Recently, in an unpublished opinion, the Ninth Circuit affirmed a District of Nevada court’s finding that a class of taxi cab customers lacked standing to bring claims under the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”). Noble v. Nev. Checker Cab Corp., No. 16-16573, 2018 U.S. App. LEXIS 5963, at *4-5 (9th Cir. Mar. 9, 2018). Noble is the latest in a line of Ninth Circuit cases addressing the “injury in fact” requirement of Article III standing in the context of data breach and privacy law violations. Taken together, these recent cases indicate that courts are requiring plaintiffs to allege a specific harm, or specific risk of harm, to sufficiently plead standing. Without an allegation that sensitive information has made it into the hands of someone likely to use it to commit identity fraud, courts have found that the plaintiffs have not sufficiently alleged the “injury in fact” necessary to standing.
Under FACTA, “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. § 1681c(g). The plaintiffs alleged that certain Nevada cab companies had violated FACTA by printing receipts containing the first digit and last four digits of their customer’s credit cards. The district court granted the defendants’ motion to dismiss on the basis that the plaintiffs did not have standing and not sufficiently alleged a violation of FACTA. Noble v. Nev. Checker Cab Corp., 2016 U.S. Dist. LEXIS 110799, at *10 (D. Nev. Aug. 19, 2016). On appeal, the Ninth Circuit held that the plaintiffs-appellants had sufficiently alleged a violation of FACTA, but had not alleged a sufficiently concrete injury to confer Article III standing. Specifically, the appellants had not alleged that “anyone else had received or would receive a copy of their credit card receipts” or that information printed on the receipts “involve[d] the sort of revelation of information that Congress determined could lead to identity theft.” Id. at *4.
The Ninth Circuit’s analysis in Noble was guided by its recent decision in Bassett v. ABM Parking Servs., 2018 U.S. App. LEXIS 4097 (Feb. 21, 2018). In Bassett, the Ninth Circuit held the defendant violated FACTA when it printed credit card expiration dates on parking garage receipts, but the violation alone did not create a concrete injury necessary for Article III standing. “Bassett did not allege that another copy of the receipt existed, that his receipt was lost or stolen, that he was the victim of identity theft, or even that another person apart from his lawyers viewed the receipt.” Bassett, 2018 U.S. App. LEXIS 4097, at *16 (citations omitted). (citing Meyers v. Nicolet Rest. of De Pere, LLC, 843 F.3d 724, 727 (7th Cir. 2016) (affirming dismissal of claims alleging violation of FACTA expiration date requirement because “without a showing of injury apart from the statutory violation, the failure to truncate a credit card’s expiration date is insufficient to confer Article III standing.”)).
In Bassett, the Ninth Circuit relied on the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), as well as two post-Spokeo circuit cases in which consumer class actions alleging violations of the FACTA’s redaction requirements were dismissed for lack of standing. See Crupar-Weinmann v. Paris Baguette Am., Inc., 861 F.3d 76 (2d Cir. 2017) and Meyers v. Nicolet Rest. of De Pere, LLC, 843 F.3d 724 (7th Cir. 2016). In Spokeo, the plaintiff claimed that Spokeo, Inc., a consumer reporting agency, had willfully failed to comply with the Fair Credit Reporting Act of 1970 (“FCRA”). The FCRA mandates that consumer reporting agencies “follow reasonable procedures to assure maximum possible accuracy of” consumer reports, 15 U. S. C. §1681e(b), and imposes liability on “[a]ny person who willfully fails to comply with any requirement [of the Act] with respect to any” individual, §1681n(a). Spokeo, Inc. operates a “‘people search engine,’ which searches a wide spectrum of databases to gather and provide personal information about individuals to a variety of users, including employers wanting to evaluate prospective employees.” Spokeo, Inc., 136 S. Ct. at 1543. After the plaintiff discovered that his Spokeo-generated profile was inaccurate, he filed a class action complaint alleging that Spokeo had willfully failed to comply with the requirement that it follow reasonable procedures to assure the maximum possible accuracy of its reports. Spokeo, 136 S. Ct. at 1546. The Supreme Court reversed the Ninth Circuit’s holding that the plaintiff had adequately alleged an injury in fact and held that “Article III standing requires a concrete injury even in the context of a statutory violation . . . [Plaintiffs] cannot satisfy the demands of Article III by alleging a bare procedural violation.” 136 S. Ct. 1540, 1549-50 (2016).
Noble, Bassett, and post-Spokeo decisions in other circuits show that courts are unlikely to find a concrete harm where a plaintiff fails to allege that a bad actor is in possession of data that could lead to identity theft or fraud. In Noble and Bassett, the Ninth Circuit emphasized the fact that the allegedly unlawful receipts never fell into the hands of bad actors. By contrast, in Stevens v. Zappos.com, Inc., 2018 U.S. App. LEXIS 5841, (9th Cir. Mar. 8, 2018) and Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), which I wrote about here, the Ninth Circuit found concrete harms based on the plaintiffs’ allegations that there was an “imminent” risk of future identity theft or fraud. In Stevens, thieves stole an unsecured laptop, and in Krottner, hackers breached a server.
Of additional importance is the extent to which the stolen information could lead to identity theft. The data stolen in Stevens and Krottner included information that could foreseeably lead to identity theft, and, for a class of plaintiffs in Stevens, did lead to identity theft. See Stevens, 2018 U.S. App. LEXIS 5841, at *2 (the hacked information included the “names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million Zappos customers.”); Krottner, 628 F.3d at 1140 (the stolen information included “names, addresses, and social security numbers of approximately 97,000 Starbucks employees.”).
By contrast, in Noble, the Ninth Circuit explained that “the alleged FACTA violation here does not involve the sort of revelation of information that Congress determined could lead to identity theft.” Noble, at *4. Specifically, “the first digit of a credit card number merely identifies the brand of the card, and Congress has not prohibited printing the identity of the credit card issuer along with the last five digits of the credit card number.” Noble, at *4-5.