60 F.4th 240
4th Cir.2023Background
- Equifax suffered a data breach; its subsidiary TrustedID hosted a website to tell consumers whether they were impacted.
- O’Leary used TrustedID’s site, entered six digits of his SSN (site required no password or other authentication), and was told he was “not impacted.”
- O’Leary alleges TrustedID shared those six SSN digits with Equifax and that requiring six digits violated South Carolina’s Financial Identity Fraud and Identity Theft Protection Act (§ 37-20-180(A)(4)).
- O’Leary sued in state court; TrustedID removed under CAFA. The district court found (contrary to O’Leary’s uncertainty) that he had Article III standing but dismissed his statutory, privacy, and negligence claims on the merits.
- On appeal the Fourth Circuit held O’Leary lacked Article III standing because he alleged only a bare statutory violation without a nonspeculative increased risk of identity theft, vacated the judgment, and instructed remand to state court.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing: did O’Leary allege a concrete injury? | O’Leary: requiring six SSN digits invaded privacy and caused harm; monetization of data | TrustedID: at most a statutory/procedural violation; no concrete harm alleged | No standing: bare statutory violation without nonspeculative risk of identity theft is insufficient |
| Merits: does the statutory violation state a claim under the SC Act? | O’Leary: the Act was violated by requiring six digits and that suffices | TrustedID: claim fails as a matter of law | Not decided by the Fourth Circuit — remand to state court for resolution |
Key Cases Cited
- TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (Sup. Ct. 2021) (Article III requires a concrete injury beyond a bare statutory violation)
- Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) (procedural statutory violations alone typically do not confer Article III standing)
- Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013) (speculative chains of future harms insufficient for standing)
- Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir. en banc 2020) (FACTA digit-disclosure alone not a concrete injury absent realistic risk)
- Jeffries v. Volume Servs. Am., Inc., 928 F.3d 1059 (D.C. Cir. 2019) (egregious FACTA exposure can create a non-speculative identity-theft risk)
- Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (data-breach plaintiffs lacked standing where increased-risk allegations were speculative)
- Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d 613 (4th Cir. 2018) (actual identity theft traceable to breach sufficed for standing)
- Ruiz v. Gap, Inc., [citation="380 F. App'x 689"] (9th Cir. 2010) (increased risk of identity theft, supported by affidavit, found non-speculative)
