MEMORANDUM & ORDER
SEYBERT, District Judge:
This action arises out of a data breach (the "Security Breach") involving Michael Stores Inc. ("Michaels" or "Defendant"), an arts and crafts retail chain. Plaintiff Mary Jane Whalen ("Whalen"), individually and on behalf of all others similarly situated, brings this class action against Defendant asserting claims for breach of implied contract and for violations of New York General Business Law ("GBL") § 349. Defendant has moved to dismiss the Complaint under Federal Rules of Civil Procedure 12(b)(1) for lack of subject matter jurisdiction and 12(b)(6) for failure to state a claim. (Docket Entry 14.) For the reasons that follow, Defendant's motion to dismiss is GRANTED.
BACKGROUND1
I. Factual Background
A. The Security Breach
On January 25, 2014, Michaels initially notified its customers of "possible fraudulent activity on some U.S. payment cards." (Compl., Docket Entry 1, ¶ 1.); (see also "Jan. 2014 Press Release," Arden Aff. Ex. A., Docket Entry 16-1.) Three months later, Michaels confirmed the existence of the Security Breach. (Compl. ¶ 2); (see also "April 2014 Press Release," Arden Aff. Ex. B., Docket Entry 16-2). Michaels reported that hackers used a "highly sophisticated malware," or malicious software, to retrieve the credit and debit card information from the systems of Michaels stores and its subsidiary, Aaron Brothers. (See April 2014 Press Release.) Notably, there was no evidence that the hackers retrieved any other customer information, such as names, addresses, or PIN numbers. (See April 2014 Press Release.) Michaels estimated that approximately 2.6 million cards may have been affected during the time period between May 8, 2013 and January 27, 2014 (the "Time Period"). (Compl. ¶¶ 13-16.) As a result, Michaels offered free credit monitoring services for twelve months. (See April 2014 Press Release.)
Whalen was one of Michaels' customers during the Time Period. She alleges that she made purchases with her credit card at a Michaels retail location in Manhasset, New York on December 31, 2013. (Compl. ¶ 7.)
B. The Alleged Harm
The Complaint alleges that Whalen has suffered actual damages and faces an increased risk of future harm. As to actual damages, Whalen essentially alleges five different types of injuries: (1) "actual damages including monetary losses arising from unauthorized bank account withdrawals, fraudulent card payments, and/or related bank fees charged to their accounts," (Compl. ¶ 49); (2) the loss of time and money associated with credit monitoring and obtaining replacement cards, (Compl. ¶ 54); (3) overpayment of Michaels' services because Whalen would not have shopped at Michaels had she known that Michaels did not properly safeguard her personal identified information ("PII"), (Compl. ¶¶ 24, 70-71); (4) the lost value of Whalen's credit card information, (Compl. ¶ 35-37); and (5) a statutory violation of GBL § 349, (Compl. ¶¶ 74-98).
Of particular relevance is that Whalen only experienced one attempted fraudulent charge. Following the Security Breach, her credit card "was physically presented for payment to a gym in Ecuador" and "physically presented for payment to a concert ticket company" also in Ecuador. (Compl. ¶ 7.) These charges occurred after Whalen shopped at Michaels in December 2013. (Compl. ¶ 7.) But Whalen does not allege that the attempted charges were approved or that she suffered any financial loss. (See generally Compl.) Rather, she cancelled her credit card and has not experienced any other attempted fraudulent charges. (Compl. ¶ 7.)
Whalen also alleges potential future harm as a result of the Security Breach. Whalen asserts that she has suffered damages arising out of "costs associated with identity theft and the increased risk of identity theft." (Compl. ¶ 52.) But she concedes that "fraudulent use of cards might not be apparent for years." (Compl. ¶ 50 (emphasis added).)
II. Procedural History
Whalen commenced this action on December 2, 2014. On February 27, 2015 Defendant filed a motion to dismiss. (Docket Entry 14.) In support, Defendant argues that: (1) Whalen lacks Article III standing because she failed to allege any actual damages arising out of the Security Breach or any future injuries that are "certainly impending," and (2) even if Whalen did have standing, she has failed to establish claims for breach of implied contract and for violation of GBL § 349. (Def.'s Br., Docket Entry 15, at 7, 10, 19, 21.) Whalen argues in opposition that she has already suffered from identity theft and continues to face an increased risk of future harm. (Pl.'s Opp. Br., Docket Entry 21, at 5-6.)
DISCUSSION2
I. Motion to Dismiss under Rule 12(b)(1)
A. Legal Standard
To survive a motion to dismiss under 12(b)(1), a plaintiff must establish subject matter jurisdiction. See Makarova v. United States, 201 F.3d 110, 113 (2d Cir.2000) (citations omitted). In resolving the motion, the Court may consider affidavits and other materials beyond the pleadings to resolve jurisdictional questions. See id. (citing Kamen v. Am. Tel. & Tel. Co., 791 F.2d 1006, 1011 (2d Cir.1986)). The Court must accept as true the factual allegations contained in the Complaint, but it will not draw argumentative inferences in favor of Plaintiffs because subject matter jurisdiction must be shown affirmatively. See Morrison v. Nat'l Australia Bank Ltd., 547 F.3d 167, 170 (2d Cir.2008) (citations omitted).
B. Article III Standing3
Defendant argues that Whalen lacks Article III standing because she has not alleged any actual damages arising out of the Security Breach and does not face a threat of "certainly impending" injuries. (Def.'s Br. at 7, 10.) The Court agrees.
"Standing is `the threshold question in every federal case,' and implicates the Court's subject matter jurisdiction." Cohan v. Movtady, 751 F.Supp.2d 436, 439 (E.D.N.Y.2010) (quoting Ross v. Bank of Am., N.A. (USA), 524 F.3d 217, 222 (2d Cir.2008)). To establish standing under Article III of the Constitution, a plaintiff must show that the injury-in-fact is: (1) concrete, particularized, and actual or imminent; (2) fairly traceable to the defendant's conduct; and (3) redressable by a favorable court decision. Liberty Global Logistics LLC v. U.S. Mar. Admin., No. 13-CV-0399, 2014 WL 4388587, at *3 (E.D.N.Y. Sept. 5, 2014) (citing Carver v. City of N.Y., 621 F.3d 221, 225 (2d Cir. 2010)). "The party invoking federal jurisdiction bears the burden of establishing these elements." Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 2136, 119 L.Ed.2d 351 (1992) (citations omitted).
In the class action context, plaintiffs "must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." Warth v. Seldin, 422 U.S. 490, 503, 95 S.Ct. 2197, 2207, 45 L.Ed.2d 343 (1975) (emphasis added). Thus, "if none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of [herself] or any other member of the class." O'Shea v. Littleton, 414 U.S. 488, 494, 94 S.Ct. 669, 675, 38 L.Ed.2d 674 (1974) (citations omitted).
1. Actual Harm
First, Whalen argues that she has standing because she experienced unauthorized fraudulent charges. (Pl.'s Opp. Br. at 6.) For this point, the Court embraces the reasoning of the Northern District of Illinois in In re Barnes & Noble Pin Pad Litigation, which confronted similar circumstances. No. 12-CV-8617, 2013 WL 4759588, at *6 (N.D.Ill. Sept. 3, 2013). In that case, hackers collected the credit and debit card information of various Barnes & Noble customers. Id. at *1. But only one customer experienced fraudulent charges after shopping at Barnes & Noble. She was contacted by her credit card company, cancelled her credit card, and experienced no further unauthorized activity. Id. at *2.
Ultimately, the court granted Barnes & Noble's motion to dismiss the complaint because, among other things, the customer suffered no out-of-pocket losses. Id. at *6. The court emphasized that "[e]ven assuming the fraudulent charge [was] due to the actions or inactions of Barnes & Noble, [the customer] has not pled that actual injury resulted and that she suffered any monetary loss due to the fraudulent charge." Id. The court reasoned that "[i]n order to have suffered an actual injury, [plaintiff] must have had an unreimbursed charge on her credit card." Id.
But Whalen has not alleged that she suffered any unreimbursed charges. To the contrary, she asserts only that her credit card was "physically presented for payment in Ecuador." (Compl. ¶ 7.) There are no allegations that Whalen was required to pay the charges made in Ecuador. Accord In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1159 (D.Minn. 2014) (conferring standing where the plaintiffs pleaded allegations of "unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees"); In re Michaels Stores Pin Pad Litig., 830 F.Supp.2d 518, 527 (N.D.Ill.2011) (observing that the plaintiff "suffered monetary losses from unauthorized bank account withdrawals and/or related bank fees charged to their accounts"); (see also "In re Michaels Stores Pin Pad Litig. Complaint," Arden Aff. Ex. C., Docket Entry 16-3, ¶¶ 16-19.) (listing the dates where financial loss occurred and the amounts lost). And as Defendant aptly recognizes, even if the pending Ecuador charges were accepted by the bank, Whalen would not have suffered any liability "given the zero-fraud-liability policy of every major card issuer in the country, including Whalen's card issuer." (Def.'s Br. at 7.) (referring to the American Express website and how credit card holders "are not liable for fraudulent purchases") Thus, the Court finds that these allegations do not confer standing.
Whalen also argues that she has standing because she lost time and money associated with credit monitoring and other mitigation expenses. (Pl.'s Opp. Br. at 8.) But the Supreme Court has dismissed this type of argument, explaining that plaintiffs "cannot manufacture standing" through credit monitoring. Clapper v. Amnesty Int'l USA, ___ U.S. ___, 133 S.Ct. 1138, 1151, 185 L.Ed.2d 264 (2013). "If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear." Id. That conclusion rings especially true here where Whalen cancelled her affected credit card. See Lewert v. P.F. Chang's China Bistro, Inc., No. 14-CV-4787, 2014 WL 7005097, at *3 (N.D.Ill. Dec. 10, 2014) ("[T]here is no reason to believe that identity theft protection was necessary after [the plaintiff] cancelled the affected debit card."). Thus, these allegations are insufficient to confer standing.
The next argument offered by Whalen — that she "paid for her Michaels purchases with a credit card and reasonably expected her data would be safeguarded" — lacks merit. (See Pl.'s Opp. Br. at 8.) Whalen only alleges, in a conclusory fashion, that she "would not have entrusted [her] private and confidential financial and personal information to Defendant" in the absence of Michaels' "oblig[ation] to reasonably safeguard [her] sensitive, non-public information." (See Compl. ¶¶ 70-71.) But Whalen has failed to allege that Michaels charges a different price for credit card payments and cash payments or that Michaels uses any customer payments for its security services. Compare Barnes & Noble, 2013 WL 4759588, at *5 (rejecting a similar argument, "particularly as Plaintiffs have not pled that [the retailer] charged a higher price for goods whether a customer pays with credit, and therefore, that additional value is expected in the use of a credit card") with In re LinkedIn User Privacy Litig., No. 12-CV-3088, 2014 WL 1323713, at *7 (N.D.Cal. Mar. 28, 2014) (granting Article III standing where the plaintiff only purchased the company's premium subscription based on the company's representation that "its users' data will be secured with industry standards and technology"). As such, this allegation does not amount to an injury-in-fact as required under Article III.
Whalen's argument that her credit card information has lost value is likewise without merit. (See Pl.'s Opp. Br. at 10.) Simply stated, Whalen has failed to allege how her credit card information or PII became less valuable after the Security Breach. Instead, Whalen merely asserts that "[c]onsumers ... place economic value on the ability to restrict improper access to their personal information...." (Pl.'s Opp. Br. at 10.) Thus, without allegations about how her cancelled credit card information lost value, Whalen does not have standing on this ground. See Galaria v. Nationwide Mut. Ins. Co., 998 F.Supp.2d 646, 660 (S.D.Ohio 2014) (dismissing an argument that the value of the plaintiffs' PII diminished where they "failed to allege any facts explaining how their PII became less valuable to them (or lost all value) by the data breach") (alteration in original).
Nor does a statutory violation save Whalen's argument. Whalen asserts that Michaels violated her statutory rights under GBL § 349. (Pl.'s Opp. Br. at 11.) But as the Third Circuit made clear, "[t]he proper analysis of standing focuses on whether the plaintiff suffered an actual injury, not on whether a statute was violated." Doe v. Nat'l Bd. of Med. Exam'rs, 199 F.3d 146, 153 (3d Cir.1999). As a result, because Whalen merely asserted a violation of GBL § 349, she does not have standing on this basis.
2. Increased Risk of Future Harm
Next, Whalen argues that she has presented a threat of "certainly impending" injury because she faces threats of identity theft and fraudulent charges. (Pl.'s Opp. Br. at 12.) But Defendant argues, and the Court agrees, that these allegations of future harm are too remote to establish an injury-in-fact for Article III purposes. (See Def.'s Br. at 10.)
"[T]he injury-in-fact requirement... helps to ensure that the plaintiff has a `personal stake in the outcome of the controversy.'" Susan B. Anthony List v. Driehaus, ___ U.S. ___, 134 S.Ct. 2334, 2341, 189 L.Ed.2d 246 (quoting Warth, 422 U.S. at 498, 95 S.Ct. at 2205). Allegations of future harm can establish Article III standing only "if the threatened injury is `certainly impending,' or there is a `substantial risk' that the harm will occur." Id. (quoting Clapper, 133 S.Ct. at 1147, 1150 n. 5). Although the Supreme Court recognized that "imminence is ... a somewhat elastic concept," the plaintiff must provide more than "allegations of possible future injury." Clapper, 133 S.Ct. at 1147 (emphasis in original).
In Clapper v. Amnesty International, the Supreme Court found that plaintiffs lacked standing where, as here, their injury was "highly speculative" and contingent upon a "highly attenuated chain of possibilities." Id. at 1148. In that case, the plaintiffs, a group of lawyers and various human rights organizations, challenged a provision of the Foreign Intelligence Surveillance Act of 1978, which authorized government surveillance of suspected terrorists. Id. at 1145. The plaintiffs feared that the surveillance would affect their ability to "communicate confidential information to their clients," who they suspected were targets of the government surveillance. Id.
The Court ultimately dismissed the claim because the plaintiffs' injuries failed to satisfy the injury-in-fact requirement. Id. at 1148. In reaching this conclusion, the Court found no evidence that the government targeted those individuals or would do so in the future. Id. The Court thus affirmed that plaintiffs may establish Article III standing only when their injury is "certainly impending" or based on a "substantial risk that the harm will occur." Id. at 1147, 1150 n.5 (internal quotation marks and citations omitted).
Before and after Clapper, the vast majority of courts have reached the same conclusion. See, e.g., Hammond v. The Bank of N.Y. Mellon Corp., No. 08-CV-6060, 2010 WL 2643307, at *8 (E.D.N.Y. June 25, 2010) (rejecting standing where the alleged injuries are merely "speculative" and "hypothetical"); In re Zappos.com, Inc., No. 12-CV-0325, 108 F.Supp.3d 949, 954-55, 2015 WL 3466943, at *4 (D.Nev. June 1, 2015) (collecting cases).
Here, Whalen has failed to allege an injury that is "certainly impending" or based on a "substantial risk that the harm will occur." Clapper, 133 S.Ct. at 1147, 1150 n. 5 (internal quotation marks and citations omitted). Although Whalen argues that she faces an increased risk of identity theft, she admits that "fraudulent use of cards might not be apparent for years." (Compl. ¶ 54 (emphasis added).) In fact, it has been nearly two years since the Security Breach, and Whalen has experienced no fraudulent charges after cancelling her credit card. See In re Zappos.com, 108 F.Supp.3d at 958, 2015 WL 3466943, at *8 ("The more time that passes without the alleged future harm actually occurring undermines any argument that the threat of that harm is immediate, impending, or otherwise substantial.") (citing Storm v. Paytime, Inc., 90 F.Supp.3d 359, 367 (M.D.Pa.2015)).
And several cases Whalen cites in support run contrary to the Clapper decision. (Pl.'s Opp. Br. at 14-15); see, e.g., Moyer v. Michaels Stores, Inc., No. 14-CV-0561, 2014 WL 3511500, at *4-5 (N.D.Ill. July 14, 2014) (relying on a pre-Clapper Seventh Circuit decision which held that "an elevated risk of identity theft is a cognizable injury-in-fact"). But see Peters v. St. Joseph Servs. Corp., 74 F.Supp.3d 847, 856 (S.D.Tex. Feb. 11, 2015) (observing that Clapper resolved a circuit split, in which the Seventh and Ninth Circuit previously held that an increased risk of future harm conferred standing, and finding that Clapper "compels the conclusion" that plaintiffs lack standing if their claims "are premised on the heightened risk of future identify theft/fraud").
Nor does the reasoning of the Seventh Circuit in Remijas v. Neiman Marcus Group, LLC apply here. 794 F.3d 688, 693 (7th Cir.2015). There, hackers stole the credit card information of roughly 350,000 Neiman Marcus customers. But one critical distinction in that case is that 9,200 of those customers experienced fraudulent charges following the breach. Id. at 690. By contrast, Whalen's Complaint only indicates that she was affected, and even she did not suffer any out-of-pocket losses. (See Compl. ¶ 7); (see also Pl.'s Opp. Br. at 3, 6).
Simply put, Whalen has not asserted any injuries that are "certainly impending" or based on a "substantial risk that the harm will occur." Clapper, 133 S.Ct. at 1147, 1150 n. 5 (internal quotation marks and citations omitted). Thus, Whalen's claims are DISMISSED WITHOUT PREJUDICE for lack of subject matter jurisdiction, and the Court need not address Defendant's remaining arguments. See JetBlue Airways Corp. v. CopyTele Inc., No. 15-CV-0086, 629 Fed.Appx. 44, 45, 2015 WL 6161774, at *1 (2d Cir. Oct. 21, 2015) ("`Article III deprives federal courts of the power to dismiss a case with prejudice where federal subject matter jurisdiction does not exist.'") (quoting Hernandez v. Conriv Realty Assocs., 182 F.3d 121, 123 (2d Cir.1999)).
CONCLUSION
For the foregoing reasons, Defendant's motion to dismiss the Complaint (Docket Entry 14.) is GRANTED. Whalen's claims are DISMISSED WITHOUT PREJUDICE. The Clerk of the Court is directed to mark this matter CLOSED.
SO ORDERED.