Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On July 2, the U.S. Court of Appeals for the D.C. Circuit reversed a district court’s ruling that a consumer lacked Article III standing to allege a violation of the Fair and Accurate Credit Transaction Act (FACTA) when a merchant included all 16 digits of her credit card account number, her full name, and the expiration date on a receipt, because the receipt was not thrown away. Under FACTA, merchants are prohibited from including on a receipt (i) more than the last five digits of a consumer’s credit card number; and (ii) a credit card’s expiration date. The consumer alleged that the merchant violated the restriction, but the district court ruled that the consumer lacked standing to sue because she failed to describe a concrete risk of “actual or imminent” injury to a protected interest as defined in the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins. According to the district court, because the consumer did not dispose of the receipt, and was the only person who ever saw the receipt, her risk of identity theft had not increased. Moreover, the district court stated that the burden of protecting the non-compliant receipt did not constitute a concrete injury.
On appeal, the D.C. Circuit reversed, holding that printing a receipt containing all 16 digits of a consumer’s credit card number is an “egregious” enough violation of FACTA to confer standing. According to the panel, the harm inflicted on the consumer by the merchant’s mishandling of her receipt had a “close relationship” to the type of harm that gives rise to a “breach of confidence” claim. Moreover, the panel stated that it was irrelevant that the consumer had been able to protect herself by safeguarding the receipt because: (i) FACTA protects an interest in avoiding an increased risk of identity theft, which the panel considered to be sufficiently concrete; and (ii) under the facts presented, the violation of the truncation requirement created a “risk of real harm” to such concrete interest. The D.C. Circuit remanded the case for further proceedings consistent with its findings. Notwithstanding, the panel was clear that not every violation of FACTA’s truncation requirement creates a risk of identity theft.
Notably, while the D.C. Circuit’s decision is in agreement with an 11th Circuit opinion issued in April (prior InfoBytes coverage here), it conflicts with other appellate decisions, including an opinion issued by the 3rd Circuit in March (covered by InfoBytes here), wherein the 3rd Circuit held that, without concrete evidence of harm, a consumer lacks standing under FACTA to sue a merchant for including too many digits of a credit card account number on a receipt. The D.C. Circuit noted, however, that the 3rd Circuit “recognized its analysis would be different if it were presented with the facts [the consumer] presents to us.”
On April 22, the U.S. Court of Appeals for the 11th Circuit affirmed a district court’s ruling that including too many digits of a consumer’s credit card account number on a receipt was sufficient to constitute a concrete injury even if the consumer’s identity was not stolen. Under the Fair and Accurate Credit Transactions Act (FACTA), merchants are prohibited from including more than the final five digits of a consumer’s credit card number on a receipt. According to the opinion, the consumer filed a class action suit against a chocolate company, alleging that one of its stores printed the first six and last four digits of his account number on a receipt, which exposed the class members “to an elevated risk of identity theft.” When the parties sought approval of a proposed settlement, two unnamed class members contested the settlement on the grounds that, among other things, the consumer/class representative lacked standing to sue because he had not suffered a concrete injury as defined in the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins. The district court, however, approved the settlement.
On appeal, the 11th Circuit held that an increased risk of identity theft is sufficient to bring claims under FACTA, and that the class representative’s “alleged injury is ‘particularized’ because the heightened risk of identity theft affected him ‘in a personal and individual way’—it was his credit card number that appeared on the receipt.” Moreover, the appellate court noted, “In our view, if Congress adopts procedures designed to minimize the risk of harm to a concrete interest, then a violation of that procedure that causes even a marginal increase in the risk of harm to the interest is sufficient to constitute a concrete injury.”
On March 8, the U.S. Court of Appeals for the 3rd Circuit issued a precedential opinion holding that, without concrete evidence of harm, a consumer lacks standing under the Fair and Accurate Credit Transactions Act (FACTA) to sue a merchant for including too many digits of his credit card account number on a receipt. According to the opinion, the plaintiff claimed that he received receipts from three different stores owned by the defendant, all of which included both the final four digits and the first six digits of his account number. The plaintiff filed a class action lawsuit alleging the defendant willfully violated FACTA, which prohibits printing more than the last five digits of credit card number on a receipt. The plaintiff alleged that this violation, which he also claimed increased the risk of identity theft, constituted an injury-in-fact sufficient to confer Article III standing as required under the U.S. Supreme Court’s 2016 ruling in Spokeo v. Robins (covered by a Buckley Special Alert). The district court dismissed the suit.
On appeal, the 3rd Circuit agreed with the lower court, holding that the plaintiff failed to allege actual harm from the defendant’s practice. The appellate court held that the defendant’s technical violation of FACTA did not give the plaintiff standing to sue. Moreover, in the absence of actual harm, or a material risk of actual harm (the plaintiff did not allege that anyone—aside from the cashier—saw the receipt, that his credit card number had been misappropriated, or that his identity was stolen), the plaintiff would not have suffered the injury-in-fact that created federal court jurisdiction.
On September 19, the U.S. Court of Appeals for the Second Circuit issued an opinion ruling that a merchant who had printed the first six numbers of a consumer’s credit card on a receipt violated the Fair and Accurate Credit Transactions Act (FACTA), but that because the violation did not cause a concrete injury, the consumer did not have standing to sue the merchant. Under FACTA, merchants are prohibited from including more than the final five digits of a consumer’s credit card number on a receipt. In this instance, the plaintiff filed a complaint in 2014, followed by an amended complaint later that same year, in which he alleged that he twice received printed receipts containing the first six digits of his credit card number, in violation of FACTA. The plaintiff claimed that the risk of identity theft was a sufficient injury to establish standing. The defendants argued that that the first six digits of the credit card account only identified the card issuer and did not reveal any information about the consumer, which did not “raise a material risk of identity theft.” Citing a Supreme Court ruling in Spokeo v. Robins, the district court opined that a procedural violation of a statute is not enough to allow a consumer to sue, because it must be shown that the violation caused, or at least created a material risk of, harm to the consumer—which, in this case, was not present. Accordingly, the appellate court affirmed the district court’s dismissal for lack of subject matter jurisdiction, but found that the district court erred in dismissing the suit with prejudice.
On June 26, the U.S. Court of Appeals for the Second Circuit held that, without concrete evidence of actual harm, a consumer lacks standing under the Fair and Accurate Credit Transactions Act (FACTA) to sue a merchant for printing credit card expiration dates on receipts. The consumer alleged that printing the expiration date on her credit card receipt led to a material risk of identity theft, and therefore constituted an injury-in-fact sufficient to confer Article III standing. The court disagreed, noting that Congress’s amendments to FACTA belie that expiration dates on credit card receipts increase the risk of identity theft. Moreover, the court held that the consumer failed to allege actual harm from the merchant’s practice.
The court’s decision in Cruper-Wienmann comes approximately one month after the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 194 L. Ed. 2d 635 (2016), as revised (May 24, 2016), which held that “bare procedural violation[s], divorced from any concrete harm” are not enough to establish standing.
On April 18, the U.S. Court of Appeals for the Seventh Circuit dismissed a class action seeking damages against Shell under the Fair and Accurate Credit Transactions Act (FACTA) for displaying four digits of customers’ credit card numbers on receipts printed at Shell gas stations. Van Straaten v. Shell Oil Products Co. LLC, No. 11-8031, 2012 WL 1340111 (7th. Cir. Apr. 18, 2012). FACTA requires that such receipts truncate card numbers to display no more than the last five digits of the card number. Shell’s practice was to print the last four digits of what it calls the “primary account number,” which is the number appearing before the last five digits of the sequence of numbers appearing on the front of the credit card. The plaintiffs did not allege that Shell’s practice created a risk of identity theft, but that Shell violated FACTA by printing the wrong four numbers. Writing for a three-judge panel, Chief Judge Frank Easterbrook indicated that FACTA does not define the term “card number,” but the panel did not have to define the term, “because we can’t see why anyone should care how the term is defined.” He added that ”[a] precise definition does not matter as long as the receipt contains too few digits to allow identity theft.” As to FACTA’s authorization of $100 to $1,000 for each willful violation, Judge Easterbrook noted that “[a]n award of $100 to everyone who has used a Shell Card at a Shell station would exceed $1 billion, despite the absence of a penny’s worth of injury.” Because Shell now prints no such digits on its receipts, “the substantive question in this litigation will not recur for Shell or anyone else; it need never be answered.”
On March 12, the FTC released the results of a survey conducted to gauge consumer experiences in dealing with consumer reporting agencies (CRAs) following an identity theft. While the survey indicates that the majority of consumers were satisfied with their experiences, many consumers were unaware of their rights under the Fair and Accurate Credit Transactions Act (FACTA) before contacting a CRA. In response to concerns raised by consumers in the survey, the report recommends that (i) CRAs make it easier for consumers to reach a live person and (ii) the CFPB use its examination and rulemaking authority, and the FTC employ its enforcement authority, to address CRAs’ practice of attempting to sell identity theft products to consumers reporting identify thefts.
On January 24, the U.S. Court of Appeals for the Third Circuit affirmed a district court holding that printing of partial expiration dates does constitute a Fair and Accurate Credit Transactions Act (FACTA) violation, but held that the merchant, in this case, did not willfully violate FACTA by printing a portion of credit card expiration dates on customer receipts. Long v. Tommy Hilfiger U.S.A., Inc., No. 11-1554, 2012 WL 180874 (3rd Cir. Jan. 24, 2012). The consumer alleged, on behalf of a putative nationwide class, that the merchant’s practice of printing receipts that included the expiration month, but not year, willfully violated FACTA’s prohibition against printing “more than the last five digits of a credit card number or the expiration date upon any receipt provided” at the time of a transaction. On appeal, the court considered two questions: (i) whether the consumer properly alleged a FACTA violation, and (ii) whether the merchant’s alleged conduct constituted a willful violation of FACTA. The court held that FACTA prohibits printing of partial expiration dates, and that therefore plaintiff did properly allege a FACTA violation. The court explained that “expiration date” is not defined in the law, and found that “the most natural reading of the phrase” prohibits merchants from printing any of the numbers that appear in the expiration date field on a credit or debit card. If Congress had intended to allow partial expiration dates, the court stated, it would have used language similar to that used with regard to partial credit card numbers. However, the court held that the consumer could not recover statutory damages of $100 to $1,000 per violation, punitive damages, and attorneys fees, because the merchant’s action was not willful. Relying on a standard set in Safeco Insurance Company of America v Burr, 551 U.S. 47 (2007), the court held that the merchant’s interpretation that the statute permits partial expiration dates was not “objectively unreasonable”, because the statute does not provide a definition for “expiration date” and the interpretation has some foundation in the statutory text. According to the court, although the merchant’s interpretation of FACTA was wrong, it did not constitute a willful violation of the law.
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Tim Lange to discuss "Ease your pain at the state level: Recommendations for navigating the licensing issues in the states" at the Online Lenders Alliance Compliance University
- Amanda R. Lawrence, Aaron C. Mahler, and Jonice Gray Tucker to discuss "Expanded role for the FTC ahead: Implications for bank and nonbank financial institutions" at an American Bar Association Banking Law Committee Webinar
- Buckley Webcast: Flirting with alternatives — Opportunities and challenges created by alternative data, modeling, and technology
- Daniel P. Stipano to discuss "Reporting requirements for credit unions: CTRs and SARs" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Daniel P. Stipano and Moorari K. Shah to discuss "Vendor management: What is the NCUA looking for?" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Summer Regulatory Compliance School
- Warren W. Traiger to discuss "CRA modernization" at the National Association of Industrial Bankers and the Utah Association of Financial Services Annual Convention
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Hank Asbill to discuss "Ethical guidance in conducting internal investigations – The intersection of Yates and Upjohn" at the American Bar Association Southeastern White Collar Crime Institute
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at the American Bar Association Business Law Section Annual Meeting
- Daniel P. Stipano to discuss "Navigating the conflicting federal and state laws for doing business with cannabis companies" at the American Bar Association Business Law Section Annual Meeting
- Tim Lange to discuss "Services and value" at the North American Collection Agency Regulatory Association Annual Conference
- Amanda R. Lawrence to discuss "Data privacy litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Brandy A. Hood to discuss "How to ace your TRID exam" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "HMDA data is out, now what?" at the Mortgage Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Melissa Klimkiewicz to discuss "Navigating FHA rules and regs" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "The state’s role in fintech: Providing an industry framework for innovation" at Lend360
- Amanda R. Lawrence to discuss "How to balance a successful (and stressful) career with greater personal well-being" at the American Bar Association Women in Litigation Joint CLE Conference