The U.S. Court of Appeals for the Fourth Circuit recently reversed a trial court's contrary ruling in a putative class action relating to a data breach, and remanded the case back to state court for lack of Article III standing.
In so ruling, the Fourth Circuit held that a plaintiff providing six (6) digits of his Social Security Number in alleged violation of state common law and statutory law was not a concrete injury sufficient to warrant Article III standing.
A copy of the opinion is available at: Link to Opinion
The plaintiff alleged that the defendant company (Company) was a subsidiary of a credit reporting agency that suffered a data breach. The credit reporting agency engaged its subsidiary company to inform customers they were impacted by the data breach. The defendant company's website prompted the impacted individuals to enter six (6) digits of their Social Security Number ("SSN") without requiring a password or other security precautions. The plaintiff alleged that the Company shared the six (6) digits of his SSN with the credit reporting agency that experienced the data breach.
Plaintiff filed a putative class action against Company in state court alleging that Company's practice of requiring six (6) digits of consumers' SSNs violated South Carolina's common-law right to privacy and South Carolina's Financial Identity Fraud and Identity Theft Protection Act (the "Act"). The Act prohibits "requir[ing] a consumer to use his social security number or a portion of it containing six digits or more to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site." S.C. Code Ann. § 37-20-180(A)(4).
Plaintiff argued that Company violated the Act by requiring him to provide more than five (5) digits of his SSN. The Company removed the case to federal court under the federal Class Action Fairness Act ("CAFA"). Plaintiff filed an amended complaint which added a claim of negligence.
Company moved to dismiss under Fed. R. Civ. Pro. 12(b)(6) for failure to state a claim. While the motion to dismiss was pending, the Supreme Court of the United States issued its ruling in TransUnion LLC v. Ramirez. Plaintiff openly questioned whether or not he had standing. Ultimately, the trial court held Plaintiff adequately alleged an intangible concrete injury in the manner of an invasion of privacy, which gave the trial court subject matter jurisdiction. However, the trial court granted the Company's motion to dismiss holding that Plaintiff did not plausibly state a claim under the Act or under common law principles of privacy or negligence.
Plaintiff appealed only the trial court's decision to dismiss his claim under the Act and requested the Appellate Court affirm the trial court's ruling affirming that he suffered a concrete injury sufficient to give him standing under Article III.
As you may recall, under Article III, a federal court only hears cases or controversies in which (1) a plaintiff "suffered an injury in fact that is concrete, particularized, and actual or imminent," (2) "the injury was likely caused by the defendant," and (3) "the injury would likely be redressed by judicial relief." TransUnion, 141 S. Ct. at 2203. In examining whether the Plaintiff properly alleged an Article III injury in fact, the Fourth Circuit noted that there was no case law interpreting the Act under the Article III framework. However, the Appellate Court examined decisions from other jurisdictions involving the federal Fair and Accurate Credit Transactions Act ("FACTA").
FACTA forbids merchants from printing more than the last five digits of a credit card number or the card's expiration date on receipts offered to customers. Even though FACTA contains specific restrictions, federal courts still independently determine whether the plaintiff alleging a FACTA violation suffered a concrete injury. For example, the Eleventh Circuit Court of Appeals previously held that a plaintiff receiving a receipt containing the first six and last four digits of his sixteen-digit credit card number was not enough to establish a concrete injury because the plaintiff did not plausibly allege a material risk of or realistic danger of identity theft. See Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 921. However, the D.C. Circuit Court held that a plaintiff receiving a receipt that exposed the entire credit card number and expiration date constituted a concrete injury because it was sufficient information for a criminal to defraud. See Jeffries v. Volume Servs. Am., Inc., 928 F.3d 1059, 1066 (D.C. Cir. 2019).
The Fourth Circuit also examined its own precedent where plaintiffs whose personal information was compromised in a data breach had not shown an Article III injury based on an alleged "increased risk of future identity theft and the cost of measures to protect against it." See Beck v. McDonald, 848 F.3d 262, 267 (4th Cir. 2017). The Fourth Circuit also noted that it previously held that a plaintiff did have Article III standing when the plaintiff was a victim of identity theft traceable to the defendant's data breach. See Hutton v. National Board of Examiners in Optometry, Inc., 892 F.3d 613, 621–22 (4th Cir. 2018).
The Fourth Circuit noted that Article III excludes plaintiffs who rely on an abstract statutory privacy injury unless it came with a nonspeculative increased risk of identity theft. Here, Plaintiff did not allege that entering six digits of his SSN on the Company's website or sharing the information with the credit reporting agency somehow raised his risk of identity theft. Because Plaintiff alleged a violation that relied entirely on a procedural violation of a statute, the Fourth Circuit held that this was not sufficient under Article III.
Plaintiff argued further that under the Act he had a privacy interest in his SSN and this right was violated when he gave six (6) digits of his SSN to the Company to determine if he was impacted by the credit reporting agency's data breach. However, the Fourth Circuit distinguished Plaintiff's allegations of a general right to privacy in his Social Security Number coupled with a speculative connection to potential identity theft from other cases where receiving an unwanted telephone call or text message was considered invading the privacy interest in the home. See generally Krakauer v. Dish Network, L.L.C., 925 F.3d 643, 653 (4th Cir. 2019) and Gadelhak v. AT&T Servs., Inc., 950 F.3d 458, 462 (7th Cir. 2020).
The Fourth Circuit held that the Plaintiff did not adequately plead that he was injured by the alleged statutory violation of the Company at all and he fell short of averring a concrete injury in fact. The Appellate Court did not determine whether Plaintiff stated a claim under the Act.
Because it determined that Plaintiff did not have standing under Article III, the Fourth Circuit vacated and remanded the trial court's judgment with instructions to remand this case to state court, where the state court could separately determine the merits of Plaintiff's claims.
Ralph T. Wutscher
Maurice Wutscher LLP
Admitted to practice law in Illinois