Ahmed Kamal v. J. Crew Group, Inc.
Case Number: 17-2345
Court: United States Court of Appeals for the Third Circuit on appeal from the District of New Jersey (Essex County)
Plaintiff's Attorney: Marvin L. Frank and Peter Y. Lee
Defendant's Attorney: Andrew O. Bunn, Steven R. Marino and Keara M. Gordon
Enacted to combat credit card and identity theft, the Fair and Accurate Credit Transactions Act of 2003 (FACTA) prohibits anyone who accepts credit or debit cards as payment from printing more than the last five digits of a customer’s credit card number on the receipt. 15 U.S.C. § 1681c(g). Plaintiff-Appellant Ahmed Kamal brought this suit after receiving three receipts from Defendants-Appellees J. Crew Group, Inc. (and related entities) that included both the first six and last four digits of his credit card number. The District Court dismissed Kamal’s suit under Federal Rule of Civil Procedure 12(b)(1) for lack of Article III standing based on its determination that Kamal did not suffer a concrete injury from the alleged violation.
We agree, and we will affirm on that issue. We will vacate and remand, however, for the District Court to dismiss Kamal’s complaint without prejudice.
We begin with a review of FACTA’s text and background before turning to the facts and procedural history.
Congress enacted FACTA in 2003 as an amendment to the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681. FACTA was part of Congress’s effort to prevent identity theft. Pub. L. No. 108-159, 117 Stat. 1952. Consistent with that purpose, one of its provisions regulates the information that can be included on receipts given to customers:
Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.
15 U.S.C. § 1681c(g)(1). This provision was “included . . . to limit the number of opportunities for identity thieves to ‘pick off’ key card account information.” S. Rep. No. 108-166, at 13 (2003).
FACTA provides for actual damages and attorneys’ fees and costs to remedy negligent violations. 15 U.S.C. § 1681o(a). Willful violators are liable for “any actual damages . . . or damages of not less than $100 and not more than $1,000,” punitive damages, and attorneys’ fees and costs. Id. § 1681n(a).
In 2008, Congress passed the Credit and Debit Card Receipt Clarification Act (Clarification Act), which provided a temporary safe harbor to merchants that had violated FACTA by including card expiration dates on receipts. Pub. L. No. 110-241, 122 Stat. 1565. Although FACTA requires truncation of card numbers and removal of expiration dates, Congress found many merchants mistakenly believed it only required card number truncation, leading to “hundreds of lawsuits” alleging these merchants’ willful failure to remove the expiration date. Id. § 2(a)(3)–(4). According to Congress, these suits did not contain “allegation[s] of harm to any consumer’s identity,” and “[e]xperts in the field agree that proper truncation of the card number . . . regardless of the inclusion of the expiration date, prevents a potential fraudster from perpetrating identity theft.” Id. § 2(a)(5)–(6). To ensure “consumers suffering from any actual harm to their credit or identity are protected while simultaneously limiting abusive lawsuits that do not protect consumers,” id. § 2(b), the Clarification Act amended FACTA so merchants who printed expiration dates but otherwise complied with FACTA would not be deemed in willful noncompliance, id. § 3; see also 15 U.S.C. § 1681n(d). This safe harbor covers receipts printed between 2004 and 2008. Clarification Act § 3; 15 U.S.C. § 1681n(d).
On December 18, 2014, Kamal visited a J. Crew retail store in Ocean City, Maryland, and made a purchase with a credit card. Four days later, he went to another J. Crew store in Rehoboth Beach, Delaware, and again made a credit card purchase. Finally, about two weeks later, Kamal went to a J. Crew store in Wayne, New Jersey, and made a third purchase. Each time, Kamal “received an electronically printed receipt,” which he retained, that “display[ed] the first six digits of [his] credit card number as well as the last four digits.”1 App. 97, Sec. Am. Compl. ¶ 8. As Kamal notes, the first six digits identify the issuing bank and card type. The receipts he received also identified his card issuer, Discover, by name. Kamal does not allege anyone (other than the cashier) saw his receipts. Neither does he allege his identity was stolen nor that his credit card number was misappropriated.
Six days after the last purchase, Kamal filed his first Class Action Complaint, alleging J. Crew willfully violated FACTA by including on his receipts the first six digits of his credit card number. Kamal sought statutory and punitive damages as well as attorneys’ fees. J. Crew filed a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6), arguing its violations had not been willful. Kamal filed an Amended Complaint, and J. Crew again moved to dismiss on the same grounds. The District Court denied the motion, concluding Kamal plausibly alleged a willful violation. Following the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), J. Crew moved to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1), contending Kamal lacked standing because he did not suffer a “concrete” injury. The District Court agreed that Kamal had not alleged a sufficiently concrete injury and thus lacked standing under Article III. It granted J. Crew’s motion without prejudice and allowed Kamal to file another amended complaint.
1 We note that Kamal did not attach copies of the receipts to his Second Amended Complaint. But he did attach them to previous Complaints he filed, which are included in the Joint Appendix.
Kamal filed his Second Amended Complaint—the operative complaint in this matter. In an effort to address the deficiencies leading to the dismissal of his Amended Complaint, Kamal alleges two “concrete” harms: “the printing of the prohibited information itself and the harm caused by such printing increasing the risk of identity theft.” App. 104, Sec. Am. Compl. ¶ 36. To support these allegations, Kamal contends “[t]he extensive legislative findings by Congress, the Federal Trade Commission, the Department of Justice, and the industry” demonstrate that J. Crew’s conduct “created a real, non-speculative harm in the form of increased risk of identity theft.” Id. The Complaint accordingly includes statements from Congress, industry experts, and government officials to show FACTA was intended to address identity theft. For example, Kamal notes that “[e]xperts . . . told Congress that both non-redacted Card numbers and expiration dates are particularly dangerous in the hands of sophisticated criminals.” App. 104, Sec. Am. Compl. ¶ 37. Similarly, Kamal says, “the Senate found that the specific provision at issue here protected consumers, like Plaintiff, from an intangible harm in the form of enhanced risk of identity theft.” App. 106, Sec. Am. Compl. ¶ 41.
The Complaint also explains how FACTA’s truncation requirement responds to identity theft. Kamal alleges that “[o]ne common modus operandi of identity thieves is to obtain Card receipts that are lost or discarded, or through theft, and use the information on them to commit fraud and theft.” App. 101, Sec. Am. Compl. ¶ 28. FACTA “makes it more difficult for identity thieves to obtain consumers’ Card information by reducing the amount of information identity thieves could retrieve from found or stolen Card receipts.” App. 103, Sec. Am. Compl. ¶ 33. In other words, Congress was responding to “the possibility that identity thieves would be able to piece together credit card numbers and expiration dates to invade consumers’ privacy and exploit their financial resources.” App. 106, Sec. Am. Compl. ¶ 42.
Notwithstanding these additional allegations, J. Crew again moved to dismiss on standing grounds. The District Court noted the two injuries alleged in the Second Amended Complaint—the printing of the prohibited information and the increased risk of identity theft—and rejected both in turn. See Kamal v. J. Crew Grp., Inc., No. 15-0190, 2017 WL 2587617, at *3 (D.N.J. June 14, 2017).2
The court first held the printing of the information on the receipt was not itself a concrete injury. J. Crew’s conduct in giving Kamal a receipt that included his credit card’s first six digits did “not implicate traditional common law privacy interests” because “J. Crew did not ‘disclose’ Kamal’s personal information” and “the [card’s] first six digits do not pertain to the customer’s individual bank account.” Id. As to “the judgment of Congress,” Spokeo, 136 S. Ct. at 1549, the court—relying on quoted portions of the Clarification Act—determined that “Congress sought [through FACTA] to ‘ensure that consumers suffering from any actual harm to their credit or identity are protected,’” Kamal, 2017 WL 2587617, at *4 (quoting Clarification Act § 2(b)) (emphasis added in District Court opinion). Because Kamal had not sustained any actual harm, the court held there was no injury in fact.
2 Because the District Court subsequently reissued an identical opinion, dismissing Kamal’s Second Amended Complaint with prejudice, we cite to the reissued opinion.
The District Court next evaluated whether Kamal’s alleged increased risk of identity theft constituted a concrete injury. The court was unable to “reasonably infer that printing the first six and last four digits of [Kamal’s] credit card materially increased the risk of future harm.” Id. at *4. The court stated that the first six digits of a credit card number identify the bank or card issuer, information that permissibly appears elsewhere on a receipt. It also examined the intervening events that must occur for Kamal’s identity to be stolen and found this chain of future events too speculative to constitute a concrete injury.
Accordingly, because Kamal had alleged only a technical violation of FACTA and not a concrete injury, the District Court held Kamal lacked standing and granted J. Crew’s motion, dismissing without prejudice the Second Amended Complaint. The District Court gave Kamal leave to file another amended complaint.
Kamal moved for reconsideration, or alternatively, for amendment of the court’s order “so as to redenominate it final and appealable,” as Kamal intended to stand on the Second Amended Complaint to establish his Article III standing. Pl.’s Mem. of Law Supp. Mot. Reconsider at 5, Kamal v. J. Crew Grp., Inc., D. Ct. Dkt. No. 87-1, Civ. No. 15-0190 (D.N.J. June 8, 2017). The District Court denied the motion for reconsideration but amended its order to provide for a dismissal with prejudice based on Kamal’s intent to stand on his complaint. Kamal appealed, and J. Crew filed a cross-appeal challenging the District Court’s denial of its motion to dismiss under Rule 12(b)(6) for failure to plausibly plead a willful violation.
The District Court had jurisdiction under 28 U.S.C. § 1331 to resolve the question of standing. We have jurisdiction under 28 U.S.C. § 1291.
“Our review of the District Court’s dismissal of a complaint pursuant to Federal Rule of Civil Procedure 12(b)(1) is de novo.” In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 632 (3d Cir. 2017). The District Court properly determined that J. Crew’s Motion was a facial challenge because it did “not dispute what [the] facts are, but rather whether the facts as plead [sic] create standing.” Kamal, 2017 WL 2587617, at *2; see also Constitution Party of Pa. v. Aichele, 757 F.3d 347, 358 (3d Cir. 2014) (“In reviewing a facial attack, ‘the court must only consider the allegations of the complaint and documents referenced therein and attached thereto, in the light most favorable to the plaintiff.’” (quoting In re Schering Plough Corp. Intron/Temodar Consumer Class Action, 678 F.3d 235, 243 (3d Cir. 2012))). “Although ‘general factual allegations of injury resulting from the defendant’s conduct may suffice,’” Reilly v. Ceridian Corp., 664 F.3d 38, 41 (3d Cir. 2011) (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992)), “the complaint must still ‘clearly and specifically set forth facts sufficient to satisfy’ Article III,” id. (quoting Whitmore v. Arkansas, 495 U.S. 149, 155 (1990)).
Kamal pleaded an injury which no doubt involves a technical violation of FACTA’s ban on printing more than the last five digits of a consumer’s credit card number. We must resolve whether the alleged resulting harm is sufficiently concrete to create an Article III case or controversy.
“Under Article III of the United States Constitution, the power of the judiciary ‘extends only to “Cases” and “Controversies.”’” Long v. Se. Pa. Transp. Auth., 903 F.3d 312, 320 (3d Cir. 2018) (quoting Spokeo, 136 S. Ct. at 1547). “One element of the case-or-controversy requirement is that [plaintiffs], based on their complaint, must establish that they have standing to sue.” Raines v. Byrd, 521 U.S. 811, 818 (1997). The standing doctrine “limits the category of litigants empowered to maintain a lawsuit in federal court” and has “developed in our case law to ensure that federal courts do not exceed their authority as it has been traditionally understood.” Spokeo, 136 S. Ct. at 1547. To maintain a suit, a “plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Id. This appeal involves only the injury-in-fact requirement.
To show injury in fact, a plaintiff must allege “‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Id. at 1548 (quoting Lujan, 504 U.S. at 560). “Th[e] injury . . . must be concrete in both a qualitative and temporal sense,” and an “abstract” injury will not suffice. Whitmore, 495 U.S. at 155.
In Spokeo, the Supreme Court considered Congress’s ability to confer standing for intangible harms, and it established criteria for evaluating whether those harms satisfy Article III. 136 S. Ct. at 1549. The plaintiff alleged the defendant, which operates a “people search engine,” violated the FCRA when it published inaccurate information about him on the Internet. Id. at 1544. On appeal, the United States Court of Appeals for the Ninth Circuit determined the plaintiff satisfied the injury-in-fact requirement because a “violation of a statutory right is usually a sufficient injury in fact to confer standing.” Robins v. Spokeo, Inc., 742 F.3d 409, 412 (9th Cir. 2014), vacated, 136 S. Ct. 1540 (2016). The Supreme Court vacated and remanded the decision of the Ninth Circuit, explaining that “Article III standing requires a concrete injury even in the context of a statutory violation.” Spokeo, 136 S. Ct. at 1549. To assess whether an intangible harm constitutes an injury in fact, the Supreme Court directed courts to look both at the “judgment of Congress” and at history. Id.
The congressional inquiry considers whether Congress has “identif[ied] and elevat[ed]” an intangible harm because, as the Supreme Court recognized, “Congress is well positioned to identify intangible harms that meet minimum Article III requirements” and “its judgment is . . . instructive and important.” Id. The historical inquiry considers “whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Id. This comparison is useful because the Article III case-or-controversy requirement “is grounded in historical practice.” Id.
The Supreme Court cautioned that a plaintiff does not “automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” Id. Congress cannot statutorily manufacture Article III standing in the case of “a bare procedural violation, divorced from any concrete harm.” Id. Rather, a procedural violation must yield or risk actual harm to meet the requirements of Article III.
The Spokeo Court traced this limitation back to Summers v. Earth Island Institute, 555 U.S. 488 (2009), where the Court explained:
[D]eprivation of a procedural right without some concrete interest that is affected by the deprivation—a procedural right in vacuo—is insufficient to create Article III standing. Only a “person who has been accorded a procedural right to protect his concrete interests can assert that right without meeting all the normal standards for redressability and immediacy.”
Id. at 496 (quoting Lujan, 504 U.S. at 572 n.7) (emphasis added in Summers). When a procedural right protects a concrete interest, a violation of that right may create a sufficient “risk of real harm” to the underlying interest to “satisfy the requirement of concreteness.” Spokeo, 136 S. Ct. at 1549; cf. Strubel v. Comenity Bank, 842 F.3d 181, 190 (2d Cir. 2016). In Spokeo, the Court remanded for the Ninth Circuit to address whether the alleged procedural violations “entail a degree of risk sufficient to meet the concreteness requirement.” 136 S. Ct. at 1550. It explained that some FCRA violations, such as “dissemination of an incorrect zip code,” would not suffice because they do not “present any material risk of harm.” Id.
We have applied these principles in four cases. First, in Horizon, after unencrypted laptop computers containing the plaintiffs’ personal information were stolen from a Horizon facility, the plaintiffs sued under the FCRA. 846 F.3d at 630. They contended the company inadequately safeguarded their personal information. Id. at 630–31. We determined the plaintiffs had standing because their alleged injury—unauthorized dissemination of their personal information—was identified by Congress as a cognizable injury under the FCRA, id. at 639, and involved harm that had “long been seen as injurious,” id. at 638. Under Spokeo, the violation of the plaintiffs’ “statutory right to have their personal information secured against unauthorized disclosure” was, “in and of itself, an injury in fact.” Id. at 634; see also In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 274 (3d Cir. 2016) (concluding the “unlawful disclosure of legally protected information” in and of itself constitutes a “de facto injury”).
Second, in Susinno v. Work Out World Inc., 862 F.3d 346 (3d Cir. 2017), the plaintiff alleged a single prerecorded call to her cell phone was a violation of the Telephone Consumer Protection Act (TCPA). Id. at 351. We recognized that Congress had “squarely identified” the plaintiff’s injury in the TCPA. Id. Because the injury was closely related to a common law intrusion upon seclusion claim, Congress was able to elevate the harm—although intangible—to a “legally cognizable injur[y].” Id. at 352 (quoting Spokeo, 136 S. Ct. at 1549).
Third, in St. Pierre v. Retrieval-Masters Creditors Bureau, 898 F.3d 351 (3d Cir. 2018), the plaintiff alleged the defendant debt collection agency violated the Fair Debt Collection Practices Act (FDCPA) when it disclosed his debtor account number through a glassine window on an envelope sent to him through the mail. Id. at 355–56. Noting Horizon’s statement that “unauthorized dissemination of personal information . . . causes an injury in and of itself,” we concluded the plaintiff had standing. Id. at 357 (quoting Horizon, 846 F.3d at 639). The exposure of the account number “‘implicate[d] a core concern animating the FDCPA—the invasion of privacy’—and thus [wa]s closely related to” a traditional harm. Id. at 357–58 (quoting Douglass v. Convergent Outsourcing, 765 F.3d 299, 303 (3d Cir. 2014)).
Finally, in Long, the plaintiffs alleged defendant Southeastern Pennsylvania Transportation Authority (SEPTA) violated the FCRA in two ways. First, “SEPTA did not send [them] copies of their background checks before it decided not to hire them” on the basis of those background checks. Long, 903 F.3d at 317. We determined this injury was sufficiently concrete because the FCRA clearly expressed Congress’s intent to make the injury redressable, and the alleged interference with the plaintiffs’ ability to control their personal information was “analogous” to common law invasions of privacy rights. Id. at 323–24. But the second alleged violation—that SEPTA did not send the plaintiffs notice of their FCRA rights—was a “bare procedural violation” for which there was no standing. Id. at 325 (quoting Spokeo, 136 S. Ct. at 1549). Although the plaintiffs alleged the violation increased the risk that their claims would lapse before they could bring suit, we determined there was no harm because the plaintiffs “became aware of their FCRA rights and were able to file [a] lawsuit.” Id.
We have not yet had occasion to review standing where a procedural violation allegedly presents a “material risk of harm” because, in these past cases, the underlying harm contemplated by Congress had already materialized or failed to materialize. See Long, 903 F.3d at 324 (plaintiffs alleged the defendant took an adverse employment action without providing the required consumer report, “the very harm that Congress sought to prevent”) (internal quotation omitted); St. Pierre, 898 F.3d at 358 (plaintiff alleged unauthorized disclosure of debtor account number, and “invasion of privacy” was “a core concern animating the FDCPA”) (internal quotation omitted); Susinno, 862 F.3d at 351 (plaintiff asserted nuisance and invasion of privacy, “the very harm that Congress sought to prevent” with the TCPA) (internal quotation omitted); Horizon, 846 F.3d at 640 (plaintiffs alleged the unauthorized dissemination of their own private information, “the very injury that FCRA is intended to prevent”). This was in keeping with the Supreme Court’s statement that if violation of a statutory right itself constitutes injury in fact, “a plaintiff . . . need not allege any additional harm beyond the one Congress has identified.” Spokeo, 136 S. Ct. at 1549.
Our precedent recognizes, though, “that there are some circumstances where the mere technical violation of a procedural requirement of a statute cannot, in and of itself, constitute an injury in fact.” Horizon, 846 F.3d at 638. Although we then had “no occasion to consider” those “limiting circumstances,” we are now presented with a case that requires us to “consider the full reach of congressional power to elevate a procedural violation into an injury in fact.” Id. We—like several of our sister circuits—understand Spokeo “to instruct that an alleged procedural violation . . . manifest[s] concrete injury” if the violation actually harms or presents a material risk of harm to the underlying concrete interest. Strubel, 842 F.3d at 190 (citing Spokeo, 136 S. Ct. at 1549); see also Robins v. Spokeo, Inc., 867 F.3d 1108, 1115 (9th Cir. 2017), cert. denied, 138 S. Ct. 931 (2018); Braitberg v. Charter Commc’ns, Inc., 836 F.3d 925, 930 (8th Cir. 2016).3 If the violation does not present a “material risk of harm to that underlying interest,” however, a plaintiff fails to demonstrate concrete injury. Strubel, 842 F.3d at 190 (citing Spokeo, 136 S. Ct. at 1549).4
3 In Horizon, we noted that other courts employed a “material risk of harm” analysis in determining standing after Spokeo. 846 F.3d at 637 n.17. On the facts of Horizon, we did not apply that approach, concluding that Spokeo did not erect “a requirement that a plaintiff show a statutory violation has caused a ‘material risk of harm’ before he can bring suit.” Id. at 637 (quoting Spokeo, 136 S. Ct. at 1550). But Horizon rejected a requirement that a plaintiff show an additional risk of harm when a violation has already harmed a concrete interest identified by Congress. As we have explained, the alleged injury in Horizon—unauthorized dissemination of private information—could “itself constitute a cognizable injury,” id. at 638–39, and was “the very injury that FCRA [was] intended to prevent,” id. at 640.
4 This “material risk of harm” standard also strikes a balance between Congress’s “power to define injuries and articulate chains of causation that will give rise to a case or controversy where none existed before,” Spokeo, 136 S. Ct. at 1549 (quoting Lujan, 504 U.S. at 580 (Kennedy, J., concurring) (internal quotation mark omitted)), and the requirement that—absent a statutory right of action—a threatened harm be “certainly impending” or based on a “substantial risk” of harm to amount to injury in fact, Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409, 414 n.5 (2013). See Summers, 555 U.S. at 497 (“[T]he requirement of injury in fact is a hard floor of Article III jurisdiction that cannot be removed by statute.”).
Kamal has pleaded two allegedly “concrete” injuries: “the printing of the prohibited information itself,” i.e., a violation of FACTA’s plain text, and the “increas[ed] risk of identity theft” resulting from that printing. App. 104, Sec. Am. Compl. ¶ 36. But the procedural violation is not itself an injury in fact, and Kamal has not otherwise alleged a risk of harm that satisfies the requirement of concreteness.
In Spokeo, the Supreme Court instructed courts determining standing to consider Congress’s judgment, as Congress is “well positioned to identify intangible harms that meet minimum Article III requirements.” 136 S. Ct. at 1549. Based on the plain text of FACTA, which requires truncation of all but the last five digits of a consumer’s credit card number, we recognize Congress identified the violation alleged here. By “creat[ing] a private right of action to enforce” FACTA’s provisions and “allow[ing] for statutory damages for willful violations,” Horizon, 846 F.3d at 639, Congress has “expressed an intent to make [the] injury redressable,” id. at 637. See Long, 903 F.3d at 323–24.
But the Clarification Act also expresses Congress’s judgment that not all procedural violations of FACTA will amount to concrete harm. The congressional findings underlying the Act are directed to the risk incurred by printing the expiration date when the card number is properly truncated. Though expiration date truncation is not at issue here, Congress’s action to limit FACTA liability to those claims implicating actual harm accords with our understanding of Article III. Cf. Spokeo, 136 S. Ct. at 1549 (explaining that a plaintiff does not “automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right” because “Article III standing requires a concrete injury even in the context of a statutory violation”). Accordingly, we next consider whether Kamal has pleaded a concrete injury.
As noted, in determining whether “an alleged intangible harm” is concrete, Spokeo directs us to “consider whether [the] harm has a close relationship to a harm that has traditionally been regarded as providing a basis” for a common law action. 136 S. Ct. at 1549; see also Horizon, 846 F.3d at 637 (explaining that if the alleged harm closely relates to a traditional harm, “it is likely to be sufficient to satisfy the injury-in-fact element of standing”). Kamal contends his injury is analogous to common law privacy torts and an action for breach of confidence. Because Kamal’s alleged injury is different in kind than the harms “providing a basis” for these common law actions, we disagree.
Harms actionable under traditional privacy torts include “unreasonable intrusion upon . . . seclusion,” “appropriation of the other’s name or likeness,” “unreasonable publicity given to the other’s private life,” and “publicity that unreasonably places the other in a false light before the public.” Long, 903 F.3d at 324 (quoting Restatement (Second) of Torts § 652A(2)(a)–(d) (1977)). The most analogous tort here is unreasonable publicity, which, as we explained in Horizon, protects against “unauthorized disclosures of information.” 846 F.3d at 638 (quoting Nickelodeon, 827 F.3d at 274); accord Cox Broad. Corp. v. Cohn, 420 U.S. 469, 489 (1975) (noting that the “gravamen” of the injury in a public disclosure case “is the publication of information”). Similarly, a breach of confidence involves “the unconsented, unprivileged disclosure to a third party of nonpublic information that the defendant has learned within a confidential relationship.” Alan B. Vickery, Note, Breach of Confidence: An Emerging Tort, 82 Colum. L. Rev. 1426, 1455 (1982); see also McGuire v. Shubert, 722 A.2d 1087, 1091 (Pa. Super. Ct. 1998) (breach of confidence requires “banker [to] divulge to third persons, without the consent of the customer . . . any information relating to the customer acquired through the keeping of his account” (quoting Peterson v. Idaho First Nat. Bank, 367 P.2d 284, 290 (Idaho 1961))). Importantly, the harm underlying both of these actions transpires when a third party gains unauthorized access to a plaintiff’s personal information.
Kamal’s injury does not have the requisite “close relationship” with these actions because he does not allege disclosure of his information to a third party. See Spokeo, 136 S. Ct. at 1549. Instead, he pleads only that he “received” a FACTA non-compliant receipt after each transaction. App. 97, Sec. Am. Compl. ¶ 8. As Kamal points out, our precedent does not require an “exact historical analog,” Appellant’s Br. at 20, and we have recognized Congress’s ability to define injuries that would not “give rise to a cause of action under common law,” Horizon, 846 F.3d at 639. Yet we still require the harm be “of the same character of previously existing ‘legally cognizable injuries.’” Susinno, 862 F.3d at 352 (quoting Spokeo, 136 S. Ct. at 1549). For example, in Susinno, although the alleged single unwanted telephone call was not the persistent hounding required to state a claim for intrusion upon seclusion, the harm was similar and thus appropriate for Congress to elevate to a concrete injury. Id. at 351–52. As Spokeo reminds us, because comparison to “historical practice” helps us understand the type of harm that meets Article III’s case-or-controversy threshold, it is important that the relationship be “close.” Spokeo, 136 S. Ct. at 1549. Absent disclosure to a third party, Kamal’s injury is unlike the harms recognized by traditional causes of action. Accordingly, historical practice does not weigh in favor of finding a concrete injury on the facts pleaded here. See id.
But the Supreme Court has explained that a “risk of real harm” may “satisfy the requirement of concreteness.” Id. Kamal maintains this inquiry is irrelevant because he has pleaded the violation of a “statutory right to remedy an ‘intangible harm,’” itself sufficient to confer standing. Appellant’s Br. at 24. He points to a passage in Spokeo, where the Court explained that “the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact. In other words, a plaintiff in such a case need not allege any additional harm beyond the one Congress has identified.” 136 S. Ct. at 1549. But this passage lends no help to Kamal. “The emphasized phrase ‘additional harm’ clearly presumes that the putative plaintiff had already suffered a de facto injury resulting from the procedural violation.” Owner-Operator Indep. Drivers Ass’n v. U.S. Dep’t of Transp., 879 F.3d 339, 343 (D.C. Cir. 2018). Because the FACTA violation alleged by Kamal is not itself a concrete injury, his case does not present the circumstances envisioned by Spokeo. Kamal also points to Horizon, where we said that under the FCRA “Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm.” 846 F.3d at 639. Again, in Horizon, it was the alleged injury’s close relationship to a traditional harm that showed it was sufficiently concrete to create standing. Here, absent unauthorized third-party disclosure, Kamal’s alleged FACTA violation is not “an injury in and of itself.” Accordingly, we will evaluate whether the FACTA procedural right protects a concrete interest, and if the violation alleged by Kamal entails a degree of risk sufficient to meet the concreteness requirement. See Spokeo, 136 S. Ct. at 1549–50.
As we have noted, the FACTA provision at issue was part of Congress’s effort to prevent the concrete harm of identity theft. See 117 Stat. at 1952; accord Bassett v. ABM Parking Servs., 883 F.3d 776, 782–83 (9th Cir. 2018) (FACTA’s truncation provision seeks to reduce the risk of identity theft); Katz v. Donna Karan Co., 872 F.3d 114, 116 (2d Cir. 2017) (same); Meyers v. Nicolet Rest. of De Pere, LLC, 843 F.3d 724, 725 (7th Cir. 2016), cert. denied, 137 S. Ct. 2267 (2017) (same). Kamal contends we should defer to what he sees as Congress’s determination that all conduct prohibited by FACTA creates a sufficient risk of identity theft. See Appellant’s Br. at 16. As we have described, Kamal’s Second Amended Complaint devotes much space to showing that Congress enacted FACTA to combat identity theft. See, e.g., App. 104–06, Sec. Am. Compl. ¶¶ 36–41. But the lesson of Spokeo is that we must confirm a concrete injury or material risk exists even when Congress confers a right of action.5 Accordingly, we will review the Second Amended Complaint to see if it “clearly and specifically set[s] forth facts” showing a risk of harm particular to Kamal. Reilly, 664 F.3d at 41 (quoting Whitmore, 495 U.S. at 155 (internal quotation mark omitted)).
Kamal’s Second Amended Complaint broadly alleges that J. Crew’s printing of the first six digits of his credit card number “created a real risk of identity theft.” App. 117–18, Sec. Am. Compl. ¶¶ 99, 101, 103; see also App. 104, Sec. Am. Compl. ¶ 36. These conclusory allegations of risk are insufficient. See Horizon, 846 F.3d at 633 (noting “threadbare recitals of the elements of standing, supported by mere conclusory statements” are “disregard[ed]” at the motion to dismiss stage (internal citation omitted)). Instead, Kamal must plausibly aver how J. Crew’s printing of the six digits presents a material risk of concrete, particularized harm.
5 Furthermore, the congressional “[f]act-[f]inding” Kamal relies on is not particularized to his alleged injury. Appellant’s Br. at 12. Kamal does not point us to any part of the congressional record that considers the risk of identity theft when only the first six and last four digits of a consumer’s credit card are printed on a receipt. Instead, he notes that “[e]xperts . . . recommended [to Congress] that card numbers not be printed in full on receipts, because card numbers are particularly dangerous in the hands of sophisticated criminals.” Id. at 13 (emphasis added); see also App. 104, Sec. Am. Compl. ¶ 37. Because Kamal has not alleged that J. Crew printed his card number “in full,” these congressional findings of risk are not tailored to the FACTA violation he has pleaded.
The closest the Second Amended Complaint comes to alleging material risk of harm is its allegation that “identity thieves . . . obtain Card receipts that are lost or discarded, or through theft, and use the information on them to commit fraud and theft.” App. 101, Sec. Am. Compl. ¶ 28. As the District Court explained, this threat consists of a “highly ‘speculative chain of future events,’” Kamal, 2017 WL 2587617, at *5 (quoting Reilly, 664 F.3d at 46): “Kamal loses or throws away [the receipt], which is then discovered by a hypothetical third party, who then obtains the six remaining truncated digits along with any additional information required to use the card, such as the expiration date, security code or zip code.” Id. Kamal has alleged neither third-party access of his information, nor that the receipt included enough information to likely enable identity theft. Our analysis would be different if, for example, Kamal had alleged that the receipt included all sixteen digits of his credit card number, making the potential for fraud significantly less conjectural. Here, however, we agree with the District Court that this speculative chain of events does not constitute a material risk of harm.6
6 Our opinion in Horizon supports this conclusion. In Horizon, although we did not rely on a “risk of harm” analysis because the unauthorized dissemination of the plaintiffs’ personal information was itself a concrete injury, we also found the alleged data breach created a material risk of identity theft. 846 F.3d at 639 n.19. Specifically, we noted the stolen information was highly personal and could be used to steal one’s identity, and the personal information was easily accessible because Horizon’s laptops were unencrypted. Id. Here, no information has been stolen or disclosed, and even if there was disclosure, the information could not easily be used to steal Kamal’s identity because, as pleaded, a thief would still need to “pick off” the remaining “different bits of information from different sources.” See App. 106, Sec. Am. Compl. ¶ 43 (internal citation omitted).
In responding to J. Crew’s motion to dismiss and in his briefing on appeal, Kamal attempts to supplement his Complaint by referring to a study and accompanying press release that he contends shows “the concrete risk that publication of card numbers creates.” Appellant’s Br. at 15 (citing Mohammed Aamir Ali et al., Does the Online Card Payment Landscape Unwittingly Facilitate Fraud?, 15 IEEE Security & Privacy, Mar–Apr. 2017, at 78–86). Because this study was not attached to or referenced in Kamal’s pleadings, we do not consider either the study or Kamal’s “after-the-fact allegations” related to the study “in determining the sufficiency of [the] complaint.” Frederico v. Home Depot, 507 F.3d 188, 201–02 (3d Cir. 2007).
Although we do not consider it, we observe the study is not relevant to Kamal’s allegations. The study describes how hackers—who begin with none of a consumer’s credit card details—can exploit weaknesses in online payment systems to generate usable card payment details, including card numbers, expiration dates, and card verification value (CVV) numbers. Ali et al., supra, at 78. First, the hacker can theoretically obtain a valid full card number using the first six digits and a common algorithm. Id. at 81. Because this method generates a valid card number (as opposed to a random collection of digits), it must also be verified. Id. Once verified, the hacker can use that anonymous card number on multiple merchants’ online payment pages to systematically guess the remaining card data. Id. at 80. In light of these system weaknesses, the study advises online merchants to uniformly require three fields of card data (card number, expiration date, and CVV) for a purchase, as doing so would mean “the difference between a quick and practical attack, and a tedious, close to impractical attack.” Id. The study thus concerns vulnerabilities in online payment systems that allow hackers to obtain a range of credit card data. Kamal’s assertions about the study’s relevance to his claim take its language out of context and distort its conclusions. Compare Appellant’s Br. at 15, with Ali et al., supra, at 80.
7 Moreover, consideration of the study and accompanying press release would—were it part of our analysis—add additional support for our conclusion that Kamal has not alleged actual harm or material risk of harm. The press release says that “the first six digits” of a credit card “tell you the bank and card type and so are the same for every card from a single provider.” Six Seconds to Hack a Credit Card, Newcastle University (Dec. 2, 2016) (attached as Ex. B. to Frank Decl. Supp. Pl.’s Opp. Defs.’s Mot. Dismiss Sec. Am. Compl., Kamal v. J. Crew Grp., Inc., D. Ct. Dkt. No. 69-3, Civ. No. 15-0190 (D.N.J. Jan. 12, 2017)) (emphasis added). Here, the receipts Kamal received from J. Crew separately identify his card provider, Discover. Taking the press release’s statement as true, the inclusion of the first six digits provides no more information than is already permissibly printed on the receipt, and so could not increase the risk of identity theft.
In sum, absent a sufficient degree of risk, J. Crew’s alleged violation of FACTA is “a bare procedural violation” that does not create Article III standing. Spokeo, 136 S. Ct. at 1549. This result falls within the Supreme Court’s admonition that when Congress “adopt[s] procedures designed to decrease th[e] risk” of harm to a concrete interest, “[a] violation of one of th[ose] procedural requirements may result in no harm.” Id. at 1550.
Our conclusion is in keeping with the decisions of the majority of our sister circuits that have addressed similar issues.
In Katz, the Second Circuit determined a plaintiff lacked standing in a FACTA case based on the improper truncation of the plaintiff’s credit card number. 872 F.3d at 116. The court—which addressed a factual challenge to standing—agreed with the trial court that printing the first six digits was a “bare procedural violation” of FACTA that “did not raise a material risk of harm of identity theft.” Id. at 121. The court deferred to the trial judge’s factual finding that printing the first six digits was “the equivalent of printing the name of the issuing institution, information which need not be truncated under FACTA,” and thus did not increase the risk of harm. Id. at 120.
But in Muransky v. Godiva Chocolatier, Inc., 905 F.3d 1200 (11th Cir. 2018), the Eleventh Circuit found the same alleged FACTA violation “create[d] a concrete injury,” id. at 1211, “the unlawful disclosure of legally protected information,” id. at 1210 (quoting Nickelodeon, 827 F.3d at
8 The court reached this conclusion after finding the FACTA violation was similar to a common law breach of confidence action. Id. at 1209. As we have explained, we do not believe a breach of confidence action is sufficiently analogous absent third-party disclosure. The Eleventh Circuit recognized this incongruity, acknowledging the breach of confidence tort is “complete after the person entrusted with property or information gives it to a third party.” 905 F.3d at 1211.9 Because Kamal has not alleged disclosure to a third party, we disagree that a “close relationship” to a breach of confidence exists, and do not find a concrete injury on this basis.10
Although the Eleventh Circuit did not reach the “risk of harm” analysis, it admonished courts that have “incorporated the fact findings” from other courts’ opinions “into [their own] legal analysis that FACTA violations do not create a concrete injury.” Muransky, 905 F.3d at 1213. The District Court here, in addition to finding the risk of harm too speculative, also found no material risk of harm because printing a credit card’s first six digits “gives an identity thief no more personal information about a person’s account than Congress has permitted to be printed on receipts.” Kamal, 2017 WL 2587617, at *4 (quoting Noble v. Nev. Checker CAB Corp., No. 15-2322, 2016 WL 4432685, at *3 (D. Nev. Aug. 19, 2016)). Because we are presented with a facial challenge to standing, we must consider only the Complaint, viewing it in the light most favorable to Kamal. In this context, we agree with the Eleventh Circuit that we cannot “rely on facts established in . . . older cases.” Muransky, 905 F.3d at 1214; accord S. Cross Overseas Agencies, Inc. v. Wah Kwong Shipping Grp., 181 F.3d 410, 426 (3d Cir. 1999) (“To resolve a 12(b)(6) motion . . . we may [not] take judicial notice of another court’s opinion . . . for the truth of the facts recited therein.”).11 Accordingly, our determination that Kamal has not alleged a concrete injury does not incorporate this analysis. We instead affirm, as explained above, on the grounds that Kamal’s alleged injury is not itself concrete and the alleged risk of identity theft is too speculative to satisfy the requirement of concreteness.
8 In Muransky, the Eleventh Circuit upheld a $6.3 million FACTA class action settlement over an appeal by objecting class members. 905 F.3d at 1204–05. The parties reached the settlement in 2015—before the Supreme Court’s decision in Spokeo—and the defendant never challenged the plaintiff’s standing. Instead, an objecting class member first raised standing at the trial court’s final approval hearing for the settlement. Id. at 1206.
9 Moreover, the sources cited in Muransky recognize that a breach of confidence requires unauthorized disclosure to a third party. See McCormick v. England, 494 S.E.2d 431, 438 (S.C. Ct. App. 1997) (“A confidential relationship is breached if unauthorized disclosure is made to only one person not a party to the confidence.” (quoting Breach of Confidence: An Emerging Tort, 82 Colum. L. Rev. at 1442)); Alicia Solow-Niederman, Beyond the Privacy Torts: Reinvigorating A Common Law Approach for Data Breaches, 127 Yale L.J. Forum 614, 633 (2018) (noting that a breach does not take place until the data holder’s “operations in fact permit a breach of that [personal] data”); Neil M. Richards & Daniel J. Solove, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123, 135 (2007) (“[D]uties of nondisclosure attached to confidential relationships prohibited a person from divulging confidential information to any unauthorized person.”).
10 The Eleventh Circuit held that besides alleging a concrete injury on the basis of the statutory violation, the plaintiff alleged an additional concrete injury: “shouldering the cost of safely keeping or destroying the receipt” to “avoid someone finding [the] credit card number on [the] receipt.” Muransky, 905 F.3d at 1211. This injury was not alleged in Kamal’s Second Amended Complaint and so was not addressed by the District Court’s opinion. Because it was not raised by Kamal, we need not speculate about how such an allegation might change the standing analysis. Cf. Whitmore, 495 U.S. at 155–56 (“A federal court is powerless to create its own jurisdiction by embellishing otherwise deficient allegations of standing.”).
The Ninth and Seventh Circuits have reached conclusions similar to ours in cases involving violations of FACTA’s ban on including credit card expiration dates on receipts. See Bassett, 883 F.3d at 777; Meyers, 843 F.3d at 725–26.12 As we do here, the Ninth Circuit rejected the plaintiff’s proposed analogy to “privacy-based torts centered on wrongful disclosures of information” because the defendant “did not disclose [the plaintiff’s] information to anyone but [the plaintiff].” Bassett, 883 F.3d at 780. The court also found the risk of identity theft too speculative to amount to a concrete injury, “given that [the plaintiff] could shred the offending receipt along with any remaining risk of disclosure.” Id. at 783. Likewise, in Meyers, the Seventh Circuit determined that a restaurant’s failure to truncate the expiration date from a receipt did not “create any appreciable risk of [identity theft]” when the plaintiff “discovered the violation immediately and nobody else ever saw the non-compliant receipt.” Id. at 727.
11 As the Eleventh Circuit explained, “[t]here are a number of problems with relying on facts found in another FACTA case to say [a plaintiff] does not have standing.” Muransky, 905 F.3d at 1213. For example, the other plaintiffs “may have done a poor job at proving standing as a factual matter,” and “in light of evolving technology” there are “variations in the amount of risk related to different disclosures or data breaches.” Id.
12 Because these cases involved FACTA’s expiration date requirement, these courts relied in part on Congress’s statement in the Clarification Act that “failure to truncate a card’s expiration date, without more, does not heighten the risk of identity theft.” Meyers, 843 F.3d at 727; see also Bassett, 883 F.3d at 783. As we have stated, these congressional findings in the Clarification Act are not directly relevant to our analysis of Kamal’s standing. But because both Bassett and Meyers reached other pertinent conclusions in applying Spokeo’s framework, we discuss them here.
Because Kamal lacks standing, we must vacate the District Court’s order dismissing the case with prejudice and remand for the District Court to dismiss without prejudice. The District Court initially dismissed this case without prejudice. After Kamal stated his intention to stand on his Second Amended Complaint and asked the court to amend the disposition to designate it as final, the District Court amended the judgment to dismiss the case with prejudice. Nonetheless, the case should be dismissed without prejudice because the District Court lacked jurisdiction. See Cottrell v. Alcon Labs., 874 F.3d 154, 164 n.7 (3d Cir. 2017) (stating that “[b]ecause the absence of standing leaves the court without subject matter jurisdiction to reach a decision on the merits, dismissals ‘with prejudice’ for lack of standing are generally improper”). Accordingly, we will remand for this limited purpose.
Outcome: For the foregoing reasons, we will affirm the District Court’s judgment that Kamal lacks standing. But we will vacate and remand for the District Court to dismiss the Second Amended Complaint without prejudice. In light of our decision, we need not reach J. Crew’s cross-appeal, and we will dismiss it as moot.