Where a man alleged that South Carolina’s Financial Identity Fraud and Identity Theft Protection Acts were violated when he was required to enter six digits of his social security number, or SSN, to access certain information, but he never alleged any facts plausibly suggesting that doing so raised his risk of identity theft, the mere procedural violation of a statute was insufficient to confer Article III standing.
After nonparty Equifax was subject to a data breach, it engaged its subsidiary, TrustedID, to use TrustedID’s website to inform customers whether they were impacted by the data breach. Brady O’Leary alleges that TrustedID’s website required him to enter six digits of his SSN. In exchange for this information, the website informed O’Leary that he was “not impacted” by Equifax’s data breach.
O’Leary sued TrustedID in state court, alleging that TrustedID’s practice of requiring six digits of consumers’ SSNs violated South Carolina’s Financial Identity Fraud and Identity Theft Protection Act and South Carolina’s common-law right to privacy. TrustedID removed the case to federal court under the Class Action Fairness Act.
O’Leary then filed an amended complaint in the federal district court, re-asserting the same claims and adding one for negligence. The district court granted TrustedID’s motion to dismiss, holding that O’Leary had not plausibly stated a claim under the act or under common-law principles of privacy or negligence.
Article III constrains federal courts to hear only cases or controversies in which (1) a plaintiff “suffered an injury in fact that is concrete, particularized, and actual or imminent,” (2) “the injury was likely caused by the defendant,” and (3) “the injury would likely be redressed by judicial relief.” This case implicates the first requirement: whether O’Leary suffered a concrete injury in fact.
The intangible harm of enduring a statutory violation, standing alone, typically won’t suffice under Article III — unless there’s separate harm (or a materially increased risk of another harm) associated with the violation. There don’t appear to be cases interpreting the South Carolina Act under an Article III framework. But several analogous contexts provide guidance.
Cases involving the Fair and Accurate Credit Transactions Act, or FACTA, show that a FACTA digit-truncation violation isn’t a concrete injury unless it creates a nonspeculative risk of identity theft. Also illustrative are this court’s data-breach precedents, which hold that being subjected to a data breach isn’t in and of itself sufficient to establish Article III standing without a nonspeculative, increased risk of identity theft.
Here, O’Leary hasn’t alleged an Article III injury in fact. O’Leary hasn’t alleged — even in a speculative or conclusory fashion — that entering six digits of his SSN on TrustedID’s website has somehow raised his risk of identity theft. Simply put, O’Leary can’t connect the alleged statutory violation to an increased risk of identity theft without a Rube Goldberg-type chain reaction.
For example, crediting his allegation “on information and belief” that TrustedID shared his six SSN digits with Equifax, there would have to be another Equifax data breach, that breach would have to compromise O’Leary’s partial SSN and an identity thief would then have to misappropriate that information to harm O’Leary (presumably by first figuring out the rest of his SSN). That’s the kind of daisy chain of speculation that can’t pass muster under Article III.
O’Leary’s position that it would’ve been fine for TrustedID to require five digits of his SSN — but not six — is telling. He’s failed to explain how entering six digits increased his risk of identity theft (or otherwise concretely injured him) in a way that five digits wouldn’t. This omission betrays the fact that O’Leary relies entirely on a mere procedural violation of a statute, which Article III rejects.
Since O’Leary hasn’t pleaded a nonspeculative connection between the alleged statutory violation and identity theft, he appears to rely on some abstract privacy interest in his SSN itself. But such an injury bears no close relationship to a traditional or common-law analog. The court therefore vacates the district court’s judgment and remands with instructions to remand this case to state court, where it originated.
Vacated and remanded with instructions.
O’Leary v. TrustedID Inc., Case No. 21-2144, Feb. 21, 2023. 4th Cir. (Diaz), from DSC at Columbia (Lydon). David Andrew Maxfield for Appellant. Ashley Charles Parrish for Appellee. VLW 023-2-052. 12 pp.