Stephanie Daniel v. National Park Service

See case details

STEPHANIE DANIEL, on behalf of herself and all others similarly situated, Plaintiff-Appellant, v. NATIONAL PARK SERVICE; DOES, 1-10, Defendants-Appellees.

No. 16-35689

UNITED STATES COURT OF APPEALS FOR THE NINTH CIRCUIT

May 30, 2018

Michael Daly Hawkins, M. Margaret McKeown, and Morgan Christen, Circuit Judges.

D.C. No. 1:16-cv-00018-SPW. Appeal from the United States District Court for the District of Montana. Susan P. Watters, District Judge, Presiding. Argued and Submitted December 5, 2017, Seattle, Washington.

SUMMARY^*

Fair Credit Reporting Act

The panel affirmed the district court‘s dismissal of a suit brought pursuant to the Fair Credit Reporting Act, 15 U.S.C. § 1681c(g), against the National Park Service alleging that the Service violated the Act by failing to redact plaintiff‘s debit card expiration date from her purchase receipt.

Plaintiff alleged that when she purchased an entrance pass to Yellowstone National Park, the Park Service printed a receipt bearing her full debit card expiration date. According to plaintiff, the Park Service violated the Act‘s prohibition that “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. § 1681c(g) (emphases added). Plaintiff alleged that after the Yellowstone transaction, her debit card was used fraudulently and she suffered damages from her stolen identity. She also alleged that the fraudulent use of her debit card was caused in part by the inclusion of the card‘s expiration date on her Yellowstone receipt.

The panel held as an initial matter, that plaintiff lacked standing because her complaint made only conclusory allegations that her stolen identity was traceable to the Park Service‘s alleged violation of the Act. The panel further held that giving plaintiff leave to amend the complaint would be futile because the Act does not waive the federal government‘s sovereign immunity from plaintiff‘s suit.

COUNSEL

Timothy M. Bechtold (argued), Bechtold Law Firm PLLC, Missoula, Montana, for Plaintiff-Appellant.

Mark B. Stern (argued) and Henry C. Whitaker, Appellate Staff; Michael W. Cotter, United States Attorney; Chad A. Readler, Acting Assistant Attorney General; Civil Division, United States Department of Justice, Washington, D.C.; for Defendant-Appellee.

OPINION

McKEOWN, Circuit Judge:

This appeal is one of many in which plaintiffs seek redress for violation of a federal law that requires redaction of certain credit and debit card information on printed receipts. Stephanie Daniel alleges that identity thieves made fraudulent charges on her debit card at some unspecified time after she visited Yellowstone National Park. Daniel sued the National Park Service for issuing a receipt showing her debit card‘s expiration date, a violation of the Fair Credit Reporting Act (“FCRA“). 15 U.S.C. § 1681c(g).

We affirm the district court‘s dismissal of Daniel‘s suit. As an initial matter, Daniel lacks standing because her complaint makes only conclusory allegations that her stolen identity was traceable to the Park Service‘s alleged FCRA violation. Nonetheless, giving Daniel leave to amend the complaint would be futile because the FCRA does not waive the federal government‘s sovereign immunity from Daniel‘s suit.

Background

When Daniel purchased an entrance pass to Yellowstone National Park, the National Park Service (the “Park Service“) printed a receipt bearing her full debit card expiration date. According to Daniel, the Park Service violated the FCRA‘s prohibition that “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. § 1681c(g) (emphases added). The receipt otherwise complied with the FCRA‘s card-number redaction requirements—it did not print more than the last five digits of the debit card number.

Daniel sued the Park Service, on behalf of herself and a putative class, under one of the FCRA‘s enforcement provisions: “Any person who willfully fails to comply with [the FCRA] with respect to any consumer is liable to that consumer” for statutory damages of between $100 and $1,000 per violation or “any actual damages sustained by the consumer,” costs and attorneys’ fees, and potential punitive damages. Id. § 1681n. Daniel claimed that after the Yellowstone transaction, her debit card was used fraudulently and she suffered damages from her stolen identity. She also alleged that the fraudulent use of her debit card was caused in part by the inclusion of the card‘s expiration date on her Yellowstone receipt.

The district court granted the Park Service‘s motion to dismiss on the grounds that the FCRA does not waive the U.S. government‘s sovereign immunity. The court concluded that “including the United States as a ‘person’ every time the term is used in the FCRA would lead to inconsistent usage and potentially absurd results.” Accordingly, Congress did not “speak unequivocally” as is required to waive sovereign immunity.¹

Analysis

Both Article III standing and sovereign immunity are threshold jurisdictional issues that we review de novo. See Raines v. Byrd, 521 U.S. 811, 818 (1997); FDIC v. Meyer, 510 U.S. 471, 475 (1994). In this instance, we analyze both issues because dismissal of the case on standing grounds leaves open whether Daniel could amend her complaint to satisfy standing requirements. That route is foreclosed, however, because a suit dismissed on sovereign immunity grounds cannot be salvaged. See United States v. Mitchell, 463 U.S. 206, 212 (1983) (“It is axiomatic that the United States may not be sued without its consent and that the existence of consent is a prerequisite for jurisdiction.“). Daniel‘s complaint fails on both fronts.

I. STANDING

To meet the constitutional threshold of Article III standing, Daniel must allege that she “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of [the Park Service], and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). Although Daniel alleged a sufficient injury of identity theft, she failed to allege that her injury was “fairly traceable” to the Park Service‘s issuance of the receipt. Without this link, Daniel‘s suit must be dismissed.

A. DANIEL ALLEGED A CONCRETE INJURY OF IDENTITY THEFT

We recently considered whether “receiving an overly revealing credit card receipt—unseen by others and unused by identity thieves—[is] a sufficient injury to confer Article III standing.” See Bassett v. ABM Parking Servs., Inc., 883 F.3d 776, 777 (9th Cir. 2018). Bassett‘s theory of injury—an “exposure” to identity theft “caused by [the issuer‘s] printing of his credit card expiration date on a receipt that he alone viewed“—did not have “a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Id. (quoting Spokeo, 136 S. Ct. at 1549). Nor did Congress “elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law.” Id. at 781-82 (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 578 (1992)). It was no stretch to conclude that a receipt showing the credit card expiration date, by itself, was not a concrete injury. Id. at 780.

In contrast to Bassett, Daniel alleged a concrete, particularized injury by claiming that after the Yellowstone transaction, her debit card was used fraudulently and she suffered damages from her stolen identity. Identity theft and fraudulent charges are concrete harms particularized to Daniel and establish a sufficient injury at the pleading stage. See generally Spokeo, 136 S. Ct. at 1548-50; In re Zappos.com, Inc., 888 F.3d 1020, 1028 (9th Cir. 2018) (holding that specific allegations of hackers accessing a plaintiff‘s personal information that “could be used to help commit identity fraud or identity theft” are a sufficient injury).

B. DANIEL‘S IDENTITY THEFT IS NOT FAIRLY TRACEABLE TO THE PARK SERVICE‘S RECEIPT

The trickier question is whether the fraudulent charges on Daniel‘s debit card and her stolen identity are “fairly traceable” to the Park Service‘s printing of a receipt showing the expiration date of that debit card. At the pleading stage, Daniel does not need to prove proximate causation. See Lexmark Int‘l, Inc. v. Static Control Components, Inc., 134 S. Ct. 1377, 1391 n.6 (2014). But she still bears the burden of “demonstrating that her injury-in-fact is ... fairly traceable to the challenged action“—here, the Park Service‘s issuance of the receipt. Davidson v. Kimberly-Clark Corp., 889 F.3d 956, 2018 WL 2169784, at *7 (9th Cir. May 9, 2018) (citing Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149 (2010)). Daniel‘s threadbare allegations fall short of demonstrating that link.

Daniel‘s complaint contains only two generic statements that attempt to draw a connection between the receipt and her later identity theft. She alleged: “After this debit card transaction, Plaintiff Daniel‘s personal debit card was used fraudulently and she suffered damages from the stolen identity.” She went on to claim: “Based on information and belief, the fraudulent use of Plaintiff Daniel‘s debit card was caused in part by the inclusion of the expiration date of her debit card on the receipt of her purchase from Defendant National Park Service.”

The latter statement is a legal conclusion, and is therefore not entitled to an assumption of truth at the pleading stage. See Ashcroft v. Iqbal, 556 U.S. 662, 678–80 (2009). The former statement presents no specific factual allegations plausibly tying the Park Service receipt to her identity theft. These naked assertions fail our edict that a plaintiff may not “rely on a bare legal conclusion to assert injury-in-fact, or engage in an ingenious academic exercise in the conceivable to explain how defendants’ actions caused his injury.” Maya v. Centex Corp., 658 F.3d 1060, 1068 (9th Cir. 2011) (internal quotation marks and footnotes omitted).

Like Bassett, Daniel “did not allege that another copy of the receipt existed, that h[er] receipt was lost or stolen, ... or even that another person apart from h[er] lawyers viewed the receipt.” Bassett, 883 F.3d at 783.² Merely asserting that a theft occurred at an unspecified time “after” the debit card transaction—absent any other details—does not connect the dots. Even crediting that temporal allegation as true, as we must at this stage, Daniel alleged no link between the receipt and the identity theft. See Syed v. M-I, LLC, 853 F.3d 492, 499 n.4 (9th Cir. 2017); Maya, 658 F.3d at 1068–73.

We are left with an allegation of a “bare procedural violation” of the FCRA and a generic allegation of later harm that is “divorced from” that violation. See Spokeo, 136 S. Ct. at 1549; Bassett, 883 F.3d at 781, 783. Because the “fairly traceable” leg of standing is no less essential to the “irreducible constitutional minimum” of standing than the injury leg, Daniel failed to adequately allege standing. Spokeo, 136 S. Ct. at 1547 (quoting Lujan, 504 U.S. at 560).

Our conclusion does not alter the longstanding principle that “the causation and redressability requirements are relaxed” in standing analysis where a plaintiff‘s claims “rest on a procedural injury.” Ctr. for Biological Diversity v. Mattis, 868 F.3d 803, 817 (9th Cir. 2017) (quoting California ex rel. Imperial Cty. Air Pollution Control Dist. v. U.S. Dep‘t of the Interior, 767 F.3d 781, 790 (9th Cir. 2014)). Our usual rule rests on the assumption that by “providing a cause of action” for violations of a statute, “Congress has recognized the harm such violations cause, thereby articulating a ‘chain[] of causation that will give rise to a case or controversy.‘” Syed, 853 F.3d at 499 (quoting Spokeo, 136 S. Ct. at 1549). Such an assumption is unwarranted under these unique circumstances.

The FCRA presents the exceedingly rare case where Congress created a cause of action for violations of a statute, but also concluded that a chain of causation does not cause harm. The FCRA prohibits any “person” from printing a receipt with a card‘s expiration date, and holds liable “[a]ny person who willfully fails to comply with” that requirement. 15 U.S.C. §§ 1681c(g), 1681n. On the surface, the law is “an effort to combat identity theft.” Bateman v. Am. Multi-Cinema, Inc., 623 F.3d 708, 717 (9th Cir. 2010).

Yet after passing the expiration-date requirement, Congress enacted the Credit and Debit Card Receipt Clarification Act, Pub. L. No. 110-241, 122 Stat. 1565 (2008) (the “Clarification Act“). That statute includes express congressional findings that “[e]xperts in the field agree that proper truncation of the card number, by itself as required by the [FCRA], regardless of the inclusion of the expiration date, prevents a potential fraudster from perpetrating identity theft or credit card fraud.” 122 Stat. at 1565 (emphasis added). Accordingly, the Clarification Act set a temporary safe harbor for merchants: “any person who printed an expiration date on any receipt ... between December 4, 2004, and [June 3, 2008],” but otherwise complied with the card number truncation requirements, did not willfully violate the FCRA. Id. at 1566. The Clarification Act left the FCRA untouched for receipts printed after June 3, 2008, like Daniel‘s. Id.

The congressional ambivalence expressed in the statutory prohibition and the Clarification Act produces a peculiar outcome. On the one hand, we have a cause of action to remedy statutory violations that was intended to “combat identity theft,” and we have vague allegations of “identity theft.” On the other hand, we have an express congressional finding that receipts like Daniel‘s “prevent” identity theft and credit card fraud, they do not cause injury. “On balance, congressional judgment weighs against” standing in this case, just as in Bassett. Bassett, 883 F.3d at 782.

The result here does not foreclose future plaintiffs from adequately alleging standing for FCRA violations, even those involving expiration dates on receipts. But such plaintiffs shoulder the burden of meeting each of the elements for standing, including the “fairly traceable” requirements.

In the ordinary appeal, we might consider whether amendment of the complaint could cure the defects in the standing allegations. E.g., Maya, 658 F.3d at 1072. However, we do not reach that question because Daniel‘s suit is also barred by sovereign immunity. Any amendment would be futile. See Mitchell, 463 U.S. at 212.

II. SOVEREIGN IMMUNITY

Sovereign immunity shields the United States from suit “absent a consent to be sued that is ‘unequivocally expressed‘” in the text of a relevant statute. United States v. Bormes, 568 U.S. 6, 9–10 (2012) (quoting United States v. Nordic Village, Inc., 503 U.S. 30, 33-34 (1992)). To maintain a suit against the government for money damages, “the waiver of sovereign immunity must extend unambiguously to such monetary claims,” thus foreclosing an implied waiver. Lane v. Pena, 518 U.S. 187, 192 (1996).

The clear textual waiver rule “ensures that Congress has specifically considered sovereign immunity and has intentionally legislated on the matter.” Sossamon v. Texas, 563 U.S. 277, 290 (2011).³ It also “ensure[s] Congress does not, by broad or general language, legislate on a sensitive topic inadvertently or without due deliberation.” Id. at 291. Key here, “[a]ny ambiguities in the statutory language are to be construed in favor of immunity.” FAA v. Cooper, 566 U.S. 284, 290 (2012) (emphasis added).

A. THE FCRA DOES NOT CLEARLY WAIVE IMMUNITY FOR DANIEL‘S SUIT

We begin with the principle that our duty is “to construe statutes, not isolated provisions.” King v. Burwell, 135 S. Ct. 2480, 2489 (2015). We thus “look to the provisions of the whole law” to determine whether the FCRA‘s “any person” language unambiguously applies to the federal government. Star Athletica, L.L.C. v. Varsity Brands, Inc., 137 S. Ct. 1002, 1010 (2017).

The FCRA broadly defines a “person” as “any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.” 15 U.S.C. § 1681a(b) (emphasis added). The National Park Service is an agency of the United States. Hence, the sovereign immunity question boils down to whether the inclusion of “governmental ... agency” in the FCRA‘s definition of “person” constitutes an unequivocal waiver of the federal government‘s immunity from money damages and subjects the United States to the various provisions directed at “any person” who violates the law. Construing the FCRA as a whole—including the different contexts in which “person” is used, and the inclusion of a clear waiver of sovereign immunity in an unrelated provision—we view the statute as ambiguous with respect to whether Congress waived immunity for Daniel‘s suit.

1. The Many Appearances of “Person” in the FCRA

The word “person” appears throughout the FCRA, as amended by the Fair and Accurate Credit Transactions Act (“FACTA“).⁴ The statutory proscription at issue establishes that “no person that accepts credit cards or debit cards for the transaction of business shall print ... the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. § 1681c(g) (emphasis added).

The FCRA also contains a number of enforcement provisions directed at “any person” who violates the law. Daniel invoked a citizen suit provision that “[a]ny person who willfully fails to comply with [the FCRA] with respect to any consumer is liable to that consumer” for statutory damages of between $100 and $1,000 per violation or “any actual damages sustained by the consumer,” costs and attorneys’ fees, and potential punitive damages. Id. § 1681n. Similarly, “[a]ny person who is negligent in failing to comply with [the FCRA] with respect to any consumer is liable to that consumer” for “any actual damages,” costs and attorneys’ fees. Id. § 1681o. “Any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined ..., imprisoned for not more than 2 years, or both.” Id. § 1681q. And, “any person” who violates the FCRA is subject to enforcement actions by the Federal Trade Commission, the Consumer Financial Protection Bureau, and state governments. Id. § 1681s (all emphases added).

2. Reading “the United States” Into Every Iteration of “Person” Leads to Implausible Results

Distilling a clear waiver of sovereign immunity in the FCRA would require us to treat “the United States” as a “person” in each provision. Substituting the sovereign for each of the FCRA‘s iterations of “person” leads to implausible results, however, and underscores that Congress did not intend for the law‘s enforcement provisions to apply against the federal government. Notwithstanding the FCRA‘s broad statutory definition, we note that in other contexts, courts have been “reluctant to read ‘person’ to mean the sovereign where, as here, such a reading is decidedly awkward.” Int‘l Primate Prot. League v. Adm‘rs of Tulane Educ. Fund, 500 U.S. 72, 83 (1991).

Most importantly, treating the United States as a “person” across the FCRA‘s enforcement provisions would subject the United States to criminal penalties. Because “[a]ny person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined ..., imprisoned for not more than 2 years, or both,” such an interpretation would subject the sovereign to incarceration. 15 U.S.C. § 1681q. As the Supreme Court observed in construing the use of “person” in the Sherman Antitrust Act:

The connotation of a term in one portion of an Act may often be clarified by reference to its use in others. The word “person” is used in several sections other than [this one]. In [the other sections], the phrase designating those liable criminally is “every person who shall” etc. In each instance it is obvious that the term “person” ... cannot embrace the United States.

United States v. Cooper Corp., 312 U.S. 600, 606–07 (1941); see also U.S. Postal Serv. v. Flamingo Indus. (USA) Ltd., 540 U.S. 736, 744–45 (2004) (reinforcing that the United States is not a “person” in the Sherman Act because “if the definition of ‘person’ included the United States, then the Government would be exposed to liability as an antitrust defendant, a result Congress could not have intended“).

It may not be “outlandish” for Congress to subject federal employees to criminal prosecution. See Bormes v. United States, 759 F.3d 793, 796 (7th Cir. 2014). But the statutory definition would read “the United States” into the FCRA‘s enforcement provisions, not “federal employees.” We have recognized the difference between imposing criminal penalties on individuals and government agencies; the latter is “patently absurd.” Al-Haramain Islamic Found., Inc. v. Obama, 705 F.3d 845, 854 (9th Cir. 2012) (quoting United States v. Singleton, 165 F.3d 1297, 1299–1300 (10th Cir. 1999)). Because authorizing criminal penalties against governments rather than individuals would be “unprecedented,” it is highly unlikely that Congress intended to do so obliquely with a broad definition of “person.” Id.

Ascribing personhood to the federal government also would authorize the Federal Trade Commission, the Consumer Financial Protection Bureau, and state governments to launch enforcement actions against the United States for violations of the FCRA. See 15 U.S.C. §§ 1681s(a)(2)(A), 1681s(c)(1)(B). Since Daniel does not identify any other federal statute that applies such an enforcement scheme against the United States, we doubt that Congress meant to build a novel enforcement regime without doing so explicitly.⁵ The spectre of the Federal Trade Commission suing the United States, aka itself, to “recover a civil penalty” from itself makes little sense. See id. § 1681s.

Finally, regarding the United States as a “person” would license substantial potential punitive damages against the federal government when Congress rarely does so. See 15 U.S.C. § 1681n (levying potential punitive damages on “any person” who willfully violates the Act). In waiving the sovereign immunity of the United States for certain tortious acts, the Federal Tort Claims Act prohibits assessment of punitive damages against the United States. See 28 U.S.C. § 2674. Hence, a finding of waiver of sovereign immunity to authorize Daniel‘s suit would require us to believe that Congress chose to prohibit punitive damages against the United States for tortiously killing people, see id., but allowed punitive damages on the government for printing overly revealing debit card receipts.

There is a “presumption against imposition of punitive damages on governmental entities.” Vt. Agency of Nat. Res. v. U.S. ex rel. Stevens, 529 U.S. 765, 785 (2000). Given the presumption, Congress must be explicit in licensing punitive damages against the sovereign, as it was in § 1681u(j),

discussed below. The FCRA‘s assessment of potential punitive damages against “any person” who “willfully fails to comply with” the law is not so lucid. 15 U.S.C. § 1681n.

3. Section 1681u(j)‘s Explicit Waiver of Sovereign Immunity

Equating “the United States” with a “person” in multiple sections of the FCRA also conflicts with a very clear waiver of sovereign immunity elsewhere in the statute. In § 1681u(j), the FCRA provides that “[a]ny agency or department of the United States obtaining or disclosing any consumer reports, records, or information contained therein in violation of this section is liable to the consumer” for statutory and actual damages, and, “if the violation is found to have been willful or intentional, such punitive damages as a court may allow.”⁶ 15 U.S.C. § 1681u(j). As the district court observed, “[t]he fact that Congress explicitly named the United States in the remedial provisions found at § 1681u(j) but not in the remedial provisions found at §§ 1681n and 1681o demonstrates the equivocal nature of any purported waiver of sovereign immunity” in the latter sections. Congress enacted the explicit waiver of sovereign immunity in § 1681u(j) less than one year before Congress expanded liability to “person[s]” under the FCRA. See Intelligence Authorization Act for Fiscal Year 1996, Pub. L. No. 104-93, tit. VI, § 601, 109 Stat. 976–77. Because Congress knew how to explicitly waive sovereign immunity in the FCRA, it could have used that same language when enacting subsequent enforcement provisions. That Congress subjected “person[s]” to liability in those later amendments—not the United States itself or any of its departments or agencies—is telling.

Of course, § 1681u concerns disclosures of information by the Federal Bureau of Investigation and other federal agencies involved in counterintelligence investigations. While the section‘s limited focus on federal agencies might explain the difference in statutory language, § 1681u clouds whether the remedial provisions at §§ 1681o and 1681n extend “unambiguously” to monetary claims against the United States. See Ordonez v. United States, 680 F.3d 1135, 1138 (9th Cir. 2012) (quoting Lane, 518 U.S. at 192). We view the comparison to § 1681u as particularly instructive because “it is useful to benchmark the statutory language against other explicit waivers of sovereign immunity” when determining whether an unequivocal waiver of sovereign immunity exists. Al-Haramain, 705 F.3d at 851.

4. The FCRA‘s Ambiguity Compared with Clear Waivers of Sovereign Immunity

Further to that point, other citizen suit provisions that waive sovereign immunity do so much more explicitly. See, e.g., 33 U.S.C. § 1365 (the “Clean Water Act“) (“any citizen may commence a civil action on his own behalf ... against any person (including (i) the United States, and (ii) any other governmental instrumentality or agency ...)“); 42 U.S.C. § 6972 (RCRA) (“any person may commence a civil action on his own behalf ... against any person, including the United States and any other governmental instrumentality or agency, ...“).⁷ Although Congress need not use “magic words” to waive sovereign immunity, see Cooper, 566 U.S. at 290, most other waivers of sovereign immunity specifically mention the “United States.” See Al-Haramain, 705 F.3d at 851 (collecting examples of waivers). As we have stated, “contrasted against other provisions deemed sufficient to invoke waiver, the lack of an explicit waiver ... is stark, permitting suit only against a ‘person,’ without listing the ‘United States.‘” Id. at 852.

5. Daniel‘s Interpretation of “Person” Overreads the Statute

Glossing over the many statutory indicators to the contrary, Daniel seeks to identify a waiver by focusing exclusively on the FCRA‘s definition of “person.” Because the Park Service is a “governmental ... agency“—her theory goes—the Park Service must be a “person” that is liable to Daniel for statutory damages or “any actual damages,” punitive damages, costs and attorneys’ fees. The Seventh Circuit embraced this theory in Bormes v. United States, 759 F.3d 793, 795 (2014).

We are not convinced by the Seventh Circuit‘s reasoning.⁸ Importantly, the United States conceded in Bormes that it is a “person” for the purpose of the FCRA‘s substantive requirements; the government challenged only that the FCRA authorizes money damages against it. Id. The court seized on that concession, reasoning that “if the United States is a ‘person’ ... for the purpose of duties, how can it not be one for the purpose of remedies? Nothing in the FCRA allows the slightest basis for a distinction.” Id.

Yet the Seventh Circuit‘s logic can just as easily be flipped around.⁹ If the United States cannot be a “person” under the criminal provisions of the FCRA, why must the United States unequivocally be a “person” for the purpose of the other enforcement provisions? See United States v. Nosal, 676 F.3d 854, 857-59 (9th Cir. 2012) (en banc) (observing that “identical words ... within the same statute should normally be given the same meaning” and narrowly construing a term because a broader construction would substantially “expand the scope of criminal liability“). To use the Seventh Circuit‘s words, “[n]othing in the FCRA allows the slightest basis for a distinction.” Bormes, 759 F.3d at 795. That is particularly true when the remedies section also subjects “persons” to punitive damages, and the United States is rarely prone to sweeping punitive liability. See 15 U.S.C. § 1681n. The court in Bormes did not address this important anomaly. Nor did the court consider the clear waiver of sovereign immunity at § 1681u(j) or the unparalleled enforcement regime created by its decision.

Even more curious, the Seventh Circuit has since questioned its own reasoning in Bormes. Notably, the court refused to expand its holding to effect a waiver of tribal sovereign immunity in the FCRA. See Meyers v. Oneida Tribe of Indians of Wis., 836 F.3d 818 (7th Cir. 2016), cert. denied, 137 S. Ct. 1331 (2017). The court emphasized that in Bormes, “the government conceded that it was a ‘person’ for purposes of the Act so the court had no reason to engage in a full analysis of the scope of the term ‘any government.‘” Id. at 826. By contrast, the tribal government made no such concession. Id. Finally grappling with the statutory term, the court concluded that “any government” is equivocal as to whether it includes “Indian tribes” even though Indian tribes are governments:

The district court did not dismiss [Meyers‘s] claim because it concluded that Indian tribes are not governments. It dismissed his claim because it could not find a clear, unequivocal statement in FACTA that Congress meant to abrogate the sovereign immunity of Indian Tribes. Meyers has lost sight of the real question in this sovereign immunity case—whether an Indian tribe can claim immunity from suit. The answer to this question must be “yes” unless Congress has told us in no uncertain terms that it is “no.” Any ambiguity must be resolved in favor of immunity. Abrogation of tribal sovereign immunity may not be implied. Of course Meyers wants us to focus on whether the Oneida Tribe is a government so that we might shoehorn it into FACTA‘s statement that defines liable parties to include “any government.” But when it comes to sovereign immunity, shoehorning is precisely what we cannot do. Congress’ [s] words must fit like a glove in their unequivocality. It must be said with “perfect confidence” that Congress intended to abrogate sovereign immunity and “imperfect confidence will not suffice.” Congress has demonstrated that it knows how to unequivocally abrogate immunity for Indian Tribes. It did not do so in FACTA.

Id. at 826-27 (internal citations omitted).

The same logic in Meyers applies with respect to the United States. The “real question” in this sovereign immunity appeal is not whether the United States is a government; it is whether Congress explicitly waived sovereign immunity or the United States can claim immunity from suit. Having considered the structure of the FCRA as a whole, we cannot say with “perfect confidence” that Congress meant to abrogate the federal government‘s sovereign immunity. And because “[a]ny ambiguities in the statutory language are to be construed in favor of immunity,” Daniel‘s suit was properly dismissed. See Cooper, 566 U.S. at 290.¹⁰

B. THE LEGISLATIVE HISTORY OF THE FCRA IS CONSISTENT WITH OUR INTERPRETATION

During passage of the FCRA and every amendment, Congress never considered subjecting the federal government to liability in suits like the one filed by Daniel. Thus, the legislative history “confirms what we have concluded from the text alone.” Mohamad v. Palestinian Auth., 566 U.S. 449, 460 (2012); see Al-Haramain, 705 F.3d at 852 (considering legislative history to buttress a textual conclusion that a statute does not waive sovereign immunity).

In 1970, Congress passed the Fair Credit Reporting Act, Pub. L. No. 91-508, tit. II, 84 Stat. 1127 (the “original FCRA“). The original FCRA included the definition of “person” that remains today. § 603, 84 Stat. at 1128. The law did not impose civil liability on “any person” for noncompliance with the FCRA; rather, civil suits for “any actual damages,” punitive damages, costs and attorneys’ fees were authorized against “[a]ny consumer reporting agency or user of information” who willfully violated the Act. § 616, 84 Stat. at 1134; see also § 617, 84 Stat. at 1134 (imposing civil liability on “[a]ny consumer reporting agency or user of information” who negligently violated the Act).

The original FCRA did, however, impose criminal fines or imprisonment on “[a]ny person who knowingly and willingly obtains information on a consumer from a consumer reporting agency under false pretenses.” § 619, 84 Stat. at 1134. It would be “patently absurd” to divine that Congress intended to waive sovereign immunity for the sole purpose of imposing criminal sanctions on the United States in the original FCRA. See Al-Haramain, 705 F.3d at 854.

Fast forward to 1996, the Consumer Credit Reporting Reform Act, Pub. L. No. 104-208, §§ 2401-52, 110 Stat. 3009-426-62 (the “1996 Act“), expanded the scope of the FCRA‘s civil damages provisions in four ways relevant to this appeal. The 1996 Act replaced the “any consumer reporting agency” language in the original FCRA with “[a]ny person who fails to comply with any provision of this title with respect to any other person shall be liable ...” § 2412, 110 Stat. at 3009-446 (codified at 15 U.S.C. §§ 1681n, 1681o) (emphasis added). It added statutory damages of between $100 and $1,000 as an alternative to “any actual damages” for each willful violation of the FCRA. Id. (codified at 15 U.S.C. § 1681n). It authorized the Federal Trade Commission to bring civil actions to recover penalties from “any person” who violates the FCRA. § 2416, 110 Stat. at 3009-450 (codified at 15 U.S.C. § 1681s).¹¹ And, it authorized states to seek damages from “any person” who violates the FCRA under certain circumstances. § 2417, 110 Stat. at 3009-451 (codified at 15 U.S.C. § 1681s).

Despite the 1996 Act‘s levy of substantial potential liability on “person[s],” Congress never once mentioned exposing the federal fisc to the same liability. See, e.g., H.R. Rep. No. 103-486, at 49 (1994) (the enforcement provisions target “banks” and “retailers“).¹² To the contrary, Congressional Budget Office analyses of prior versions of the 1996 Act—which also imposed civil liability on “person[s]“—did not anticipate any costs from defending the federal government against private suits. See id. at 62–63; S. Rep. No. 103-209, at 32-34 (1994); H.R. Rep. No. 102-692, at 45-46 (1992). The lack of any reference to potential federal liability is particularly glaring given the federal government‘s role as the nation‘s largest employer, lender, and creditor, and its corresponding vulnerability to suit under the new FCRA provisions.

In 2003, Congress enacted FACTA, Pub. L. No. 108-159, 117 Stat. 1952, which added various prohibitions to the FCRA including the expiration date requirement at issue here. See § 113, 117 Stat. at 1959–60 (codified at 15 U.S.C. § 1681c(g)). FACTA did not amend the FCRA‘s statutory definition of “person” or its provisions related to civil suits, damages, and federal and state enforcement of the law.

Like the 1996 Act, FACTA‘s legislative history establishes that the receipt prohibitions were directed toward “businesses” or “merchants” that accept credit and debit cards, not the federal government. See S. Rep. No. 108-166, at 12 (2003). In fact, the Congressional Budget Office report on FACTA refers to the receipt requirements as a “private-sector mandate” without reference to any cost to the U.S. government. Id. at 28-30.

Taken together, the legislative history demonstrates that Congress never considered extending the enforcement provisions of the FCRA to the federal government. Rather than “specifically consider” sovereign immunity in crafting the enforcement provisions, Congress “legislate[d] on a sensitive topic inadvertently or without due deliberation” when it used “person.” Sossamon, 563 U.S. at 290–91. The explicit waiver rule exists to prevent such inadvertent drafting from exposing the United States to liability. Id.

Daniel‘s suit fails because the Park Service is immune from suit. No amendment of the complaint could remedy the absence of a clear waiver of sovereign immunity in the FCRA.

AFFIRMED.

Notes

1

The district court did not address the second issue raised in the Park Service‘s motion—whether Daniel pled sufficient facts to maintain an action under the FCRA.

2

Daniel alleged that the Park Service printed a merchant copy of the receipt. But since the merchant copy did not contain the card‘s expiration date, such a receipt does not make Daniel‘s stolen identity any more “traceable” to the Park Service‘s violation of the FCRA.

3

Although Sossamon concerns state sovereign immunity, the Court acknowledged that it was applying federal sovereign immunity principles. 563 U.S. at 285 n.4.

4

We use “FCRA” where “FCRA” or “FACTA” could be used interchangeably.

5

The closest analog we found—and not just because the statute bears a similar acronym—is the Resource Conservation and Recovery Act (“RCRA“), 42 U.S.C. § 6901 et seq. Like the FCRA, RCRA provides for broad remedies against “any person” who violates the Act, authorizes citizen suits against “any person” who violates the Act, and deputizes the Environmental Protection Agency (“EPA“) to enforce compliance orders against “any person” who violates the Act. Id. §§ 6928, 6972.

The similarities end there. Although RCRA‘s statutory definition of “person” explicitly includes “the United States,” id. § 6903(15), RCRA also contains a separate section specifically directed at violations of the Act by the federal government and provides a clarion waiver of sovereign immunity. See id. § 6961(a) (“Each department, agency, and instrumentality of ... the Federal Government ... shall be subject to ... such sanctions as may be imposed by a court to enforce such relief . . . in the same manner, and to the same extent, as any person is subject to such requirements . . .. The United States hereby expressly waives any immunity otherwise applicable to the United States . . ..). Even as RCRA authorizes EPA enforcement actions against other federal agencies, it establishes a more collaborative procedure that recognizes the unique posture of one agency punishing another for violations of federal law: the EPA and the violating agency must “confer” before an enforcement order becomes final. Id. § 6961(b).

6

Assessment of punitive damages in this section cuts both ways. It demonstrates that Congress was willing to impose punitive damages on the United States in the FCRA. At the same time, it shows that when Congress intends to impose this rare liability on the United States, Congress does so explicitly.

7

The definition of “person” in the Clean Water Act more clearly excludes the United States than does the definition in the FCRA. See 33 U.S.C. § 1362(5) (“The term ‘person’ means an individual, corporation, partnership, association, State, municipality, commission, or political subdivision of a State, or any interstate body.“). The definition in RCRA, however, expressly includes the United States. See 42 U.S.C. § 6903(15) (“The term ‘person’ means an individual, trust, firm, joint stock company, corporation (including a government corporation), partnership, association, State, municipality, commission, political subdivision of a State, or any interstate body and shall include each department, agency, and instrumentality of the United States.” (emphasis added)). RCRA‘s definition of “person” and its explicit waiver of the United States government‘s sovereign immunity suggest that Congress did not waive sovereign immunity in the FCRA. And if the comparison between the provisions of RCRA and the Clean Water Act and those of the FCRA muddies the water, it simply underscores that Congress knows how to expressly waive immunity when it wants to do so.

8

The Seventh Circuit traveled a long and twisted path in reaching its conclusion. A panel of the court first held that the United States is subject to suits like this one because of the sovereign immunity waiver contained in the Tucker Act, 28 U.S.C. § 1346. See Talley v. U.S. Dep‘t of Agric., 595 F.3d 754, 759 (7th Cir. 2010). The court then granted rehearing en banc, vacated the panel opinion, and affirmed the district court‘s dismissal on sovereign immunity grounds by an equally divided court. See No. 09-2123, 2010 WL 5887796 (7th Cir. Oct. 1, 2010). Soon after, another decision endorsing the Tucker Act theory worked its way to the Supreme Court by way of the U.S. Court of Appeals for the Federal Circuit, which hears Tucker Act appeals. United States v. Bormes, 568 U.S. 6 (2012). The Supreme Court unanimously rejected the Tucker Act theory and remanded Bormes to the Seventh Circuit—because the Federal Circuit no longer had jurisdiction—to consider whether the remedial provisions of the FCRA contain an unequivocal waiver of sovereign immunity. Id. at 20.

9

We observe that “identical language may convey varying content when used in different statutes, sometimes even in different provisions of the same statute.” See Yates v. United States, 135 S. Ct. 1074, 1082 (2015) (collecting cases). What is more, “Congress is free to waive the Federal Government‘s sovereign immunity against liability without waiving its immunity from monetary damages awards.” Lane, 518 U.S. at 196.

10

We cannot “expand [the FCRA‘s] abrogation of immunity” beyond that which is unequivocally expressed. Michigan v. Bay Mills Indian Cmty., 134 S. Ct. 2024, 2034 (2014). Under our reading, the FCRA authorizes money damages against the government only where the “United States” is explicitly referenced in § 1681u(j).

11

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, 124 Stat. 1376, shared authority to initiate such civil actions with the Consumer Financial Protection Bureau. See § 1088(a)(10), 124 Stat. at 2090 (codified at 15 U.S.C. § 1681s(b)(1)(H)).

12

The Seventh Circuit considered the absence of legislative history about waiving sovereign immunity in the 1996 Act “unsurprising” because Congress already had waived sovereign immunity in the original FCRA. Bormes, 759 F.3d at 795. The infirmity of this reasoning is that the original FCRA subjected “person[s]” to only criminal liability, which Congress never would have thought applied to the United States.

*

This summary constitutes no part of the opinion of the court. It has been prepared by court staff for the convenience of the reader.

Case Details

Case Name: Stephanie Daniel v. National Park Service

Court Name: Court of Appeals for the Ninth Circuit

Date Published: May 30, 2018

Citation: 891 F.3d 762

Docket Number: 16-35689

Court Abbreviation: 9th Cir.