Alp Baysal v. Midvale Indemnity Company
78f4th976
7th Cir.2023Background
- Midvale Indemnity and American Family added an “instant quote” web feature that autofilled some fields (including driver’s-license numbers) when users entered a name and address; this allowed anyone to retrieve a stranger’s license number.
- Midvale stopped the autofill after detecting misuse and sent breach-notification letters to affected individuals warning the data "may be used to fraudulently apply for unemployment benefits" and offering credit monitoring.
- Three recipients (Baysal, Maxim, Italiano) sued under the Driver’s Privacy Protection Act (DPPA) and state-law negligence; no class was certified, so the appeal concerns individual standing.
- The district court dismissed for lack of Article III standing, concluding plaintiffs failed to allege a concrete injury traceable to Midvale’s disclosure; it noted that anxiety and precautionary expenses alone are insufficient without a plausible nexus to actual harm.
- The Seventh Circuit majority affirmed: it held plaintiffs had not plausibly alleged concrete, traceable injury from disclosure of license numbers and viewed license numbers as neutral, commonly shared data lacking a close common-law analog.
- Judge Ripple dissented, arguing plaintiffs plausibly alleged identity-fraud harms and mitigation burdens traceable to Midvale; he emphasized Congress’s DPPA judgment and analogies to invasion-of-privacy harms, and he would find standing for damages and injunctive relief.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether plaintiffs have Article III standing based on DPPA violation (concrete injury) | DPPA violation and resulting risk/mitigation costs (credit monitoring, time spent responding to fraud) are concrete injuries; two plaintiffs received unemployment-fraud notices traceable to the breach | Mere disclosure of a neutral license number causes only worry; intangible or speculative harms and precautionary expenses do not satisfy concreteness | Majority: No standing — plaintiffs failed to allege a concrete injury traceable to disclosure; license numbers are neutral and lack a common-law analog. Dissent: Plaintiffs plausibly alleged concrete, traceable harms. |
| Traceability — were the alleged harms plausibly caused by Midvale’s disclosure? | Plaintiffs point to Midvale’s notice warning that license numbers might be used for fraudulent unemployment claims and allege actual fraudulent claims in two plaintiffs’ names | Defendants note complaint lacks factual detail linking license numbers to state unemployment forms and to the specific fraudulent filings | Majority: Traceability not plausibly alleged; plaintiffs didn’t show how license numbers could cause the harms. Dissent: Notice + actual fraudulent claims create a reasonable inference of traceability at pleading stage. |
| Whether a statutory violation (and DPPA’s liquidated damages) alone confers standing | Congress created a private right under DPPA and provided damages for violations; that statutory judgment should suffice to establish standing | Supreme Court precedent (Spokeo, TransUnion) forbids Congress from creating Article III standing solely by statute without concrete injury | Majority: Statutory violation alone insufficient under Spokeo/TransUnion; must show concrete injury with a common-law analogue — none here. Dissent: Congressional judgment is entitled to weight; DPPA protects privacy harms analogous to invasion-of-privacy and supports standing. |
| Standing for injunctive relief (risk of future harm) | Plaintiffs face imminent risk (fraudulent unemployment applications) and seek forward-looking relief to prevent recurrence | Defendants: Risk is speculative and not plausibly tied to Midvale’s conduct | Majority: Did not reach injunctive-relief claim because no standing for damages; dismissal affirmed. Dissent: Allegations support imminent risk and thus standing for injunctive relief. |
Key Cases Cited
- TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021) (concrete-injury requirement for statutory harms; courts must look for historical/common-law analogs)
- Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) (statutory violations do not automatically confer Article III standing; injury must be concrete)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) (no standing based on speculative future harms or self-inflicted mitigation costs)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (standing requires concrete injury, traceability, and redressability)
- Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) (data breaches can produce concrete injury via mitigation costs and identity-theft harms if traceable)
- Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018) (standing principles in data-breach contexts)
- Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (time and effort in remedying fraud can be concrete injury)
- Reno v. Condon, 528 U.S. 141 (2000) (DPPA regulates disclosure of state motor-vehicle records and implicates Congress’s authority over interstate information commerce)
- Senne v. Vill. of Palatine, 695 F.3d 597 (7th Cir. 2012) (en banc) (DPPA’s privacy and safety purposes and remedial scope)
- Garey v. James S. Farrin, P.C., 35 F.4th 917 (4th Cir. 2022) (post-TransUnion DPPA standing found where addresses—not license numbers—were disclosed and used for targeted solicitations)