A three-judge panel of the Third Circuit recently affirmed a district court ruling that dismissed a suit for violation of the Fair and Accurate Credit Transaction Act of 2003 (FACTA) for lack of Article III standing. The plaintiff, Ahmed Kamal, alleged that receipts he received from J. Crew showed the first six and last four digits of his credit card number in violation of FACTA. The panel, applying the Supreme Court’s ruling in Spokeo, Inc. v. Robins, ruled that absent more, such an allegation of a “technical violation” is insufficient to demonstrate the concrete harm required to demonstrate Article III standing.
Congress enacted FACTA to combat identity theft. The statute prohibits businesses from printing any more than the last five digits of a credit or debit card number on a receipt provided to the cardholder at the point of sale. FACTA also prohibits businesses from printing the card’s expiration date on the receipt. FACTA provides for actual damages and attorneys’ fees for negligent violations and statutory damages up to $1000, punitive damages, and attorneys’ fees for willful violations.
Kamal alleged that J. Crew willfully violated FACTA. On three separate occasions, at three separate J. Crew stores, he received a receipt that showed the first six and the last four digits of his card number. Kamal did not allege that anyone else saw these receipts, that his identity was stolen, or that his credit card number was compromised. He filed a class action suit against J. Crew, which the district court ultimately dismissed for lack of Article III standing.
Article III standing is a component of the Constitution’s case or controversy requirement. To maintain suit under this requirement, plaintiffs must show that 1) they suffered an injury in fact, 2) it is fairly traceable to the challenged conduct of the defendant, and 3) it is likely to be redressed by a favorable judicial decision.
On appeal, the issue before the panel was whether Kamal had sufficiently pled an injury in fact. To do so, Kamal was required to “allege an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.”
Kamal argued that he had pled concrete injury for two reasons. First, he argued that the violation of FACTA’s plain text was an intangible concrete harm in itself. Second, he argued that the increased risk of identity theft from the violation was concrete harm. After discussing Spokeo and a number of its own decisions, the panel rejected both arguments.
The panel discussed whether the alleged intangible harm had a close relationship to a harm that traditionally formed the basis of a common law action. It discussed a number of privacy torts and concluded that Kamal’s alleged harm did not have a close relationship to them because they all required disclosure of some personal information to a third party. Here, however, Kamal did not allege that any third party saw the offending receipts.
Next, the panel discussed whether Kamal had alleged an increased risk of the concrete harm of identity theft to satisfy Article III standing requirements. The panel noted that the first six digits of a credit card number identify the bank and card type, information that is permitted to be printed elsewhere on the receipt under FACTA. Therefore, J. Crew’s alleged violation did little to increase any risk of identity theft.
The panel also noted that for the alleged harm of identity theft to become realized, Kamal would have to lose or throw away the receipt, and then a would-be identity thief would have to find it and figure out the remaining digits along with additional information such as the expiration date, the Card Verification Value (CVV), or the billing zip code. The panel agreed with the district court that this chain of events was too attenuated and speculative to entail the sufficient degree of risk necessary to meet the concreteness requirement.
The decision puts the Third Circuit in line with the Second Circuit, which ruled in Katz v. Donna Karan Co. that printing the first six credit card digits on a receipt was a “bare procedural violation” that “did not raise a material risk of harm to identity theft.”
The Eleventh Circuit, however, is on the other side of the issue. In Muransky v. Godiva Chocolatier, Inc., it ruled that printing the first six digits on a receipt created concrete injury because it was similar to a common law action for breach of confidence. The Kamal panel expressed its disagreement with the Eleventh Circuit because a breach of confidence action required disclosure to a third party, which Kamal had not alleged.
By requiring disclosure to a third party to show a close relationship to a traditional tort action, however, the panel essentially closed the door on one option to show concrete harm. Under the panel’s reasoning, even printing the full credit card number on the receipt would not have a close relationship to traditional privacy torts so long as the merchant gave the receipt to only the customer.
Even so, under that set of facts, the plaintiff would likely be able to show concrete harm through the increased risk of identity theft. The panel admitted that its “analysis would be different” had Kamal “alleged that the receipt included all sixteen digits of his credit card number, making the potential for fraud significantly less conjectural.” But that raises the question of where courts should draw the line. What about a receipt that shows 12 or 13 digits? Is the risk of identity theft that much more appreciable to satisfy the concrete harm requirement? And will this standard shift as identity thieves employ more sophisticated means to get the information they need?
Stay tuned, as this issue of FACTA standing is sure to get murkier as lower courts continue to grapple with the Supreme Court’s Spokeo decision.
