On Appeal from the United States District Court for the District of New Jersey (D.C. Civil Action No. 2-10-cv-05142) District Judge: Hon. Jose L. Linares
The opinion of the court was delivered by: Aldisert, Circuit Judge.
Before: SLOVITER, GREENAWAY, JR. and ALDISERT, Circuit Judges.
Kathy Reilly and Patricia Pluemacher, individually and on behalf of all others similarly situated, appeal from an order of the United States District Court for the District of New Jersey, which granted Ceridian Corporation's motion to dismiss for lack of standing, and alternatively, failure to state a claim. Appellants contend that (1) they have standing to bring their claims in federal court, and (2) they stated a claim that adequately alleged cognizable damage, injury, and ascertainable loss. We hold that Appellants lack standing and do not reach the merits of the substantive issue. We will therefore affirm.
Ceridian is a payroll processing firm with its principal place of business in Bloomington, Minnesota. To process its commercial business customers' payrolls, Ceridian collects information about its customers' employees. This information may include employees' names, addresses, social security numbers, dates of birth, and bank account information.
Reilly and Pluemacher were employees of the Brach Eichler law firm, a Ceridian customer, until September 2003. Ceridian entered into contracts with Appellants' employer and the employers of the proposed class members to provide payroll processing services.
On or about December 22, 2009, Ceridian suffered a security breach. An unknown hacker infiltrated Ceridian's Powerpay system and potentially gained access to personal and financial information belonging to Appellants and approximately 27,000 employees at 1,900 companies. It is not known whether the hacker read, copied, or understood the data.
Working with law enforcement and professional investigators, Ceridian determined what information the hacker may have accessed. On about January 29, 2010, Ceridian sent letters to the potential identity theft victims, informing them of the breach: "[S]ome of your personal information . . . may have been illegally accessed by an unauthorized hacker . . . . [T]he information accessed included your first name, last name, social security number and, in several cases, birth date and/or the bank account that is used for direct deposit." App. 00039. Ceridian arranged to provide the potentially affected individuals with one year of free credit monitoring and identity theft protection. Individuals had until April 30, 2010, to enroll in the free program, and Ceridian included instructions on how to do so within its letter.
On October 7, 2010, Appellants filed a complaint against Ceridian, on behalf of themselves and all others similarly situated, in the United States District Court for the District of New Jersey.*fn1 Appellants alleged that they: (1) have an increased risk of identity theft, (2) incurred costs ...