The U.S. Court of Appeals for the Fourth Circuit recently reversed a trial court’s contrary ruling in a putative class action relating to a data breach and remanded the case back to state court for lack of Article III standing.
In so ruling, the Fourth Circuit held that a plaintiff providing six digits of his Social Security number in alleged violation of state common law and statutory law was not a concrete injury sufficient to warrant Article III standing.
A copy of the opinion in Brady O’Leary v. TrustedID, Inc. is available at: Link to Opinion.
The plaintiff alleged that the defendant company was a subsidiary of a credit reporting agency that suffered a data breach. The credit reporting agency engaged its subsidiary company to inform customers they were impacted by the data breach. The defendant company’s website prompted the impacted individuals to enter six digits of their Social Security number (“SSN”) without requiring a password or other security precautions. The plaintiff alleged that the company shared the six digits of his SSN with the credit reporting agency who experienced the data breach.
The plaintiff filed a putative class action against the company in state court alleging that the company’s practice of requiring six digits of consumers’ SSNs violated South Carolina’s common-law right to privacy and South Carolina’s Financial Identity Fraud and Identity Theft Protection Act (the “Act”). The Act prohibits “requir[ing] a consumer to use his Social Security number or a portion of it containing six digits or more to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site.” S.C. Code Ann. § 37-20-180(A)(4).
The plaintiff argued that the company violated the Act by requiring him to provide more than five digits of his SSNs. The company removed the case to federal court under the federal Class Action Fairness Act (CAFA). The plaintiff filed an amended complaint which added a claim of negligence.
The company moved to dismiss under Fed. R. Civ. Pro. 12(b)(6) for failure to state a claim. While the motion to dismiss was pending, the Supreme Court of the United States issued its ruling in TransUnion LLC v. Ramirez. The plaintiff openly questioned whether he had standing. Ultimately, the trial court held the plaintiff adequately alleged an intangible concrete injury in the manner of an invasion of privacy, which gave the trial court subject matter jurisdiction. However, the trial court granted the company’s motion to dismiss holding that the plaintiff did not plausibly state a claim under the Act or under common law principles of privacy or negligence.
The plaintiff appealed only the trial court’s decision to dismiss his claim under the Act and requested the Appellate Court affirm the trial court’s ruling affirming that he suffered a concrete injury sufficient to give him standing under Article III.
As you may recall, under Article III, a federal court only hears cases or controversies in which (1) a plaintiff “suffered an injury in fact that is concrete, particularized, and actual or imminent,” (2) “the injury was likely caused by the defendant,” and (3) “the injury would likely be redressed by judicial relief.” TransUnion, 141 S. Ct. at 2203. In examining whether the plaintiff properly alleged an Article III injury in fact, the Fourth Circuit noted that there was no case law interpreting the Act under the Article III framework. However, the Appellate Court examined other jurisdictions involving the federal Fair and Accurate Credit Transactions Act (FACTA).
FACTA forbids merchants from printing more than the last five digits of a credit card number or the card’s expiration date on receipts offered to customers. Even though FACTA contains specific restrictions, federal courts still independently determine whether the plaintiff alleging a FACTA violation suffered a concrete injury. For example, the Eleventh Circuit Court of Appeals previously held that a plaintiff receiving a receipt containing the first six and last four digits of his 16-digit credit card number was not enough to establish a concrete injury because the plaintiff did not plausibly allege a material risk of or realistic danger of identity theft. See Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 921. However, the D.C. Circuit Court held that a plaintiff receiving a receipt that exposed the entire credit card number and expiration date constituted a concrete injury because it was sufficient information for a criminal to defraud. See Jeffries v. Volume Servs. Am., Inc., 928 F.3d 1059, 1066 (D.C. Cir. 2019).
The Fourth Circuit also examined its own precedent where plaintiffs whose personal information was compromised in a data breach had not shown an Article III injury based on an alleged “increased risk of future identity theft and the cost of measures to protect against it. See Beck v. McDonald, 848 8 F.3d 262, 267 (4th Cir. 2017). The Fourth Circuit also noted that it previously held that a plaintiff did have Article III standing when the plaintiff was a victim of identity theft traceable to the defendant’s data breach. See Hutton v. National Board of Examiners in Optometry, Inc., 892 F.3d 613, 621–22 (4th Cir. 2018).
The Fourth Circuit noted that Article III excludes plaintiffs who rely on an abstract statutory privacy injury unless it came with a nonspeculative increased risk of identity theft. Here, the plaintiff did not allege that that entering six digits of his SSN on the company’s website or sharing the information with the credit reporting agency somehow raised his risk of identity theft. Because the plaintiff alleged a violation that relied entirely on a procedural violation of a statute, the Fourth Circuit held that this was not sufficient under Article III.
The plaintiff argued further that under the Act he had a privacy interest in his SSN and this right was violated when he gave six digits of his SSN to the company to determine if he was impacted by the credit reporting agency’s data breach. However, the Fourth Circuit distinguished the plaintiff’s allegations of a general right to privacy in his Social Security number coupled with a speculative connection to potential identity theft from other cases where receiving an unwanted telephone call or text message was considered invading the privacy interest in the home. See generally Krakauer v. Dish Network, L.L.C., 925 F.3d 643, 653 (4th Cir. 2019) and Gadelhak v. AT&T Servs., Inc., 950 F.3d 458, 462 (7th Cir. 2020).
The Fourth Circuit held that the plaintiff did not adequately plead that he was injured by the alleged statutory violation of the company at all and he fell short of averring a concrete injury in fact. The Appellate Court did not determine whether the plaintiff stated a claim under the Act.
Because it determined that the plaintiff did not have standing under Article III, the Fourth Circuit vacated and remanded the trial court’s judgment with instructions to remand this case to state court, where the state court could separately determine the merits of the plaintiff’s claims.