Baysal v. Midvale Indemnity Co., No. 22-1892 (7th Cir. 2023)
Annotate this Case
Justia Opinion Summary
Want to stay in the know about new opinions from the Seventh Circuit US Court of Appeals?
Sign up for free summaries delivered directly to your inbox. Learn More ›
You already receive new opinion summaries from Seventh Circuit US Court of Appeals. Did you know we offer summary newsletters for even more practice areas and jurisdictions? Explore them here.
Midvale created an “instant quote” feature on their websites. Anyone who supplied basic identifying information could receive a quote for auto insurance. Each site would auto-fill some information, including the number of the applicant’s driver’s license. Anyone could enter a stranger’s name and home address, which caused the form to disclose the number of the stranger’s driver’s license. Midvale discontinued the autofill feature after observing unusual activity suggesting misuse, and notified people whose information had been disclosed improperly. Three people who received Midvale’s notice filed a purported class action under the Driver’s Privacy Protection Act, 18 U.S.C. 2721–25.
The district court held that the plaintiffs lacked standing, having failed to show a concrete injury traceable to the disclosure. The Seventh Circuit affirmed, noting that whether the Act applies at all is questionable. Its principal rule is directed to state officials rather than private actors. A driver’s-license number is not potentially embarrassing or an intrusion on seclusion. It is a neutral fact derived from public records, a fact legitimately known to many private actors and freely revealed to banks, insurers, hotels, and others. Plaintiffs have not plausibly alleged that Midvale’s disclosure of their numbers caused them any injury, and the disclosure of a number in common use by both public and private actors does not correspond to any tort.
Download PDF
In the United States Court of Appeals For the Seventh Circuit ____________________ No. 22-1892 ALP BAYSAL, THOMAS MAXIM, and SANDRA ITALIANO, Plaintiffs-Appellants, v. MIDVALE INDEMNITY COMPANY and AMERICAN FAMILY MUTUAL INSURANCE COMPANY, S.I., Defendants-Appellees. ____________________ Appeal from the United States District Court for the Western District of Wisconsin. No. 21-cv-394-wmc — William M. Conley, Judge. ____________________ ARGUED JANUARY 12, 2023 — DECIDED AUGUST 22, 2023 ____________________ Before SYKES, Chief Judge, and EASTERBROOK and RIPPLE, Circuit Judges. EASTERBROOK, Circuit Judge. Midvale Indemnity and American Family Mutual (collectively Midvale) created an “instant quote” feature on their websites. Anyone who supplied basic identifying information could receive a quote for auto insurance. To simplify this process, each site would auto- 2 No. 22-1892 ll some information, including the number of the applicant’s driver’s license. Problem: anyone could enter a stranger’s name and home address, which would lead the form to disclose the number of the stranger’s driver’s license. Midvale discontinued the auto ll feature after observing unusual activity suggesting misuse, and it noti ed people whose information had been disclosed improperly. Three people who received Midvale’s notice then led this suit under the Driver’s Privacy Protection Act, 18 U.S.C. §§ 2721–25 (DPPA or the Act), and state negligence law. Plainti s style themselves as class representatives, but a class was not certi ed, so we treat this as an individual suit. Whether the Act applies at all is questionable. Its principal rule is directed to state o cials rather than private actors. 18 U.S.C. §2721(a). If an insurer obtains drivers’ information from a state under §2721(b)(6), then dissemination of that information is limited by §2721(c). This record does not reveal how Midvale came by the information. The district court did not address the merits, because it concluded that the three plainti s have not been injured and therefore lack standing to sue. 2022 U.S. Dist. LEXIS 71414 (W.D. Wis. Apr. 19, 2022). The judge recognized that people injured by leaked or hacked data can have standing. See Die enbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). But all of these decisions hold that litigants must show concrete injury traceable to the disclosure. The district judge concluded that plainti s had not done so. For example, Remijas holds that the need to pay for a credit-monitoring service is a form of injury because the cost No. 22-1892 3 is money out of pocket. Similarly, loss of access to a credit card for even a few days is an injury. One of our three plainti s asserts that she paid for a credit-monitoring service, and another contends that a fraudulent brokerage account was opened in his name, but the district judge observed that neither the complaint nor any of the other papers shows how these events can be traced to the disclosure of drivers’-license numbers. Social Security numbers can be used to open brokerage accounts, but drivers’-license numbers cannot. Likewise with credit cards—and if a driver’s-license number cannot be used to obtain credit in someone else’s name, what’s the point of credit monitoring? That step entails expense, but the expense does not stem from the asserted wrong. Plainti s try to bridge this gap by contending that the disclosure caused worry and anxiety, which led to other steps such as credit monitoring. Yet we have held that worry and anxiety are not the kind of concrete injury essential to standing. E.g., Wadsworth v. Kross, Lieberman & Stone, Inc., 12 F.4th 665, 668–69 (7th Cir. 2021); Gunn v. Thrasher, Buschmann & Voelkel, P.C., 982 F.3d 1069, 1071–72 (7th Cir. 2020). If they were, almost everyone could litigate about almost anything, because just about everything anyone does causes some other people to fret. Imagine someone who asserts: “The disclosure of my license number made me sad, and to cheer myself up I ate a chocolate bar.” The price of candy would be money out of pocket, but eating chocolate is not a normal consequence of disclosures except through the bridge of worry. The cost of a credit-monitoring service is no di erent, when the disclosed information does not facilitate credit-related frauds. As the Supreme Court put it in Clapper v. Amnesty International USA, 568 U.S. 398, 416 (2013): 4 No. 22-1892 “Respondents’ contention that they have standing because they incurred certain costs as a reasonable reaction to a risk of harm is unavailing—because the harm respondents seek to avoid is not certainly impending. In other words, [people] cannot manufacture standing merely by in icting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” On appeal, plainti s stress one possibility that the district judge did not mention: they say that bogus unemploymentinsurance claims were led in New York in the names of two plainti s. A phony claim could cause injury—having a fraud attributed to one’s name could a ect a credit rating or make it harder to obtain unemployment compensation following the real loss of a job. Plainti s do not contend, however, that either of these things happened to them. Nor do they contend that knowledge of a driver’s-license number could facilitate such a bogus claim, or indeed that New York State asked for a claimant’s driving information. The complaint is silent on these matters, and at oral argument counsel for the plainti s conceded that she had never looked at the application form New York uses for unemployment bene ts and does not know what role, if any, a driver’s-license number plays. Yet a suit fails for lack of standing unless the complaint plausibly alleges concrete injury caused by the asserted wrong. See, e.g., Department of Education v. Brown, 143 S. Ct. 2343 (2023). This complaint does not do so. If a license number could have contributed to an unemployment-insurance scam under the complaint’s allegations, then we would need an evidentiary hearing to learn whether it did contribute, to plainti s’ detriment (and whether the number came from Midvale rather than some other source)—for No. 22-1892 5 standing must be demonstrated as well as alleged. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992). But plainti s’ complaint did not allege any link between drivers’ licenses and unemployment-compensation applications in New York, so a hearing is unnecessary. We do not doubt that it is possible in principle for drivers’-license numbers to play a role in unemployment insurance, and it may have been prudent for Midvale to warn plainti s about this possibility. But a possible route for a loss does not su ce for standing; the complaint must allege that what is possible actually happened or was “certainly impending”. That’s Clapper’s main holding. Plainti s’ submission boils down to an assertion that there might be a connection. Guesswork of that kind is not enough, however; the injury must be traceable to the asserted wrong and likely rather than speculative. Lujan, 504 U.S. at 560–61. Plainti s’ complaint does not even try to explain how, if at all, New York uses a driver’s-license number in acting on requests for unemployment compensation. (What other states may do is neither here nor there for our plainti s.) New York State may have su ered a concrete injury when it had to devote resources to nding and denying false claims (our plainti s do not allege that the bogus claims in their names were allowed), but New York’s loss does not supply a footing for plainti s’ standing. Only injury to plainti s counts. Perhaps anticipating that we would reach this conclusion, plainti s maintain that a violation of the Act is enough by itself to establish standing, because Congress provided for an award of “liquidated damages” when actual damages cannot be shown. 18 U.S.C. §2724(b)(1). This line of argument, though, is incompatible with many decisions, including TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021); Spokeo, Inc. 6 No. 22-1892 v. Robins, 578 U.S. 330 (2016); and Summers v. Earth Island Institute, 555 U.S. 488, 496–97 (2009). See also United States v. Texas, 143 S. Ct. 1964 (2023) (no standing despite the Court’s assumption that the defendant had violated a statute). Spokeo and TransUnion reject the proposition that Congress can create standing just by requiring payment in the absence of an injury. These decisions add, however, that courts must respect a legislative determination that concrete harms need remedies. The Act does not identify any particular compensable harm (§2724(b)(1) refers to “actual damages” but does not enumerate them). TransUnion and Spokeo say that, in this situation, courts should inquire whether what the plainti asserts as injury has a historical or common-law analog. So we ask: Does any state make disclosure of a driver’slicense number tortious? Not that we can see (and not that plainti s have found). Between the invention of the motor car in the nineteenth century and the adoption of the Act in 1994, license numbers were freely available from many sources, including states’ departments of motor vehicles. Even after the Act directed states to limit the dissemination of information about drivers (“limit,” not “forbid”; the Act has a long list of exceptions in §2721(b)), many businesses—not just insurers such as Midvale—continued to require it. Auto-rental companies won’t hand over a car without this information; banks may seek copies of drivers’ licenses to open accounts; hotels require them to check in; many hospitals and medical practices demand them; and the normal way to get onto an airplane is to present a driver’s license and step through a metal detector. Drivers’ licenses often are used as ID for voting, and a voter’s registration may be linked to the license through the No. 22-1892 7 motor-voter process. (Section 5 of the National Voter Registration Act, 52 U.S.C. §20504.) Many people thus know the numbers on strangers’ licenses. A license number is not viewed as embarrassing (as a low grade point average or a poor credit score would be) or private (as medical details are) but as neutral: most adults have these numbers, which are neither good nor bad. Social Security numbers are unique personal identi ers that can be used for identity theft, but license numbers change over time as people move to di erent states or licenses are renewed. When TransUnion spoke of “reputational harms, disclosure of private information, and intrusion upon seclusion” (141 S. Ct. at 2204) as examples of situations in which the common law often provided redress, the Court had in mind the sort of potentially embarrassing or intimate details we have mentioned. License numbers are not in that set. Since TransUnion was decided, we have classi ed many potential disclosures on one side of the Court’s divide or another. For example, Ewing v. MED-1 Solutions, LLC, 24 F.4th 1146 (7th Cir. 2022), holds that a credit report’s failure to disclose the disputed status of a debt amounts to the release of false information, analogous to the tort of defamation. Cothron v. White Castle System, Inc., 20 F.4th 1156 (7th Cir. 2021), treats unlawful collection and disclosure of biometric information as equivalent to the tort of trespass—while explaining that some other violations of the Illinois Biometric Privacy Act are not actionable in federal court because the injury is neither concrete nor similar to a tort. Persinger v. Southwest Credit Systems, L.P., 20 F.4th 1184 (7th Cir. 2021), holds that obtaining a propensity-to-pay score (in a credit report) without a permissible purpose is akin to the crime of wrongfully opening 8 No. 22-1892 someone else’s mail to obtain derogatory information and can be classed with the tort of wrongful intrusion on seclusion. But other credit-related events lack common-law analogs and do not support standing. See, e.g., Pierre v. Midland Credit Management, Inc., 29 F.4th 934 (7th Cir. 2022) (sending a deceptive debt-collection letter); Wadsworth, 12 F.4th 665 (failing to provide a debtor with required notice). See also Dinerstein v. Google, LLC, 73 F.4th 502 (7th Cir. 2023) (disclosure of anonymous medical records is not analogous to any tort); Choice v. Kohn Law Firm, S.C., No. 21-2288 (7th Cir. Aug. 11, 2023) (same with contradictory statements about attorneys’ fees). Plainti s have pointed to only one decision after TransUnion in which a court found standing for persons complaining about a violation of the Driver’s Privacy Protection Act: Garey v. James S. Farrin, P.C., 35 F.4th 917 (4th Cir. 2022). That decision illustrates the need to be precise when thinking about invasion of privacy. Plainti s in Garey alleged that the defendants disclosed, not license numbers, but home addresses, which attorneys then used to send unsolicited ads. As in junkfax and robocall cases, the analogous tort is intrusion on seclusion. Our plainti s, by contrast, do not allege that any of the information that Midvale leaked has had a similar result. We have explained why a driver’s-license number is not potentially embarrassing or an intrusion on seclusion. It is a neutral fact derived from a public records system, a fact legitimately known to many private actors and freely revealed to banks, insurers, hotels, and others. Plainti s have not plausibly alleged that Midvale’s disclosure of their numbers caused them any injury, and the disclosure of a number in common use by both public and private actors does not correspond to any tort. It follows that plainti s lack standing to sue, and No. 22-1892 9 plainti s who lack standing cannot receive either damages or an injunction. AFFIRMED. 10 No. 22-1892 RIPPLE, Circuit Judge, dissenting. The panel affirms the district court’s dismissal of the plaintiffs’ claims for lack of standing. Because the plaintiffs plausibly alleged injuries in fact that are fairly traceable to the insurance companies, I respectfully dissent. The majority opinion commits at least three errors. The opinion first fails to grapple with the substance of the plaintiffs’ complaint and brushes aside the most natural inferences to be drawn from their allegations. Then, it continues down our court’s ill-advised march to restructure standing doctrine, and in particular the concrete-injury analysis for statutory claims, in ways that move far beyond the Supreme Court’s guidance. Finally, the opinion fails to address the plaintiffs’ standing to seek injunctive relief. I begin with the question of concreteness and statutory rights under recent Supreme Court precedent. I then turn to the sufficiency of the pleadings and, finally, to the request for injunctive relief. I A The law of standing is rooted in Article III’s case-or-controversy requirement and in the Constitution’s scheme of separated powers. Raines v. Byrd, 521 U.S. 811, 818–20 (1997); Lujan v. Defs. of Wildlife, 504 U.S. 555, 559–60 (1992). By limiting federal courts to adjudicating legal disputes between parties with genuine stakes in the matter, standing doctrine aims to prevent the judiciary from straying into open-ended policy concerns that the Constitution reserves to the executive and legislative branches of the Government. Lujan, 504 U.S. at 576–78; Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). No. 22-1892 11 To enforce the case-or-controversy requirement, the Supreme Court has instructed federal courts to apply the familiar three-part test of injury in fact, causation, and redressability. See Spokeo, 578 U.S. at 338. The present case centers on the injury-in-fact requirement and in particular on the requirement that an injury be concrete. In Spokeo, the Court explained that a concrete injury “must be ‘de facto’; that is, it must actually exist.” Id. at 340. In other words, an injury must be “real” rather than “abstract.” Id. “‘Concrete’ is not, however, necessarily synonymous with ‘tangible.’” Id. “Various intangible harms can also be concrete. Chief among them are injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.” TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2204 (2021). A difficult and recurring theme in standing jurisprudence is the significance of congressional action. The Supreme Court has gone to some lengths to explain what bearing Congress’s creation of a statutory right and cause of action has on the standing analysis. Its basic teaching is that Congress may “elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law,” Lujan, 504 U.S. at 578, but it may not “‘enact an injury into existence,’” TransUnion, 141 S. Ct. at 2205 (quoting Hagy v. Demers & Adams, 882 F.3d 616, 622 (6th Cir. 2018)). In sum, the Supreme Court has told us that the violation of a statutory right is not always sufficient to establish standing. Spokeo, 578 U.S. at 341. Rather, when a federal court assesses a plaintiff’s standing to sue to vindicate a statutory right, it must assure itself that a concrete injury beyond a bare statutory violation exists. TransUnion, 141 S. Ct. at 2205. 12 No. 22-1892 When the violation of a plaintiff’s statutory rights entails a tangible injury to the plaintiff, the injury is plainly adequate to confer standing. But when the injury allegedly attending a statutory violation is intangible, the Supreme Court has told us, our assessment of concreteness must look to “both history and the judgment of Congress.” Spokeo, 578 U.S. at 340. Under the historical prong, we ask whether the claimed injury has “a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.” TransUnion, 141 S. Ct. at 2204. The identification of a historical or common-law analog will be useful to demonstrate the concreteness of the alleged injury, but, as the Court has made clear, we are not looking for “an exact duplicate.” Id. at 2209. We are looking, simply, for injuries that are similar in kind, but not necessarily in degree, to the plaintiff’s alleged injury. Gadelhak v. AT&T Servs., Inc., 950 F.3d 458, 462 (7th Cir. 2020); Ewing v. MED-1 Solutions, LLC, 24 F.4th 1146, 1151 (7th Cir. 2022). Our assessment of the concreteness of an alleged injury must also consider the judgment of Congress, which, after all, enjoys the constitutional authority to define the jurisdiction of the federal courts and “to create statutory rights and obligations.” Ewing, 24 F.4th at 1151. As our polity changes and becomes more complex, “Congress is well-positioned to identify intangible harms that meet minimum Article III requirements,” Spokeo, 578 U.S. at 341, and “we must be sensitive to the articulation of new rights of action that do not have clear analogs in our common-law tradition,” Lujan, 504 U.S. at 580 (Kennedy, J., concurring in part and concurring in the judgment). The legislative function, as conceived by our Constitution, vests in Congress the responsibility and the authority “‘to define injuries and articulate chains of causation that will give rise to a case or controversy where none existed before.’” No. 22-1892 13 Spokeo, 578 U.S. at 341 (quoting Lujan, 504 U.S. at 580 (Kennedy, J., concurring in part and concurring in the judgment)). B History and congressional judgment both make clear that the plaintiffs’ alleged statutory injuries are adequately concrete to establish Article III standing. The plaintiffs allege a violation of their rights under the Driver’s Privacy Protection Act (“DPPA”), 18 U.S.C. §§ 2721–25, which “regulates the disclosure of personal information contained in the records of state motor vehicle departments.” Reno v. Condon, 528 U.S. 141, 143 (2000). Specifically, they claim that, in allowing their driver’s license numbers to be accessed improperly by strangers, the insurance companies violated their right not to have their “personal information[] from a motor vehicle record” “disclose[d]” for unauthorized purposes. 18 U.S.C. § 2724(a); see also id. § 2722(a) (making it “unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted” by the statute). 1 1 The majority opinion suggests that the DPPA may not be applicable here at all because “[i]ts principal rule is directed to state officials rather than private actors” and insurance companies are subject to it only to the extent that they obtained the driver’s license numbers from state agencies. Majority Op. 2. At this stage, I see no grounds for this speculation on the merits of the plaintiffs’ claims. The majority states that “[t]his record does not reveal how [the companies] came by the information.” Id. Of course, at the pleading stage, we are looking at a complaint, not an evidentiary record. And, indeed, the complaint expressly alleged that the insurance companies “obtain motor vehicle records directly from state agencies or through resellers who sell such records.” R.27 ¶ 103. To the extent the companies’ conduct comes within the scope of the DPPA, they can be held liable under § 2724(a)’s private right of action, which applies to “[a] person who 14 No. 22-1892 1 Consider first Congress’s action. In enacting the DPPA, Congress acted on its legislative judgment that certain disclosures, sales, and uses of personal information in motor vehicle records were causing serious harms to the American public. Congress saw a need “to protect the personal privacy and safety of all American licensed drivers.” 140 Cong. Rec. 7929 (1994) (statement of Rep. Porter Goss). The statute accordingly has “a chief aim of privacy protection” and is “predominantly … a public safety measure.” Senne v. Vill. of Palatine, 695 F.3d 597, 606–07 (7th Cir. 2012) (en banc). The legislative history reveals that “safety and security concerns associated with excessive disclosures of personal information held by the State in motor vehicle records were the primary issue to be remedied by the legislation.” Id. at 607. As the sponsor of the bill, Representative Moran, emphasized, with “[a]dvances in technology,” personal information can be accessed “with the click of a button,” making it all the “more important that safeguards are in place to protect personal information.” Protecting Driver Privacy: Hearing on H.R. 3365 Before the Subcomm. on Civ. & Const. Rts. of the H. Comm. on the Judiciary, 1994 WL 2 212698 (Feb. 4, 1994) (statement of Rep. James P. Moran). Made freely available to an individual with malicious intent, knowingly” engages in conduct that violates the statute. See also § 2725(2) (“‘person’ means an individual, organization or entity”). 2 Representative Moran further observed that disclosure of personal information even to relatively harmless recipients like marketers “present[s], to some people, an invasion of privacy.” Hearing on H.R. 3365, 1994 WL 212698. He accordingly urged Congress to adopt the legislation to “reaffirm that privacy is … a basic human right to which every person is entitled.” Id. No. 22-1892 15 an address, phone number, photograph, or driver’s license number, see § 2725(3), can pose problems for the subject of the information—problems ranging from simple annoyance and irritation to serious harms such as stalking, threats, fraud, or physical violence. Cf. Senne, 695 F.3d at 609 (“The possibilities for identity theft are obvious.”). Recognizing that “open access to” personal information can be a resource to bad actors, with “grave consequences” to the subjects of the information, Congress determined that it was appropriate to impose restrictions on the disclosure and sale of information contained in motor vehicle records. Id. at 607. Its decision to make persons who flout the substantive restrictions of the DPPA subject to civil actions by affected individuals was within its sound discretion to regulate interstate commerce. See Condon, 528 U.S. at 148 (“[The] sale or release [of drivers’ information] into the interstate stream of business is sufficient to support congressional regulation.”). In providing a cause of action for such harms, Congress acted within its powers to “‘define [an] injur[y] and articulate [a] chain[] of causation that will give rise to a case or controversy where none existed before.’” Spokeo, 578 U.S. at 341. Congress’s judgment on this matter, in other words, is highly “‘instructive’” for our consideration of the concreteness of the alleged injury. TransUnion, 141 S. Ct. at 2204 (quoting Spokeo, 578 U.S. at 341). We “must afford due respect to Congress’s decision to impose a statutory prohibition or obligation on a defendant, and to grant a plaintiff a cause of action to sue over the defendant’s violation of that statutory prohibition or obligation.” Id. The majority opinion, however, has little to say about the place of legislative judgment in the standing analysis. Rather, 16 No. 22-1892 the majority opinion seems to rest on its own impressionistic surmise about the public character of driver’s license numbers, the lack of any expectation of privacy in this information, and the general harmlessness of disclosure of this information. See Majority Op. 5–7. Common everyday experience casts doubt on these personal impressions. But, accurate or not, such conclusions are the prerogative and responsibility of Congress, not a panel of a court of appeals. By failing to recognize and respect Congress’s legislative authority, we undermine the very purpose of standing law—preserving the separation of powers—and “effect[] a direct and complete frustration of Congress’s attempt to regulate commerce in the manner that it has chosen.” Markakos v. Medicredit, Inc., 997 F.3d 778, 783 (7th Cir. 2021) (Ripple, J., concurring). It is enough that this injury is real and that, even if it may have been “previously inadequate in law,” Congress has chosen to “elevat[e]” it to a “legally cognizable” injury. Lujan, 504 U.S. at 578; see also Ewing, 24 F.4th at 1151 (“Congress may elevate de facto injuries that once were thought to be insufficiently injurious to form the basis of a federal lawsuit … .”); Carey v. James S. Farrin, P.C., 35 F.4th 917, 921 (4th Cir. 2022) (a plaintiff who identifies a historical or common-law analog for his injury “has standing even if the precise injury would not, absent the statute, be sufficient for Article III standing purposes”). 2 Congress’s judgment on this matter does not stand, moreover, unsupported by history. To the contrary, in enacting the DPPA cause of action, Congress has authorized us to provide a remedy for violations of a statutory right that cause intangible injuries “with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American No. 22-1892 17 courts.” TransUnion, 141 S. Ct. at 2204. TransUnion’s examples of traditional intangible injuries are highly suggestive in this case: “reputational harms, disclosure of private information, and intrusion upon seclusion.” Id. The common-law analog that immediately comes to mind in this case is the tort of invasion of privacy. Cf. U.S. Dep’t of Just. v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 763 (1989) (“[B]oth the common law and the literal understandings of privacy encompass the individual’s control of information concerning his or her person.”). A claim for invasion of privacy can proceed under one of four basic theories, the most relevant of which is unreasonable publicity given to private life. Restatement (Second) of Torts §§ 652A, 652D (Am. L. Inst. 1977). Under this invasion-of-privacy theory, a defendant is liable for “g[iving] publicity to a matter concerning the private life of another … if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.” Id. § 652D. The injury recognized by this common-law tort is analogous to the injury Congress elevated to legally cognizable status in the DPPA: the unwanted and unauthorized disclosure of information that tends to be held privately. It may well be that, as a matter of tort law, disclosure of a driver’s license number would not likely suffice to make out an invasion-of-privacy claim. But that observation is of no moment: “[A]n exact duplicate [injury] in American history and tradition” is not required. TransUnion, 141 S. Ct. at 2204; see also Persinger v. Southwest Credit Sys., L.P., 20 F.4th 1184, 1192 (7th Cir. 2021) (“Whether Persinger would prevail in a lawsuit for common law invasion of privacy is irrelevant. It is enough to say that the harm alleged in her complaint resembles 18 No. 22-1892 the harm associated with intrusion upon seclusion.” (emphasis added) (footnote omitted)). Indeed, the Supreme Court hardly could have been clearer on this point when it recognized as sufficiently concrete an injury that plainly lacked an essential element of the analog tort. See TransUnion, 141 S. Ct. at 2209 (“[T]he harm from a misleading statement of this kind bears a sufficiently close relationship to the harm from a false and defamatory statement.” (emphases added)). What we must look for is a “‘close relationship’ in kind, not degree,” to a common-law analog. Gadelhak, 950 F.3d at 462 (quoting Spokeo, 578 U.S. at 341). The unwanted and improper disclosure of personal information, such as a driver’s license number, represents an injury that is similar in kind to the tort of invasion of privacy. As the Supreme Court has recognized, “private” is often a characterization of degree: “In an organized society, there are few facts that are not at one time or another divulged to another. Thus the extent of the protection accorded a privacy right at common law rested in part on the degree of dissemination of the allegedly private fact … .” Reporters Comm. for Freedom of the Press, 489 U.S. at 763 (footnote omitted). In providing a cause of action for statutory violations that entail disclosure of information that sits along the general spectrum of “private,” Congress has elevated to legally cognizable status the kind of harm that “traditionally … provid[ed] a basis for lawsuits in American courts,” a harm “associated with the tort of” invasion of privacy. TransUnion, 141 S. Ct. at 2208. The majority opinion declines to pursue any analysis along these lines. Instead, the majority opinion revises the standard that the Supreme Court has said must guide our inquiry: Despite the Court’s admonition not to seek “an exact No. 22-1892 19 duplicate” to the harm alleged by the plaintiffs, the majority opinion suggests that the standard, in fact, is just that. In the majority’s view, the analysis in this case comes down to one question: “Does any state make disclosure of a driver’s license number tortious?” Majority Op. 6. As the foregoing discussion makes clear, the operative standard under the Supreme Court’s case law is not whether state tort law covers the precise harm underlying the plaintiffs’ statutory claim. Indeed, if that were the standard, one would be left to wonder what was left of Congress’s legislative power to define the rights and remedies to be had in the courts of the United States; Congress would seem to be left to operate within the strictures of the pre-statutory common law, unable to move beyond those boundaries to recognize the new and evolving harms experienced by the American people. Cf. Krakauer v. Dish Network, L.L.C., 925 F.3d 643, 653–54 (4th Cir. 2019) (explaining that Spokeo did not endorse a project of “judicial grafting” in which courts must “import the elements of common law torts, piece by piece, into any scheme Congress may devise”). The proper inquiry is, instead, whether “the harm alleged in [the] complaint resembles the harm associated with” a traditionally recognized basis for suit. Persinger, 20 F.4th at 1192 (emphasis added). Moreover, the majority’s belief that disclosure of driver’s license numbers is ultimately a trivial matter is misguided. Logically, it does not follow from the fact that driver’s license numbers must be disclosed to some businesses, hotels, hospitals, or airport security agencies that individuals are indifferent to the indiscriminate disclosure of this information or to its disclosure to actors who deliberately seek it with malicious intent. A driver’s license number is, in fact, at least moderately sensitive, cf. id. (describing the injury of an “unlawful 20 No. 22-1892 inspection of one’s mail, wallet, or bank account”), and as the sources quoted in the plaintiffs’ complaint suggest, a driver’s license number in the wrong hands can cause serious prob3 lems for an affected person. It seems that the majority’s real problem with the plaintiffs’ position is that driver’s license numbers are not sensitive or private enough to be analogous to any historical or common-law injury traditionally recognized in American courts. Again, however, that is not our judgment to make, and it oversteps the instructions of the Supreme Court: “[W]hen Spokeo instructs us to analogize to harms recognized by the common law, we are meant to look 3 The complaint quotes a Forbes article stating: “Hackers harvest license numbers because they’re a very valuable piece of information. A driver’s license can be a critical part of a fraudulent, synthetic identity—which go for about $1200 on the Dark Web. On its own, a forged license can sell for around $200.” R.27 ¶ 36 (quoting Lee Matthews, Hackers Stole Customers’ License Numbers from Geico in Months-Long Breach, Forbes (Apr. 20, 2021)). The complaint also quotes at length from a post on Experian’s webpage: If someone gets your driver’s license number, it is also concerning because it’s connected to your vehicle registration and insurance policies, as well as records on file with the Department of Motor Vehicles, place of employment (that keep copy of your driver’s license on file), doctor’s office, government agencies, and other entities. Having access to that one number can provide an identity thief with several pieces of information they want to know about you. Next to your Social Security number, your driver’s license is one of the most important pieces to keep safe from thieves. Id. ¶ 37 (emphasis added). No. 22-1892 21 for a ‘close relationship’ in kind, not degree.” Gadelhak, 950 F.3d at 462 (quoting Spokeo, 578 U.S. at 341). A person’s privacy interest in a driver’s license number may be different in degree, but it is not different in kind, from the privacy interests historically protected in American law; the disclosure of this information in violation of statute inflicts a harm closely related to the harms traditionally recognized at common law. By imposing a standard of concreteness that is not only more restrictive than, but contrary to, the guidance given by the Supreme Court, our circuit today advances its ongoing “invasion into the congressional domain while continuing to provide no real precedential justification for doing so.” Markakos, 997 F.3d at 784 (Ripple, J., concurring). In light of controlling Supreme Court precedent, I would hold that the alleged violations of the DPPA establish sufficiently concrete injuries to support the plaintiffs’ standing to sue. II The panel’s decision errs in a second, independent way in its treatment of the tangible injuries alleged to have resulted from the disclosure of the plaintiffs’ driver’s license numbers. The plaintiffs plausibly alleged injuries in the form of identity theft, lost time and effort in working to prevent fraudulent unemployment-benefits applications, and lost time and effort in responding to actual fraudulent applications made in their names, but the majority opinion holds that the complaint did not plausibly trace these harms to the actions of the insurance companies. I respectfully disagree. At the pleading stage, “the plaintiff must ‘clearly … allege facts demonstrating’ each element” of standing. Spokeo, 578 22 No. 22-1892 U.S. at 338 (quoting Warth v Seldin, 422 U.S. 490, 518 (1975)). In ruling on a motion to dismiss, “‘the district court must accept as true all material allegations of the complaint, drawing all reasonable inferences therefrom in the plaintiff’s favor, unless standing is challenged as a factual matter.’” Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 691 (7th Cir. 2015). The plaintiffs plausibly alleged concrete injuries traceable to the insurance companies’ public disclosure of their driver’s license numbers. In assessing this aspect of the case, there are several background allegations that are important to bear in mind, before we turn to the allegations of specific injuries. The complaint alleged that, after the insurance companies learned that their websites were being used improperly to obtain driver’s license numbers, the companies sent notification letters to the thousands of affected individuals. These letters stated, in relevant part: To the extent you were affected by this incident, unauthorized parties may have obtained your driver’s license number. We have reason to believe this data may be used to fraudulently apply for unemployment benefits in your name. Please carefully review any written communications you receive from your state’s unemployment agency, especially if you have not applied for unemployment benefits. If you suspect that your data has been used to fraudulently apply for unemployment benefits, you should contact the relevant state unemployment agency immediately. … No. 22-1892 23 To help protect you, we are offering you [credit monitoring] services free of charge. These services … will provide you with alerts for twelve months from the date of enrollment whenever changes occur to your Experian credit file. … If you wish to monitor your own credit report for unauthorized activity, you may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting agencies: Equifax, Experian, and TransUnion. … Additional information on identity theft protection is also provided in the enclosed pages … . 4 Elsewhere in the complaint, the plaintiffs alleged that the driver’s license numbers were “taken for the purpose of committing fraud in the name of the person whose license infor5 mation is taken,” and they provided extensive descriptions of the risks that attend compromised personal information such as driver’s license numbers. 6 Describing the plaintiffs’ specific injuries, the complaint alleged, as to two plaintiffs, that “[f]ollowing the Unauthorized Data Disclosure,” these plaintiffs “received notice from the New York State Department of Labor that a claim for unemployment insurance benefits was filed” using their 4 R.27 ¶¶ 25, 26. 5 Id. ¶ 28. 6 Id. ¶¶ 29–39. 24 No. 22-1892 7 identities. Both plaintiffs “spent time researching … options to respond to the theft of [their] driver’s license[s], and the use of same to commit identity fraud,” and they “spent time contacting the New York State Department of Labor to deal with the fraudulent application[s] [for] unemployment insurance 8 benefits.” A third plaintiff, after receiving the insurance companies’ notification letter, “contacted the Florida Reemployment Assistance Program to notify them that she was a victim of a data breach and to place a fraud alert to mitigate the unauthorized application [for] unemployment benefits in her name.” 9 The majority opinion first downplays the plaintiffs’ allegations as merely “contending that the disclosure caused worry and anxiety,” harms which our circuit has found to be insufficient to establish a concrete injury. Majority Op. 3; see Wadsworth v. Kross, Lieberman & Stone, Inc., 12 F.4th 665, 668– 10 69 (7th Cir. 2021). But the plaintiffs do not simply rely on 7 Id. ¶¶ 54, 61. 8 Id. ¶¶ 55, 64. 9 Id. ¶ 70. 10 As one of our colleagues has explained elsewhere, however, the Supreme Court appears to have “left open the possibility that a plaintiff could show standing by showing that her knowledge of a serious risk caused its own emotional or psychological harm.” Pierre v. Midland Credit Mgmt., Inc., 29 F.4th 934, 946 n.6 (7th Cir. 2022) (Hamilton, J., dissenting). Specifically, in TransUnion, the Court mentioned the possibility that “a plaintiff’s knowledge that he or she is exposed to a risk of future physical, monetary, or reputational harm could cause its own current emotional or psychological harm,” but it “t[ook] no position on whether or how such an emotional or psychological harm could suffice for Article III purposes.” No. 22-1892 25 worry and anxiety. Two plaintiffs experienced actual identity theft in the form of fraudulent unemployment-benefits applications, and they spent time and effort to address and remediate this fraud. We have recognized actual identity theft and the attendant mitigation efforts as a concrete injury. See Remijas, 794 F.3d at 692 (“[T]here are identifiable costs associated with the process of sorting things out [after fraudulent activity].”); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) (“Even if those fraudulent charges did not result in injury to his wallet (he stated that his bank stopped the charges before they went through), he spent time and effort resolving them.”). Moreover, as the plaintiffs point out in their brief, it is reasonable to infer that they have suffered injury in the form of an impaired ability to access unemployment benefits due to the presence of fraudulent claims made in their names in the State’s records. Additionally, the third plaintiff’s expense of time and effort to take preventive action with the Florida unemployment agency constitutes a concrete injury. TransUnion, 141 S. Ct. at 2211 (although the risk of future harm is not a concrete injury in a suit for damages, “the exposure to the risk of future harm” may “itself cause[] a separate concrete harm”). 11 141 S. Ct. at 2211 n.7 (emphasis added). Judge Hamilton detailed several doctrinal reasons for why, contrary to our circuit’s restrictive approach to this question, certain emotional and psychological harms should be adequate to support standing. See Pierre, 29 F.4th at 947–50 (Hamilton, J., dissenting). 11 See also In re Equifax Inc. Customer Data Security Breach Litig., 999 F.3d 1247, 1262–63 (11th Cir. 2021) (describing “actual identity theft” and its resulting harms, including “time, money, and effort trying to mitigate … injuries,” as an injury in fact); Hutton v. Nat’l Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 622 (4th Cir. 2018) (“The Plaintiffs have been concretely 26 No. 22-1892 The majority opinion nonetheless concludes that, even if there is some harm related to the fraudulent applications, the plaintiffs failed to allege in sufficiently explicit terms that these fraudulent applications could be traced to the insurance companies’ disclosure of their driver’s license numbers. This is an unacceptably parsimonious reading of the complaint, which, under well-established principles governing the assessment of complaints, we must “accept as true,” “drawing all reasonable inferences” in the plaintiffs’ favor. Remijas, 794 F.3d at 691 (internal quotation marks omitted). “It is certainly plausible for pleading purposes” that the plaintiffs’ injuries— identity theft and lost time and effort responding to fraudulent unemployment-benefits applications—“are ‘fairly traceable’ to the data breach.” Id. at 696. It is crucial to remember that the insurance companies themselves warned the affected individuals that they suspected malicious actors intended to use their driver’s license numbers to apply for unemployment benefits and further advised the affected individuals to review communications from their state unemployment agencies and alert those agencies to suspected fraud. The complaint alleged that the driver’s license numbers were “deliberately targeted” for a specific purpose and that, within six months of the data breach, the anticipated harm materialized for at least two affected individuals. Id. at 693 (emphasis added). In the majority opinion’s view, the plaintiffs failed to allege specifically that New York’s unemployment agency requires an applicant to provide a driver’s license number. To injured by the data breach because the fraudsters used—and attempted to use—the Plaintiffs’ personal information to open Chase Amazon Visa credit card accounts without their knowledge or approval.”). No. 22-1892 27 treat this omission as fatal to the traceability analysis is an exceedingly narrow manner of reading the complaint. The notification letters from the insurance companies—reproduced at length in the complaint—stated that the companies “believe this data may be used to fraudulently apply for unemployment benefits” and advised affected individuals to “contact the relevant state unemployment agency immediately” if the 12 recipient had any suspicion of fraud. Later, the complaint repeated the point again, noting that “bad actors” often “us[e] these driver’s license numbers to fraudulently apply for un13 employment benefits.” The complaint even referred expressly to “the use of [the driver’s license] to commit identity theft” in connection with the unemployment-benefits appli14 cation in one plaintiff’s name. These allegations give rise to the natural inference that it is standard practice for state unemployment agencies to require driver’s license numbers in these applications and that New York’s unemployment agency likewise did so. 15 12 R.27 ¶¶ 25, 26. 13 Id. ¶ 38. 14 Id. ¶ 55. 15 The defendants could have challenged the factual accuracy of this point before the district court. “Where standing is challenged as a factual matter, the plaintiff bears the burden of supporting the allegations necessary for standing with ‘competent proof.’” Retired Chicago Police Ass’n v. City of Chicago, 76 F.3d 856, 862 (7th Cir. 1996). In that event, “the district court may find the facts.” Reid L. v. Ill. State Bd. of Educ., 358 F.3d 511, 515 (7th Cir. 2004). 28 No. 22-1892 Finally, for good measure, the complaint alleged that none of the three plaintiffs had “knowingly transmitted unencrypted [personal information] over the internet or any other unsecured source,” strengthening the inference that the unauthorized users of the driver’s license numbers obtained that information from the insurance companies. 16 It is certainly conceivable that “the plaintiffs may eventually not be able to provide an adequate factual basis for the inference[s]” tracing their injuries to the insurance companies’ disclosures, “but they had no such burden at the pleading stage.” Id. at 694. The “admissions and actions by” the insurance companies, coupled with the actual materialization of the specific risk that the companies anticipated, “adequately raise the plaintiffs’ right to relief above the speculative level.” Id. at 696 (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). Under the well-established rules governing pleading, the plaintiffs have alleged plausibly concrete injuries in the form of identity theft and lost time and effort to mitigate identity theft and that these injuries are fairly traceable to the insurance companies. III A word remains to be said about the plaintiffs’ standing to seek injunctive relief, which the majority opinion does not address. Presumably, the majority thinks the plaintiffs lack standing for this form of relief for two reasons: (a) the majority does not believe the unauthorized disclosure of the plaintiffs’ driver’s license numbers constitutes an injury or poses a sufficient risk of future injury, and (b) the majority does not 16 Id. ¶¶ 57, 66, 72. No. 22-1892 29 think the plaintiffs have traced any actual or potential injury to the insurance companies. For substantially the same reasons that I have already given, I believe the majority is mistaken on each point. In fact, the plaintiffs’ allegations in support of standing for injunctive relief are likely even stronger than for purposes of seeking damages. As TransUnion explained, “a person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.” 141 S. Ct. at 2210 (citing Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5 (2013)). At the very least, the plaintiffs have plausibly alleged future injuries of unemployment-benefits fraud (with its related harms) resulting from the insurance companies’ failure to protect their driver’s license numbers. For purposes of these future injuries, it was sufficient for the plaintiffs to allege that a driver’s license number may be used by a fraudulent actor to obtain unemployment benefits from state unemployment agencies, that several fraudulent actors have indeed sought this information and attempted to use it for that purpose, and that the insurance companies failed to secure the plaintiffs’ information and continue to fail to take adequate measures to secure it in the future. See, e.g., Remijas, 794 F.3d at 692–94. Accordingly, I would hold that the plaintiffs have standing to pursue injunctive relief. Conclusion Because I believe the plaintiffs’ allegations are adequate to support standing for their requests for damages and injunctive relief, I would reverse the judgment of the district court and remand for further proceedings. I respectfully dissent.
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
