On October 22, a federal judge in the Eastern District of Pennsylvania granted a payroll provider’s motion to dismiss a privacy lawsuit arising from a March 2024 data breach. The plaintiff, a former user of the provider’s services, averred the data breach led to unauthorized changes to her account and subsequent identity theft. The complaint alleged claims of negligence, negligence per se, invasion of privacy, and violations of the New York Deceptive Trade Practices Act against the provider.

The payroll provider moved to dismiss the plaintiff’s claims for lack of standing, arguing that the plaintiff did not suffer an actual injury connected to the data breach. The court found that the plaintiff sufficiently alleged a concrete and particularized injury-in-fact due to the exposure of her personal information. However, the judge concluded the plaintiff did not establish a causal link between her injuries and the data breach — as required to establish Article III standing.

The opinion noted that the provider’s internal investigation determined the breach was limited to certain individuals with California addresses, and that personally identifiable information belonging to the plaintiff — a Pennsylvania resident — was not among those affected. The court determined the plaintiff’s allegations relied on the coincidental timing of the breach and subsequent identity theft, but did not include facts showing her injuries were “fairly traceable” to the breach.

In an accompanying order, the judge dismissed the complaint without prejudice, providing the plaintiff 20 days to file an amended complaint addressing the deficiencies, or the case would be dismissed with prejudice.