Oneal v. First Tennessee Bank (TV1)
Filing
19
MEMORANDUM AND OPINION as set forth in following order. Signed by Chief District Judge Thomas A Varlan on 3/15/18. (ABF)
UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF TENNESSEE
RAYMOND ONEAL, individually and
on behalf of all other similarly situated,
Plaintiff,
v.
FIRST TENNESSEE BANK,
Defendant.
)
)
)
)
)
)
)
)
)
)
No.:
4:17-CV-3-TAV-SKL
MEMORANDUM OPINION
This civil action is before the Court on defendant’s Motion to Dismiss Plaintiff’s
First Amended Class Action Complaint [Doc. 15]. Defendant seeks the dismissal of this
action on three grounds: (1) under Federal Rule of Civil Procedure 12(b)(1), for plaintiff’s
alleged failure to plead standing under Article III of the Federal Constitution; (2) under
Rule 12(b)(5), for plaintiff’s alleged failure to properly serve defendant with process; and
(3) under Rule 12(b)(6), for plaintiff’s alleged failure to state a plausible claim upon which
the Court may grant relief [Doc. 16]. Plaintiff responded to this motion [Doc. 17], and
defendant replied [Doc. 18]. Defendant’s motion is therefore fully briefed and ready for
disposition. See E.D. Tenn. L.R. 7.1(a), 7.2. For the reasons explained below, the Court
will grant this motion and dismiss plaintiff’s suit without prejudice.
I.
Background
This case concerns an alleged violation of the federal Fair Credit Reporting Act, 15
U.S.C. §§ 1681–1681x (the “FCRA”). Plaintiff claims defendant negligently and willfully
accessed his Equifax credit report for a purpose not authorized by the FCRA [Doc. 14
¶¶ 82–83]. The Court will first provide limited background on the FCRA, before turning
to the particular factual and procedural history of this case.
A.
Statutory Background
In light of the Court’s later discussion of plaintiff’s standing to bring suit in federal
court, see infra Part III, the Court will first describe the pertinent history of the FCRA. The
stated purpose of this statute is “to require that consumer reporting agencies adopt
reasonable procedures for meeting the needs of commerce for consumer credit . . . in a
manner which is fair and equitable to the consumer, with regard to the confidentiality,
accuracy, relevancy, and proper utilization of such information.” § 1681(b). In enacting
the FCRA, Congress specifically found “a need to insure that consumer reporting agencies
exercise their grave responsibilities with fairness, impartiality, and a respect for the
consumer’s right to privacy.” § 1681(a)(4). Furthermore, the FCRA’s lead sponsor in the
Senate, William Proxmire, remarked at the time of enactment that consumers have “a right
to see that the information is kept confidential and is used for the purpose for which it is
collected,” as well as “a right to be free from unwarranted invasions of [their] personal
privacy.” Fair Credit Reporting: Hearings on S. 823 Before the Subcomm. on Financial
Institutions of the Comm. on Banking and Currency, 91st Cong. 2 (1969).
The FCRA was “[e]nacted long before the advent of the Internet”—specifically, in
1970—but has assumed an even greater significance in the modern era of Internet-based
credit reporting. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1545 (2016). This statute governs
2
the activity of entities that regularly disseminate “consumer reports”—i.e., “information
bearing on an individual’s ‘credit worthiness, credit standing, credit capacity, character,
general reputation, personal characteristics, or mode of living,’” in the context of specified
transactions such as “credit transactions, insurance, licensing, consumer-initiated business
transactions, and employment.” Id. (quoting 15 U.S.C. § 1681a(d)(1)). The FCRA
imposes on these entities “a host of requirements concerning the creation and use of
consumer reports,” three of which are particularly relevant here. Id.
First, the FCRA provides an exclusive list of purposes for which consumer reports
may be disseminated and prohibits any person1 from using or obtaining such information
for any other purpose. 15 U.S.C. § 1681b(a), (f). One permissible purpose is furnishing a
consumer report to a person who “intends to use the information in connection with a credit
transaction involving the consumer . . . and involving the extension of credit to, or review
or collection of an account of, the consumer.” § 1681(a)(1)(3)(A). Second, a consumer
may recover actual damages, litigation costs, and attorneys’ fees from any person who
negligently fails to comply with the FCRA’s requirements. Id. § 1681o(a). Third, in the
event of a “willful” violation, the FRCPA provides for recovery of the greater of actual
damages or statutory damages up to $1,000, along with punitive damages “as the court may
allow,” litigation costs, and attorneys’ fees. Id. § 1681n(a).
Today, the “standard measure of consumer credit risk in the United States” is an
individual’s FICO Score, a “three-digit number summarizing a consumer’s credit risk of
1
The statute defines “person” to include both individuals and business entities. § 1681a(b).
3
likelihood to repay a loan” [Doc. 14 ¶¶ 31–32]. The higher an individual’s FICO Score,
the lower her estimated credit risk and likelihood of default [Id. ¶ 33]. An individual’s
FICO Score is based primarily on the consumer report databases maintained by the three
largest American credit reporting agencies—Equifax, TransUnion, and Experian [Id.
¶¶ 36–37]. Furthermore, an individual’s FICO Score is calculated using five factors, each
weighted differently: (1) payment history, accounting for 35% of the FICO Score;
(2) amount of debt, accounting for 30%; (3) length of credit history, accounting for 15%;
(4) new credit information, accounting for 10%; and (5) credit mix, accounting for 10%
[Id. ¶ 41]. Credit inquiries from potential lenders and others fall under the fourth factor
and come in two varieties: “soft pulls,” or inquiries that do not affect an individual’s FICO
Score and that cannot be seen by other lenders, and “hard pulls,” or requests for copies of
an individual’s credit report that may affect her FICO Score. Banga v. First USA, NA, 29
F. Supp. 3d 1270, 1274 n.2 (N.D. Cal. 2014); Middleton v. CCB Credit Servs., Inc., 2:12cv-2012, 2014 WL 3513386, at *2 (D. Nev. July 14, 2014).
B.
Factual History
The relevant facts here are not in dispute.2 Plaintiff is a resident of Clark County,
Nevada, while defendant is a bank headquartered in Memphis, Tennessee [Doc. 14 ¶¶ 17–
18]. The parties agree that, sometime before 2008, plaintiff incurred financial obligations
to defendant [Id. ¶ 47; Doc. 16 p. 2]. Then, in September 2008, plaintiff filed for Chapter
2
And, as discussed further in Part II, infra, the Court takes the material allegations of
plaintiff’s amended complaint as true for purposes of deciding defendant’s Rule 12(b)(1) motion.
4
13 bankruptcy in the United States Bankruptcy Court for the District of Nevada [Doc. 14
¶ 48]. During those proceedings, defendant did not seek to have its indebtedness declared
nondischargeable under 11 U.S.C. § 523; nor did defendant seek relief from the automatic
stay provided for in 11 U.S.C. § 362 [Id. ¶¶ 50–51]. Plaintiff received a discharge in his
bankruptcy case on May 6, 2015 [Id. ¶ 49]. The parties seem to agree that this resulted in
a discharge of plaintiff’s debt to defendant [Id. ¶ 52; see Doc. 16 p. 2].
Plaintiff alleges that, on February 15, 2016, he reviewed his Equifax credit report
and discovered an unauthorized inquiry by defendant [Doc. 14 ¶ 53]. According to the
report, defendant accessed plaintiff’s Equifax credit report on November 30, 2015, for
“Account Review” purposes [Id. ¶¶ 53–54]. Plaintiff asserts that, on that date, he did not
have any account, debt, or other financial relationship with defendant, all his business with
defendant having ended with the bankruptcy discharge [Id. ¶¶ 56–57]. Plaintiff thus alleges
that this inquiry constituted impermissible use of or access to a consumer report under the
FCRA [Id. ¶¶ 58–59 (citing § 1681b)]. Plaintiff further claims that defendant’s conduct
was willful under § 1681n, because defendant “was aware of the FCRA’s prohibitions on
impermissibly pulling consumers’ credit reports” [Id. ¶ 61].
Plaintiff alleges that he suffered an invasion of his legally protected privacy interests
because of defendant’s credit report inquiry, as well as corresponding mental and emotional
distress [Id. ¶¶ 62–64]. Plaintiff further asserts that defendant’s conduct increased the risk
that he will “be injured if there is a data breach on [d]efendant’s computer systems,” as a
result of defendant “acquiring additional highly sensitive information about [p]laintiff . . .
5
and saving that information on its computer systems” [Id. ¶ 66]. Plaintiff notes that such
breaches “are increasingly common, and financial institutions like [d]efendant are frequent
targets of cybercriminals” [Id. (citations omitted)].
C.
Procedural History
On January 18, 2017, plaintiff filed a class action complaint against defendant,
seeking class certification, actual and FCRA statutory damages, declaratory and injunctive
relief, litigation costs, and attorneys’ fees [Doc. 1]. In lieu of filing an answer, defendant
filed a first motion to dismiss under Rules 12(b)(1), 12(b)(5), and 12(b)(6) [Docs. 12–13].
Then, on April 21, Plaintiff filed an amended complaint, as permitted by Rule 15(a)(1)(B)
[Doc. 14]. Plaintiff’s amended complaint does not add any new claims or parties, but does
provide further background on the FCRA and the credit reporting industry, as well as an
additional proposed class [Doc. 14]. As amended, plaintiff’s complaint proposes the
following two class definitions:
All persons whose consumer credit report from any of the three major credit
reporting agencies (Transunion, Equifax, and Experian) reflects an
unauthorized consumer credit report inquiry by Defendant after a bankruptcy
discharge within the past 2 years (“Class One”).
All persons whose consumer credit report from any of the three major credit
reporting agencies (Transunion, Equifax, and Experian) reflects an
unauthorized consumer credit report inquiry by Defendant after a bankruptcy
discharge within the past 5 years (“Class Two”).
[Id. ¶ 69].
In response, defendant filed a second motion to dismiss on May 3, arguing that the
amended complaint fails to resolve the deficiencies of the original complaint [Doc. 15 ¶ 1].
6
Plaintiff then filed a response to this motion [Doc. 17], to which defendant replied [Doc.
18]. The Court further notes that defendant’s second motion to dismiss is substantively
identical to the first [See Docs. 12–13, 15–16]. Thus, the Court will deny the first motion
as moot and will proceed to consider the merits of the second motion.
II.
Standard of Review
Although defendant moves for dismissal under Federal Rules of Civil Procedure
12(b)(1), 12(b)(5), and 12(b)(6), as explained in Part III below, the Court need only address
the first of these three grounds—lack of subject-matter jurisdiction.
“Federal courts are courts of limited jurisdiction.” Kokkonen v. Guardian Life Ins.
Co. of Am., 511 U.S. 375, 377 (1994). In other words, federal courts “have only the power
that is authorized by Article III of the Constitution and the statutes enacted by Congress
pursuant thereto.” Bender v. Williamsport Area Sch. Dist., 475 U.S. 534, 541 (1986). As
such, subject-matter jurisdiction is a threshold issue that the Court must address and resolve
prior to reaching the merits of the case. Steel Co. v. Citizens for a Better Env’t, 523 U.S.
83, 94–95 (1998); see also Fed. R. Civ. P. 12(h)(3) (providing that, “[i]f the court
determines at any time that it lacks subject-matter jurisdiction, the court must dismiss the
action”). Unlike a motion to dismiss for failure to state a claim under Rule 12(b)(6), “where
subject matter jurisdiction is challenged under Rule 12(b)(1)[,] . . . the plaintiff has the
burden of proving jurisdiction in order to survive the motion.” RMI Titanium Co. v.
Westinghouse Elec. Corp., 78 F.3d 1125, 1134 (6th Cir. 1996) (quoting Rogers v. Stratton
Indus., 798 F.2d 913, 915 (6th Cir. 1986)).
7
Rule 12(b)(1) motions fall into two categories: “facial attacks and factual attacks.”
United States v. Ritchie, 15 F.3d 592, 598 (6th Cir. 1994). “A facial attack is a challenge
to the sufficiency of the pleading itself.” Id. In considering whether jurisdiction has been
established on the face of the pleading, “the court must take the material allegations of the
[pleading] as true and construed in the light most favorable to the nonmoving party.” Id.
(citing Scheuer v. Rhodes, 416 U.S. 232, 235–37 (1974)). “A factual attack, on the other
hand, is not a challenge to the sufficiency of the pleading’s allegations, but a challenge to
the factual existence of subject matter jurisdiction.” Id. In considering whether jurisdiction
has been proved as a matter of fact, “a trial court has wide discretion to allow affidavits,
documents, and even a limited evidentiary hearing to resolve disputed jurisdictional facts.”
Ohio Nat’l Life Ins. Co. v. United States, 922 F.2d 320, 325 (6th Cir. 1990). In evaluating
a factual attack, “no presumptive truthfulness applies to the factual allegations, and the
court is free to weigh the evidence and satisfy itself as to the existence of its power to hear
the case.” Ritchie, 15 F.3d at 598 (internal citation omitted).
Here, the parties do not expressly address whether defendant’s Rule 12(b)(1) motion
is a facial or factual attack on subject-matter jurisdiction. Plaintiff, however, seems to
assume the former [See Doc. 17 pp. 13–14]. The Court agrees with this assessment, as
defendant’s stated argument for dismissal under Rule 12(b)(1) is that “[p]laintiff has failed
to plead standing as required by Article III of the U.S. Constitution” [Doc. 15 ¶ 2 (emphasis
added)]. The Court will thus analyze defendant’s motion as a facial attack and will construe
the facts underling this dispute in the light most favorable to plaintiff.
8
III.
Analysis
Defendant moves for dismissal of this action of three grounds—lack of subject-
matter jurisdiction under Rule 12(b)(1), insufficient service of process under Rule 12(b)(5),
and failure to state a claim under Rule 12(b)(6). As explained further below, however, the
Court concludes that it lacks subject-matter jurisdiction over this action because plaintiff
has failed to sufficiently plead Article III standing. Therefore, the Court need not consider
defendant’s alternative grounds for dismissal under Rules 12(b)(5) and (b)(6). The Court
will first outline the constitutional requirements for standing to sue in federal court, before
considering plaintiff’s two asserted injuries in light of those standards.
A.
Standing Requirements
Article III of the Federal Constitution extends the federal judicial power to only a
limited set of “cases” and “controversies.” U.S. Const. art. III, § 2. As such, “those who
seek to invoke the jurisdiction of the federal courts must satisfy the threshold requirement
. . . [of] alleging an actual case or controversy.” City of Los Angeles v. Lyons, 461 U.S. 95,
101 (1983). One aspect of this justiciability question is standing—i.e., whether the parties
have “such a personal stake in the outcome of the controversy as to assure that concrete
adverseness which sharpens the presentation of issues.” Baker v. Carr, 369 U.S. 186, 204
(1962). The plaintiff bears the burden of proving her standing to bring suit in federal court.
Summers v. Earth Island Inst., 555 U.S. 488, 493 (2009). Furthermore, the Supreme Court
has clarified that “the irreducible constitutional minimum of standing contains three
elements.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). The plaintiff must have
9
suffered “[1] an injury in fact, [2] fairly traceable to the defendant’s conduct, [3] that is
likely to be redressed by a favorable decision from the court.” Fair Elections Ohio v.
Husted, 770 F.3d 456, 460 (6th Cir. 2014). While the plaintiff must prove these elements
by a preponderance of the evidence, at the pleading stage, “general factual allegations of
injury resulting from the defendant’s conduct may suffice.” Lujan, 504 U.S. at 561; see
also Lujan v. Nat’l Wildlife Fed’n, 497 U.S. 871, 889 (1990) (noting that, in deciding a
Rule 12(b)(1) motion based on standing, the court must “presume[] that general allegations
embrace those specific facts that are necessary to support the claim”).
At issue here is the first prong of the standing test, injury in fact.3 To establish injury
in fact, the plaintiff must show “an invasion of a legally protected interest [that] is (a)
concrete and particularized and (b) actual or imminent, not conjectural or hypothetical.”
Phillips v. DeWine, 841 F.3d 405, 414 (6th Cir. 2016) (alteration in original) (internal
quotation marks omitted) (quoting Lujan, 504 U.S. at 560). The Supreme Court has made
clear that these three components—particularization, concreteness, and imminence—are
distinct and indispensable requirements. Spokeo, 136 S. Ct. at 1548. First, “[a] ‘concrete’
injury must be ‘de facto’; that is, it must actually exist.” Id. (quoting Black’s Law
Dictionary (9th ed. 2009)). “Abstract injury is not enough,” O’Shea v. Littleton, 414 U.S.
488, 494 (1974), though “intangible harms such as those produced by defamation or the
denial of individual rights may certainly [suffice],” Crawford v. U.S. Dep’t of Treasury,
3
The parties do not address the causation and redressability prongs, and thus the Court
assumes for purposes of this opinion that those requirements are satisfied.
10
868 F.3d 438, 453 (6th Cir. 2017). Second, particularization requires “that the plaintiff
‘personally . . . suffered some actual or threatened injury[,]’ as opposed to bringing a
generalized grievance.” Id. (quoting Valley Forge Christian Coll. v. Ams. United for
Separation of Church & State, Inc., 454 U.S. 464, 472 (1982)). Third, even if the alleged
injury has not yet occurred, “[a] party facing prospective injury has standing to sue where
the threatened injury is real, immediate, and direct.” Davis v. FEC, 554 U.S. 724, 734
(2008). This generally requires a showing that the injury is “certainly impending” and “not
too speculative for Article III purposes.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409
(2013) (emphasis omitted) (quoting Lujan, 504 U.S. at 565 n.2).4
Of particular relevance here is the Supreme Court’s recent decision in Spokeo v.
Robins, 136 S. Ct. 1540 (2016). The defendant in Spokeo operated a website that allowed
users to search for information on other individuals. Id. at 1546. In response to a search
by an unknown user, the website produced a profile for the plaintiff containing inaccurate
information. Id. The plaintiff then filed a class action complaint alleging that the defendant
willfully violated various FCRA provisions in producing this report. Id. The district court
dismissed the case for lack of standing, but the Ninth Circuit reversed, holding that “the
4
Some uncertainty remains as to whether prospective injury must always be “certainly
impending,” or whether a lesser probability of injury may suffice in certain cases. See Clapper,
568 U.S. at 414 n.5 (leaving that issue unresolved); id. at 432–33 (Breyer, J., dissenting) (arguing
that imminence “is a somewhat elastic concept” and noting that the Court has used various
phrases—including “substantial risk” and “reasonable probability”—in its standing cases (quoting
Lujan, 504 U.S. at 565 n.2)); see also Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 388
(6th Cir. 2016) (recognizing this unresolved ambiguity). Nonetheless, the Court’s application of
the imminence requirement to plaintiff’s alleged data breach injury, see infra Section III.C, would
remain the same under any level of probability the Supreme Court has permitted.
11
violation of a statutory right is usually a sufficient injury in fact to confer standing.” Robins
v. Spokeo, Inc., 742 F.3d 409, 412, 415 (9th Cir. 2014), rev’d, 136 S. Ct. 1540 (2016).
Because the plaintiff had alleged a violation of “his statutory rights, not just the statutory
rights of other people,” the court found that the plaintiff had pleaded a sufficiently
particularized injury to show Article III standing. Id. at 413. The Supreme Court reversed
and remanded, holding that the Ninth Circuit had failed to adequately address concreteness
as a requirement distinct from particularization. 136 S. Ct. at 1548–50.
The Supreme Court provided some limited guidance in the process. The Supreme
Court first made clear that intangible injuries may be sufficiently concrete in some cases.
Id. at 1549. “[B]oth history and the judgment of Congress play important roles” in this
inquiry. Id. As for the former, “a close relationship to a harm that has traditionally been
regarded as providing a basis for a lawsuit in English or American courts” can help show
concreteness. Id. As for the latter, “because Congress is well positioned to identify
intangible harms that meet minimum Article III requirements, . . . . [it] may ‘elevat[e] to
the status of legally cognizable injuries concrete, de facto injuries that were previously
inadequate in law.’” Id. (second alteration in original) (quoting Lujan, 504 U.S. at 578).
But that does not mean standing is present “whenever a statute grants a person a
statutory right and purports to authorize that person to sue to vindicate [it].” Id. “[A] bare
procedural violation, divorced from any concrete harm,” will not suffice. Id. In the FCRA
context, the Court suggested that failing to provide a required notice or producing a wrong
ZIP code may not “present any material risk of harm.” Id. at 1550. On the other hand,
12
procedural violations may at times be sufficiently concrete, and “a plaintiff in such a case
need not allege any additional harm beyond the one Congress has identified.” Id. at 1549
(citing, inter alia, FEC v. Akins, 524 U.S. 11, 21 (1998) (holding that voters’ inability to
obtain information Congress decided to make public was sufficient injury)).5 However, as
the various decisions discussed in the next sections of this opinion make clear, the line
between sufficient and insufficient procedural injury remains elusive.
The Court will now apply these principles to the two forms of injury plaintiff has
alleged in this case—an invasion of his legally protected privacy interests and an increased
risk of exposure of his personal information via a data breach.
B.
Invasion of Privacy
First, plaintiff alleges that he suffered an invasion of his legally protected privacy
interests—along with attending mental and emotional distress—from defendant’s soft-pull
inquiry [Doc. 17 pp. 15–21]. Defendant denies that such an alleged injury is sufficient for
Article III standing [Doc. 16 pp. 3–10; Doc. 18 pp. 2–7]. For the reasons explained below,
the Court agrees with defendant that this alleged injury is insufficiently concrete.
Plaintiff first argues that invasion of privacy is a sufficiently particularized injury,
as he has claimed he “was personally harmed and offended that his personal information
and privacy had been invaded” [Doc. 17 p. 19]. Defendant does not address this prong of
5
On remand, the Ninth Circuit concluded that the plaintiff had alleged a sufficiently
concrete injury in light of this guidance. Robins v. Spokeo, Inc., 867 F.3d 1108, 1119 (9th Cir.
2017), cert. denied, 86 U.S.L.W. 3366 (2018). The Court does not discuss this decision further
because the FCRA violations alleged in Spokeo are less factually analogous to this case than those
in the decisions discussed in Sections III.B and III.C below.
13
the injury-in-fact requirement. Thus, the Court assumes for purposes of this opinion that
plaintiff’s first asserted injury meets the particularization requirement.
Next, as for concreteness, plaintiff first asserts that a claim based on unlawful access
to a consumer report is a “classic invasion of privacy claim[]” with a close relationship to
several common law torts, including intrusion upon seclusion and public disclosure of
private facts [Doc. 17 p. 16 (citing Restatement (Second) of Torts §§ 652A–652G (Am.
Law Inst. 1977))]. Plaintiff notes that courts have applied the latter tort to the publication
of debtors’ names and personal information. See, e.g., Trammell v. Citizens News Co., 148
S.W.2d 708, 708–09 (Ky. 1941) (notice published in newspaper); Brents v. Morgan, 299
S.W. 967, 968 (Ky. Ct. App. 1927) (notice posted in store window); Mason v. Williams
Disc. Ctr., Inc., 639 S.W.2d 836, 837 (Mo. Ct. App. 1982) (plaintiffs’ names posted in
store under the words “no checks” in large print).
Additionally, plaintiff asserts that multiple courts have applied the tort of intrusion
upon seclusion to the unlawful access of personal information. See, e.g., Bray v. Cadle
Co., No. 4:09-cv-663, 2010 WL 4053794, at *16 (S.D. Tex. Oct. 14, 2010) (examining
bank records); Kausch v. Wilmore, No. SACV-07-817-AG, 2009 WL 481346, at *4 (C.D.
Cal. Feb. 24, 2009) (accessing credit report); Capitol Records, Inc. v. Weed, No. 2:06-cv1124, 2008 WL 1820667, at *6 (D. Ariz. Apr. 22, 2008) (copying files from personal
computer); Rodgers v. McCullough, 296 F. Supp. 2d 895, 904 (W.D. Tenn. 2003)
(accessing credit report); Smith v. Bob Smith Chevrolet, Inc., 275 F. Supp. 2d 808, 821–22
(W.D. Ky. 2003) (accessing credit report). Thus, plaintiff asserts that the harm he alleges
14
“raises a traditional basis for a lawsuit” [Doc. 17 pp. 17–18 (citing Restatement (Second)
of Torts § 652A(1) (“One who invades the right of privacy of another is subject to liability
for the resulting harm . . . .”))]. According to plaintiff, “[t]he FCRA built on this traditional
right” by attempting to protect consumers’ credit information [Id. at 20].
As for the role of Congress, plaintiff argues that protecting consumer privacy was
Congress’s overriding goal in enacting the FCRA. See 15 U.S.C. § 1681(a)(4) (recognizing
the need to protect “the consumer’s right to privacy”); TRW Inc. v. Andrews, 534 U.S. 19,
23 (2001) (noting that Congress adopted the FCRA “to promote efficiency in the Nation’s
banking system and to protect consumer privacy”). According to plaintiff, Congress “was
so concerned with protecting consumers’ privacy against impermissible pulls” that the
FCRA provides for actual, statutory, and punitive damages, attorneys’ fees, and even
criminal penalties [Doc. 17 p. 18 (citing 15 U.S.C. §§ 1681n, 1681q)]. Plaintiff notes that,
in exercising its power to define new substantive rights, Congress must at a minimum
“identify the injury it seeks to vindicate and relate the injury to the class of persons entitled
to bring suit.” Lujan, 504 U.S. at 580 (Kennedy, J., concurring). Plaintiff asserts that
Congress did so in the FCRA by expressly seeking to protect the privacy interests of
consumers in their credit information. Thus, plaintiff asserts that both history and the
judgment of Congress counsel in favor of a finding of concreteness.
Correspondingly, plaintiff submits that many courts have found standing under
similar circumstances. See, e.g., Burke v. Fed. Nat’l Mortg. Ass’n, No. 3:16-cv-153, 2016
WL 4249496, at *4 (E.D. Va. Aug. 9, 2016) (finding standing based on an unauthorized
15
credit inquiry that allegedly exposed the plaintiff to an increased risk of identity theft or
data breach), vacated, 2016 WL 7451624 (E.D. Va. Dec. 6, 2016); Firneno v. Radner Law
Grp., 2:13-cv-10135, 2016 WL 5899762, at *4 (E.D. Mich. Sept. 28, 2016) (relying on
Burke to hold that the viewing and retention of the plaintiffs’ financial information caused
concrete injury); Perrill v. Equifax Info. Servs., LLC, 205 F. Supp. 3d 869, 873–75 (W.D.
Tex. Aug. 31, 2016) (finding standing where the defendant credit bureau disclosed the
plaintiff’s credit reports to a third party—a government agency—without authorization);
cf. Lavigne v. First Cmty. Bancshares, Inc., 215 F. Supp. 3d 1138, 1147–48 (D.N.M. 2016)
(holding that receiving unwanted automated telephone calls in violation of the Telephone
Consumer Protection Act constituted a sufficiently concrete injury).6
Defendant responds that plaintiff has failed to identify any concrete injury. First,
defendant notes that plaintiff seems to acknowledge that soft-pull credit inquiries “have no
effect—negative or otherwise—on a consumer’s creditworthiness or ‘credit score’ and are
never visible to lenders” [Doc. 16 p. 5]. Thus, defendant observes, plaintiff never alleges
that the soft pull here had any impact on his FICO Score. Furthermore, defendant argues
that “[t]he post-Spokeo cases from around the country have uniformly found that, absent
disclosure to a third party or an identifiable harm from the statutory violation, there is no
privacy violation” from an improper credit pull. Bultemeyer v. CenturyLink, Inc., No. CV-
6
While the Sixth Circuit’s recent decision in Galaria v. Nationwide Mutual Insurance Co.,
663 F. App’x 384 (6th Cir. 2016), also bears on this issue, that case fits more neatly into the
category of data breach cases discussed below in Section III.C. Thus, the Court defers discussion
of Galaria until it addresses plaintiff’s alleged risk of a data breach.
16
14-02530, 2017 WL 634516, at *4 (D. Ariz. Feb. 15, 2017); see also Smith v. Ohio State
Univ., 191 F. Supp. 3d 750, 757 (S.D. Ohio 2016) (finding that invasions of privacy
resulting from procedural violations of FCRA disclosure and authorization requirements
did not constitute “concrete consequential damage” under Spokeo).
Defendant relies primarily on several recent decisions finding that the bare assertion
of an invasion of privacy is insufficient for Article III standing. First, in Bultemeyer, the
plaintiff alleged (as in this case) that the defendant accessed her credit report without a
permissible purpose under the FCRA. 2017 WL 634516, at *1. Also like in this case, the
plaintiff did not allege that this soft pull affected her credit score, nor that the defendant
disseminated this information to a third party. Id. at *2. Rather, she alleged only that the
defendant “violated a substantive privacy right.” Id. The District of Arizona held that this
did not constitute injury in fact, finding that the plaintiff had asserted nothing more than “a
bare procedural violation[,] without identifying any concrete harm”—exactly what the
Supreme Court in Spokeo had deemed inadequate. Id. at *4.
Defendant also cites Braitberg v. Charter Communications, Inc., where the plaintiff
alleged that the defendant had retained his personal information long after he canceled his
account, in violation of the Cable Communications Policy Act. 836 F.3d 925, 927 (8th Cir.
2016). Relying on Spokeo, the Eight Circuit held that the plaintiff failed to plead injury in
fact because he had “identifie[d] no material risk of harm from the retention [of data].” Id.
at 930. The plaintiff had not alleged that his information was ever disclosed to or accessed
by an outside party, and “a speculative or hypothetical risk [of such harm] is insufficient.”
17
Id. Furthermore, while acknowledging the “common law tradition of lawsuits for invasion
of privacy,” the court observed that “the retention of information lawfully obtained,
without further disclosure, traditionally has not provided the basis for a lawsuit in
American courts.” Id. (citing Restatement (Second) of Torts § 652A).
The Seventh Circuit came to the same conclusion in Gubala v. Time Warner Cable,
Inc., finding that a cable company’s failure to destroy a former customer’s information did
not constitute a concrete injury. 846 F.3d 909, 910–11 (7th Cir. 2017). The plaintiff had
not alleged any disclosure, use, or access of this information; rather, he merely claimed
that “the violation of [the statute] has made him feel aggrieved.” Id. at 911. The court
rejected the plaintiff’s argument that this amounted to an invasion of his substantive
privacy rights, rather than a mere procedural violation. While “[v]iolations of rights of
privacy are actionable,” here, there was “no indication of any violation of the plaintiff’s
privacy because there [was] no indication that Time Warner [had] released, or allowed
anyone to disseminate, any of the plaintiff’s personal information in the company’s
possession.” Id. at 912. Neither the technical violation of the statute, nor the mere risk of
such disclosure, could satisfy the injury-in-fact prong of standing. Id.
Defendant also asserts that these outcomes are consistent with pre-Spokeo federal
court decisions holding that the mere access, retention, or loss of data, without more, does
not rise to the level of concrete injury. See, e.g., Phillips v. Grendahl, 312 F.3d 357, 373
(8th Cir. 2002) (“The use of improper methods to obtain information, such as a request that
violates the [FCRA], does not necessarily make the acquisition of information highly
18
offensive [as required by an intrusion upon seclusion claim], if the information could just
as well have been obtained by proper means.”), abrogated on other grounds by Safeco Ins.
Co. of Am. v. Burr., 551 U.S. 47 (2007); Saumweber v. Green Tree Servicing, LLC, No.
13-cv-03628, 2015 WL 2381131, at *8 (D. Minn. May 19, 2015) (same); In re Zappos.com,
Inc., 104 F. Supp. 3d 949, 962 n.5 (D. Nev. 2015) (rejecting loss of privacy as a basis for
standing because the plaintiffs “failed to show how that loss amounts to a concrete and
particularized injury”); In re Science Apps. Int’l Corp. Backup Tape Data Theft Litig., 45
F. Supp. 3d 14, 19 (D.D.C. 2014) (“[T]he mere loss of data—without evidence that it has
been either viewed or misused—does not constitute [injury in fact].”); Eaton v. Cent.
Portfolio Control, No. 14-747, 2014 WL 6982807, at *3 (D. Minn. Dec. 9, 2014) (noting
that merely accessing a credit report does not give rise to an intrusion claim).
As for plaintiff’s comparison of his suit to the common law privacy torts, defendant
responds first that, with the exception of intrusion upon seclusion, these causes of action
all require some public dissemination of private information. See Restatement (Second) of
Torts §§ 652C–652E. But nothing of the sort occurred here. Thus, the public disclosure
cases plaintiff cites—Trammell, Brents, and Mason—are inapposite. Second, defendant
argues that a plaintiff who brings a privacy-related cause of action must still plead actual
harm from the alleged invasion of privacy, which plaintiff has not done here. Third,
defendant asserts that one essential element of an intrusion upon seclusion claim is proof
that “the intrusion would be highly offensive to a reasonable person.” Restatement
(Second) of Torts § 652B. According to defendant, plaintiff has failed to plead any facts
19
to support a finding that the soft pull here would meet this standard. Thus, defendant asserts
that the intrusion cases cited by plaintiff do not support his position because those cases
featured plausible allegations of highly offensive conduct. See, e.g., Rodgers, 296 F. Supp.
2d at 898 (the defendant attorney obtained the plaintiff’s credit report to use against her in
a child custody hearing); Bray, 2010 WL 4053794, at *16 (the defendant hired search firms
to obtain the plaintiff’s bank information and hired private investigators to “surveil, harass,
and stalk [the p]laintiff at and near his home”).7 And, as noted above, courts have generally
found that simply accessing another’s credit report without permission is not highly
offensive to a reasonable person. See Grendahl, 312 F.3d at 373.
Defendant further argues that the recent decisions cited by plaintiff as factually
analogous to this case do not actually support a finding of standing here. First, while the
factual allegations and legal arguments in Burke were quite similar to this case, the Eastern
District of Virginia later vacated that decision based on the parties’ agreement that subjectmatter jurisdiction was lacking. 2016 WL 7451624, at *1. Next, defendant notes that
Firneno both relied heavily on the now-vacated opinion in Burke and featured far more
concrete allegations of injury. 2016 WL 5899762, at *4. Specifically, the defendants were
alleged to have “illegally obtained private financial data, used it to identify financially
distressed consumers, and solicited the plaintiffs via targeted mailers in violation of the
[FCRA],” id. at *1—much like the automated telephone calls in Lavigne, 215 F. Supp. 3d
7
In addition, defendant notes that the plaintiffs in these cases alleged actual injury: Ms.
Rodgers lost custody of her child, 296 F. Supp. 2d at 903, and $25,836 of Mr. Bray’s bank account
funds were seized, 2010 WL 4053794, at *1.
20
at 1140. The quality and quantity of confidential information accessed in Firneno was also
more extensive than in this case, consisting of “credit and FICO scores, the amount of debt,
and addresses and the last four digits of the social security numbers of thousands of
consumers.” 2016 WL 5899762, at *4.
Finally, defendant argues that, in light of the insufficiency of plaintiff’s invasionof-privacy injury, his alleged mental and emotional distress cannot serve as a freestanding
basis for Article III standing. Defendant notes in particular that “[a]llegations of mental
and emotional distress seem far-fetched” because plaintiff has already “made his financial
records public in a bankruptcy proceeding” [Do. 16 p. 10]. In response, plaintiff argues
that “actual damages [for an FCRA violation] can include recovery for emotional distress”
[Doc. 17 p. 10 (quoting Banga v. Chevron U.S.A. Inc., No. C-11-1498, 2013 WL 71772, at
*11 (N.D. Cal. Jan. 7, 2013))]. Outside of a single, conclusory sentence in the complaint,
however, plaintiff provides no content or context for his allegation of psychic harm [See
Doc. 14 ¶ 64 (“Defendant’s behavior caused Plaintiff to suffer mental and emotional
distress as a result of Defendant’s invasion of Plaintiff’s privacy.”)].
After carefully considering the parties’ arguments on this issue, the Court finds that
an alleged invasion of privacy resulting from an improper credit inquiry, without more,
does not constitute a concrete injury in fact. With the exception of his alleged mental and
emotional distress, which the Court will address shortly, plaintiff has alleged nothing more
than “a bare procedural violation, divorced from any concrete harm.” Spokeo, 136 S. Ct.
at 1549. In other words, the amended complaint simply alleges a violation of § 1681b and
21
then attaches the words “invasion of privacy” to that claim. But the invocation of plaintiff’s
privacy interests does not alter the underlying substance of the claim to relief he is pressing
in this case. Absent an allegation that defendant used or disseminated his credit report in
any harmful way—or otherwise exposed this information to a substantial risk of access by
others, see infra Section III.C—plaintiff has alleged an injury that is merely “abstract,”
rather than “de facto.” Spokeo, 136 S. Ct. at 1548.
The Court finds further support for this conclusion in the two spheres in which
Spokeo instructs courts to look for guidance. See id. at 1549. First, contrary to his claim
that unlawfully accessing a consumer report is a “classic invasion of privacy claim[]” [Doc.
17 p. 16], the Court finds that the common law tort tradition does not support a finding of
concreteness here. Plaintiff’s bare assertion of an invasion of privacy would not “provid[e]
a basis for a lawsuit in English or American courts” under any of the four privacy torts that
courts have come to recognize over the past century. Spokeo, 136 S. Ct. at 1549. This is
because, as discussed above, plaintiff has alleged neither public dissemination of his credit
information nor conduct highly offensive to a reasonable person—one of which is always
an essential element of a cause of action for invasion of privacy. See Restatement (Second)
of Torts §§ 652A–652E. And plaintiff does not point to any other common law cause of
action that would permit recovery for the injury he alleges here. Thus, the Court agrees
with defendant that the public disclosure and intrusion upon seclusion cases plaintiff cites
are distinguishable. The public dissemination of private information—e.g., Trammell, 148
S.W.2d at 708–09; Brents, 299 S.W. at 968; Mason, 639 S.W.2d at 837—and the outrage
22
that accompanies conduct highly offensive to a reasonable person—e.g., Bray, 2010 WL
4053794, at *16; Rodgers, 296 F. Supp. 2d at 904—are intangible injuries of a far more
concrete character than a soft pull of a credit report.
Second, although one of Congress’s central concerns in enacting the FCRA was
consumer privacy, the end goal was to ensure “the confidentiality, accuracy, relevancy, and
proper utilization” of credit information—not to protect privacy as an abstract, intellectual
concept. § 1681(b); see also Jones v. Federated Fin. Res. Corp., 144 F.3d 961, 965 (6th
Cir. 1998) (“[T]he FCRA is aimed at protecting consumers from inaccurate information in
consumer reports and at the establishment of credit reporting procedures that utilize correct,
relevant, and up-to-date information in a confidential and responsible manner.”). But, in
any event, Congress’s authority to invent new forms of substantive injury is limited by the
case-or-controversy requirement of Article III—a requirement aimed at “assur[ing] that
concrete adverseness which sharpens the presentation of issues.” Baker, 369 U.S. at 204.
Thus, not all statutory violations for which Congress might elect to provide a remedy can
satisfy Article III. For example, while the FCRA requires consumer reporting agencies to
“follow reasonable procedures to assure maximum possible accuracy of the information,”
15 U.S.C. § 1681e(b), the Supreme Court in Spokeo noted that “[i]t is difficult to imagine
how the dissemination of an incorrect zip code, without more, could work any concrete
harm,” 136 S. Ct. at 1550. Here, plaintiff’s alleged injury is no more concrete—it is a mere
procedural violation, restyled as a substantive harm.
23
In addition, the Court agrees with defendant that the cases cited by plaintiff as
factually analogous to this case are distinguishable. Perrill featured the disclosure of a
credit report to a third party—a government agency holding taxing power over the plaintiff.
205 F. Supp. 3d at 871. Further, the defendants in Firneno and Lavigne used the private
information they accessed to directly solicit the consumers affected, through targeted
mailing lists and automated telephone calls, respectively. Firneno, 2016 WL 5899762, at
*1; Lavigne, 215 F. Supp. 3d at 1140. These alleged injuries are all far more substantial—
even if intangible—than the amorphous notion of an “invasion of privacy,” standing alone.
And, while Burke dealt with the same type of harm alleged here, 2016 WL 4249496, at *1,
that decision is not binding on this Court and was vacated after the parties agreed that
standing was lacking, 2016 WL 7451624, at *1. In any event, the Court finds the holding
in Burke—i.e., that any violation of the FCRA styled as an invasion of privacy would
constitute injury in fact—to be plainly inconsistent with the guidance set forth in Spokeo.
See 136 S. Ct. at 1550 (positing situations where technical violations of the FCRA would
be insufficiently concrete to confer Article III standing).
In sum, the Court agrees with the majority of courts to address the question at hand
following the Spokeo decision: “[A]bsent disclosure to a third party or an identifiable harm
from the statutory violation,” no actionable invasion of privacy results from a technical
violation of the FCRA. Bultemeyer, 2017 WL 634516, at *4; accord Gubala, 846 F.3d at
910–11; Braitberg, 836 F.3d at 930; Smith, 191 F. Supp. 3d at 757. Moreover, plaintiff’s
additional allegation of psychic harm does not shift the balance. When reviewing a facial
24
attack on subject-matter jurisdiction, the court must accept the factual allegations of the
plaintiff’s complaint as true. O’Bryan v. Holy See, 556 F.3d 361, 376 (6th Cir. 2009). At
the same time, however, “conclusory allegations or legal conclusions masquerading as
factual conclusions will not suffice.” Id. (quoting Mezibov v. Allen, 411 F.3d 712, 716 (6th
Cir. 2005)). The one-sentence reference to mental and emotional distress in the amended
complaint is the very definition of a legal conclusion masquerading as a factual allegation
[See Doc. 14 ¶ 64]. Therefore, this allegation is insufficient to carry plaintiff’s burden of
proving Article III standing. Lujan, 504 U.S. at 561.
C.
Risk of Data Breach
Second, plaintiff alleges that defendant’s soft-pull inquiry has exposed him to an
increased risk of a data breach and a resulting exposure of his personal information to third
parties [Doc. 17 pp. 21–26]. Defendant denies that such an alleged injury is sufficient for
Article III standing [Doc. 16 pp. 8–10; Doc. 18 pp. 7–12]. For the reasons explained below,
the Court agrees with defendant that this alleged injury is insufficiently concrete.
Plaintiff asserts that defendant’s impermissible soft pull of his credit report has
“created a particularized and concrete risk of harm [from] a data breach of his personal
information” [Doc. 17 p. 22]. Plaintiff notes that he has alleged “the increasingly frequent
and common incidents of data breaches of large institutions, similar to [d]efendant” [Id.].
Plaintiff further argues that the Spokeo Court recognized that a “risk of real harm can[]
satisfy the requirement of concreteness,” 136 S. Ct. at 1549, “particularly where, as here,
that risk carries severe economic consequences” [Doc. 17 p. 22]. And, as for the actual25
or-imminent requirement, plaintiff asserts that he has sufficiently alleged a “substantial
risk” of a “certainly impending” data breach. Clapper, 568 U.S. at 409, 414 n.5.
Defendant, by contrast, argues that courts have frequently rejected similar attempts
to derive standing from the hypothetical risk of a potential data breach. See, e.g., Reilly v.
Ceridian Corp., 664 F.3d 38, 44–46 (3d Cir. 2011) (“In data breach cases where no misuse
is alleged, however, there has been no injury . . . . [because] there is no quantifiable risk of
damage in the future.”); Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 531–
33 (D. Md. 2016) (finding that an increased risk of identity theft following a data breach—
along with expenses associated with mitigating this risk—was too speculative to constitute
a “certainly impending” injury, as “[t]he majority of district courts faced with challenges
to the standing of data breach victims” have found); In re Zappos.com, Inc., 104 F. Supp.
3d at 955 (“The majority of courts dealing with data-breach cases post-Clapper have held
that absent allegations of actual identity theft or other fraud, the increased risk of such harm
alone is insufficient to satisfy Article III standing.”); Nat’l Council of La Raza v. Gonzales,
468 F. Supp. 2d 429, 444 (E.D.N.Y. 2007) (finding that a speculative risk of future thirdparty access to civil immigration records contained in the NCIC database did not constitute
an actual or imminent injury so as to confer standing).8
Plaintiff responds that the data breach cases cited by defendant are distinguishable.
First, plaintiff argues that these cases have no bearing here because plaintiff has not brought
8
See also In re Zappos.com, Inc., 104 F. Supp. 3d at 955 (collecting cases that follow
this majority approach, while noting that a few district court decisions from the Ninth
Circuit have reached the opposite conclusion).
26
a data breach claim—rather, he has alleged an increased risk of identity theft and fraud
resulting from a data breach as further evidence of injury. Second, plaintiff argues that the
data breach cases are inapposite because they all concern a company’s failure to safeguard
data properly within the company’s possession. Here, by contrast, plaintiff has alleged that
defendant had no right to access or retain his credit information after May 6, 2015. Third,
plaintiff notes that many of the data breach cases were dismissed because of the uncertain
legal basis for such a cause of action. See, e.g., Hammond v. Bank of N.Y. Mellon Corp.,
No. 08 Civ. 6060, 2010 WL 2643307, at *1–2 (S.D.N.Y. June 25, 2010) (noting that courts
have generally dismissed data-breach cases either on standing grounds or by finding “that
loss of identity information is not a legally cognizable claim”). But here, there is no dispute
that the FCRA provides for a private right of action.9
Plaintiff also relies in particular on the Sixth Circuit’s recent decision in Galaria v.
Nationwide Mutual Insurance Co., 663 F. App’x 384 (6th Cir. 2016). The defendant,
Nationwide, “maintain[ed] records containing sensitive personal information about its
customers, as well as potential customers who submit their information to obtain quotes
for insurance products.” Id. at 386. Hackers infiltrated Nationwide’s network and were
able to retrieve such information for 1.1 million customers, including the plaintiffs. Id.
The plaintiffs brought suit, alleging that Nationwide negligently and willfully failed to
adopt procedures to protect against this data breach. Id. Regarding standing, the plaintiffs
9
Plaintiff also distinguishes Gonzales on the grounds that that case (1) concerned the
standing of an organization to sue on behalf of its members, and (2) did not involve a defendant
alleged to have unlawfully accessed private information. 468 F. Supp. 2d at 433–35.
27
argued that data-breach victims are 9.6 times more likely to experience identity fraud and
have a fraud incidence rate of 19%. Id. The plaintiffs further alleged they had incurred
substantial out-of-pocket expenses to mitigate these risks, e.g., purchasing credit reporting
and monitoring services, purchasing and reviewing credit reports and bank statements,
instituting or removing credit freezes, and closing or modifying financial accounts. Id. at
386–87. The district court dismissed for lack of standing. Id. at 387.
The Sixth Circuit reversed, finding that these “allegations of a substantial risk of
harm, coupled with reasonably incurred mitigation costs, [were] sufficient to establish a
cognizable Article III injury at the pleading stage of the litigation.” Id. at 388. The court
found that the plaintiffs’ allegation of a “continuing, increased risk of fraud and identity
theft” provided a sufficiently definite probability of future injury, noting “[t]here is no need
for speculation [when the p]laintiffs allege that their data has already been stolen and is
now in the hands of ill-intentioned criminals.” Id. Additionally, the court concluded that
“[w]here [the p]laintiffs already know that they have lost control of their data, it would be
unreasonable to expect [them] to wait for actual misuse . . . before taking steps to ensure
their own personal and financial security.” Id. Thus, unlike cases where “[p]laintiffs seek
to ‘manufacture standing by incurring costs in anticipation of non-imminent harm,’” the
substantial mitigation expenses the Galaria plaintiffs incurred provided an alternative
injury in fact. Id. at 389 (quoting Clapper, 568 U.S. at 422).
After carefully considering the parties’ arguments on this issue, the Court finds that
plaintiff has failed to plead a concrete risk of harm from a hypothetical future data breach.
28
In particular, plaintiff fails to provide any indication of the actual likelihood of such a risk.
The amended complaint alleges only that “[d]ata breaches are increasingly common, and
financial institutions like [d]efendant are frequent targets of cybercriminals” [Doc. 1 ¶ 35
(citations omitted)]. Plaintiff does not aver, for example, that defendant has been the target
of hackers in the past or lacks the security features necessary to ward off a data breach.
Indeed, in his brief responding to defendant’s motion to dismiss, plaintiff merely argues—
in a conclusory fashion and without elaboration—that “[t]he risk to [him] is substantial
and certainly impending, establishing standing” [Doc. 17 p. 22]. As noted above, “legal
conclusions masquerading as factual conclusions will not suffice” when defending a Rule
12(b)(1) motion. O’Bryan, 556 F.3d at 376 (quoting Mezibov, 411 F.3d at 716)).
Thus, plaintiff’s alleged injury is even less certainly impending than in the databreach cases cited by defendant. In those cases, at least, third-party hackers had already
obtained access to the plaintiffs’ confidential information. See, e.g., In re Zappos.com,
Inc., 104 F. Supp. 3d at 955 (collecting cases). Yet “[m]ost courts have held that such
plaintiffs lack standing because the harm is too speculative.” Reilly, 664 F.3d at 43. Here,
plaintiff’s theory of standing requires one additional probabilistic leap—i.e., he relies on a
potential future data breach, which, if it ever occurs, might potentially result in identity
theft or fraud. In Clapper, the Supreme Court rejected a similar “highly attenuated chain
of possibilities” as sufficient to constitute injury in fact. 568 U.S. at 410–11 (rejecting the
“speculative fear” that the government would target the plaintiffs’ foreign contacts for
unlawful surveillance, would then receive court approval for such surveillance, and would
29
successfully intercept communications featuring the plaintiffs). The Court finds plaintiff’s
alleged injury here to be just as speculative as that in Clapper.
The Court further finds plaintiff’s attempts to distinguish the data-breach cases
unpersuasive. First, the fact that plaintiff has not asserted a freestanding data-breach claim
is immaterial. Regardless of whether a plaintiff relies on the consequences of a data breach
as an independent cause of action, or as a form of injury attending an FCRA violation, the
critical question for standing purposes remains the same—how substantial is the risk that
those consequences will actually occur? See Galaria, 663 F. App’x at 388. Second, the
fact that most of the data-breach defendants were lawfully in possession of the plaintiffs’
private information—unlike defendant here, according to plaintiff—does not alter the
analysis. Plaintiff has not alleged that defendant has misused, is misusing, or will misuse
his credit report in any way. Thus, just like in the data-breach cases, plaintiff is relying
entirely on “allegations of hypothetical, future injury” arising from third-party access to
defendant’s computer systems. Reilly, 664 F.3d at 42. Finally, the open question whether
federal or state law recognizes a freestanding data-breach claim has no bearing on this case.
While it is true that some courts have dismissed data-breach cases for lack of a valid cause
of action, many others have dismissed these cases on standing grounds. See Hammond,
2010 WL 2643307, at *1–2 (collecting cases following both courses).
The Sixth Circuit’s decision in Galaria is not to the contrary. Most obviously, in
Galaria a data breach had already occurred, and the plaintiffs’ credit information was “in
the hands of ill-intentioned criminals.” 663 F. App’x at 388. Here, plaintiff does not allege
30
that defendant has suffered a data breach or that any third party has attempted to access his
credit report—only that such a breach is possible. Moreover, critical to the Galaria holding
was the court’s finding that the plaintiffs had reasonably incurred substantial expenses to
help mitigate the consequences of a misuse of their information. Id. at 388–89. Here,
plaintiff does not allege that he has incurred any mitigation expenses in response to the soft
pull of his credit report. But even if he had, such self-imposed injuries would not provide
a basis for standing. As the Supreme Court explained in Clapper, plaintiffs seeking access
to the federal courts “cannot manufacture standing merely by inflicting harm on themselves
based on their fears of hypothetical future harm that is not certainly impending.” 568 U.S.
at 416. Such a theory would fail the causation prong of standing, as expenses unreasonably
incurred to prevent uncertain future harms are not “fairly traceable” to the defendant’s
allegedly wrongful conduct. Id.; accord Laird v. Tatum, 408 U.S. 1, 13–14 (1972); ACLU
v. NSA, 493 F.3d 644, 669–70 (6th Cir. 2007). Because, as explained above, plaintiff has
failed to allege either a substantial risk of a data breach or any expenses incurred to mitigate
that risk, Galaria does not support plaintiff’s claim of standing.
In sum, the Court finds that neither of plaintiff’s asserted injuries constitutes “such
a personal stake in the outcome of the controversy” as to ensure an adequately adversarial
process. Baker, 369 U.S. at 204. As such, plaintiff has failed to sufficiently plead one of
the essential components of Article III standing. The Court therefore lacks subject-matter
jurisdiction over this action.
31
IV.
Conclusion
Accordingly, in a separate order filed contemporaneously with this memorandum
opinion, the Court will DENY AS MOOT defendant’s first motion to dismiss [Doc. 12]
and GRANT defendant’s second motion to dismiss [Doc. 15]. Plaintiff’s first amended
complaint [Doc. 14] will therefore be DISMISSED WITHOUT PREJUDICE, and the
Clerk of Court will be DIRECTED to CLOSE this case.
ORDER ACCORDINGLY.
s/ Thomas A. Varlan
CHIEF UNITED STATES DISTRICT JUDGE
32
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?