violation, as in Horizon. As such, traditional concepts of standing guide the Court’s analysis. See Reilly, 664 F.3d at 41-43 (“Constitutional standing requires an injury-in-fact, which is an invasion of a legally protected interest that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical. . . . [A]llegations of an increased risk of identity theft resulting from a security breach are therefore insufficient to secure standing.”).

In this case, the Court finds that Plaintiff has failed to allege facts demonstrating that she has sustained a concrete injury in fact. Any allegation of an increased risk of identity theft is speculative and conclusory. Plaintiff has pled no facts to indicate that her personal identifying information was even accessed by Cushman, but more importantly, Plaintiff has failed to allege actual misuse of her personal identifying information.

Other courts in this District have held that plaintiffs who similarly alleged that personal information was lost or compromised, without asserting misuse, lacked standing to bring claims following data breaches.

See Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013) (stating that “the Third Circuit expressly determined in Reilly that the ‘alleged time and money expenditures [of the plaintiffs] to monitor their financial information [did] not establish standing . . . because costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased risk of injury’ which form[ed] the basis for’ the plaintiffs’ claims”); Hinton v. Heartland Payment Sys., Inc., No. 09-594, 2006 WL 2177036, at *1 (D.N.J. Mar. 16, 2009); Giordano v. Wachovia Sec., LLC, No. 06-476, 2006 WL 2177036, at *4-5 (D.N.J. July 31, 2006) (“The mere possibility of future harm fails to satisfy the standing requirements of the Supreme Court and the Third Circuit Court of Appeals.”). See also Storm v. Paytime, Inc., 90 F. Supp. 3d 359 (M.D. Pa. 2015) (“[T]he Third Circuit requires its district courts to dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending.”); Allison v. Aetna, Inc., Civ. No. 09-2560, 2010 WL 3719243, at *4-5 (E.D. Pa. Mar. 9, 2010) (finding the “mere possibility of increased risk of identity theft” insufficient to confer standing) (emphasis in original).

Conclusion

For the reasons stated here and those discussed on the record during oral argument, Defendant’s motion to dismiss for lack of standing will be granted. An appropriate Order will issue.

Dated: June 5, 2018

/s/ Joseph H. Rodriguez
Hon. Joseph H. Rodriguez
U.S.D.J.
