History
  • No items yet
midpage
60 F.4th 240
4th Cir.
2023
Read the full case

Background

  • Equifax suffered a data breach; its subsidiary TrustedID hosted a website to tell consumers whether they were impacted.
  • O’Leary used TrustedID’s site, entered six digits of his SSN (site required no password or other authentication), and was told he was “not impacted.”
  • O’Leary alleges TrustedID shared those six SSN digits with Equifax and that requiring six digits violated South Carolina’s Financial Identity Fraud and Identity Theft Protection Act (§ 37-20-180(A)(4)).
  • O’Leary sued in state court; TrustedID removed under CAFA. The district court found (contrary to O’Leary’s uncertainty) that he had Article III standing but dismissed his statutory, privacy, and negligence claims on the merits.
  • On appeal the Fourth Circuit held O’Leary lacked Article III standing because he alleged only a bare statutory violation without a nonspeculative increased risk of identity theft, vacated the judgment, and instructed remand to state court.

Issues

Issue Plaintiff's Argument Defendant's Argument Held
Article III standing: did O’Leary allege a concrete injury? O’Leary: requiring six SSN digits invaded privacy and caused harm; monetization of data TrustedID: at most a statutory/procedural violation; no concrete harm alleged No standing: bare statutory violation without nonspeculative risk of identity theft is insufficient
Merits: does the statutory violation state a claim under the SC Act? O’Leary: the Act was violated by requiring six digits and that suffices TrustedID: claim fails as a matter of law Not decided by the Fourth Circuit — remand to state court for resolution

Key Cases Cited

  • TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (Sup. Ct. 2021) (Article III requires a concrete injury beyond a bare statutory violation)
  • Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) (procedural statutory violations alone typically do not confer Article III standing)
  • Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013) (speculative chains of future harms insufficient for standing)
  • Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir. en banc 2020) (FACTA digit-disclosure alone not a concrete injury absent realistic risk)
  • Jeffries v. Volume Servs. Am., Inc., 928 F.3d 1059 (D.C. Cir. 2019) (egregious FACTA exposure can create a non-speculative identity-theft risk)
  • Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (data-breach plaintiffs lacked standing where increased-risk allegations were speculative)
  • Hutton v. Nat'l Bd. of Examiners in Optometry, Inc., 892 F.3d 613 (4th Cir. 2018) (actual identity theft traceable to breach sufficed for standing)
  • Ruiz v. Gap, Inc., [citation="380 F. App'x 689"] (9th Cir. 2010) (increased risk of identity theft, supported by affidavit, found non-speculative)
Read the full case

Case Details

Case Name: Brady O'Leary v. TrustedID, Inc.
Court Name: Court of Appeals for the Fourth Circuit
Date Published: Feb 21, 2023
Citations: 60 F.4th 240; 21-2144
Docket Number: 21-2144
Court Abbreviation: 4th Cir.
Log In
    Brady O'Leary v. TrustedID, Inc., 60 F.4th 240