Oneal v. First Tennessee Bank (TV1), No. 4:2017cv00003 - Document 19 (E.D. Tenn. 2018)
Court Description: MEMORANDUM AND OPINION as set forth in following order. Signed by Chief District Judge Thomas A Varlan on 3/15/18. (ABF)
Download PDF
<![CDATA[
Oneal v. First Tennessee Bank (TV1) Doc. 19 UNITED STATES DISTRICT COURT EASTERN DISTRICT OF TENNESSEE RAYMOND ONEAL, individually and on behalf of all other similarly situated, Plaintiff, v. FIRST TENNESSEE BANK, Defendant. ) ) ) ) ) ) ) ) ) ) No.: 4:17-CV-3-TAV-SKL MEMORANDUM OPINION This civil action is before the Court on defendant’s Motion to Dismiss Plaintiff’s First Amended Class Action Complaint [Doc. 15]. Defendant seeks the dismissal of this action on three grounds: (1) under Federal Rule of Civil Procedure 12(b)(1), for plaintiff’s alleged failure to plead standing under Article III of the Federal Constitution; (2) under Rule 12(b)(5), for plaintiff’s alleged failure to properly serve defendant with process; and (3) under Rule 12(b)(6), for plaintiff’s alleged failure to state a plausible claim upon which the Court may grant relief [Doc. 16]. Plaintiff responded to this motion [Doc. 17], and defendant replied [Doc. 18]. Defendant’s motion is therefore fully briefed and ready for disposition. See E.D. Tenn. L.R. 7.1(a), 7.2. For the reasons explained below, the Court will grant this motion and dismiss plaintiff’s suit without prejudice. I. Background This case concerns an alleged violation of the federal Fair Credit Reporting Act, 15 U.S.C. §§ 1681–1681x (the “FCRA”). Plaintiff claims defendant negligently and willfully Dockets.Justia.com accessed his Equifax credit report for a purpose not authorized by the FCRA [Doc. 14 ¶¶ 82–83]. The Court will first provide limited background on the FCRA, before turning to the particular factual and procedural history of this case. A. Statutory Background In light of the Court’s later discussion of plaintiff’s standing to bring suit in federal court, see infra Part III, the Court will first describe the pertinent history of the FCRA. The stated purpose of this statute is “to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit . . . in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.” § 1681(b). In enacting the FCRA, Congress specifically found “a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy.” § 1681(a)(4). Furthermore, the FCRA’s lead sponsor in the Senate, William Proxmire, remarked at the time of enactment that consumers have “a right to see that the information is kept confidential and is used for the purpose for which it is collected,” as well as “a right to be free from unwarranted invasions of [their] personal privacy.” Fair Credit Reporting: Hearings on S. 823 Before the Subcomm. on Financial Institutions of the Comm. on Banking and Currency, 91st Cong. 2 (1969). The FCRA was “[e]nacted long before the advent of the Internet”—specifically, in 1970—but has assumed an even greater significance in the modern era of Internet-based credit reporting. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1545 (2016). This statute governs 2 the activity of entities that regularly disseminate “consumer reports”—i.e., “information bearing on an individual’s ‘credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living,’” in the context of specified transactions such as “credit transactions, insurance, licensing, consumer-initiated business transactions, and employment.” Id. (quoting 15 U.S.C. § 1681a(d)(1)). The FCRA imposes on these entities “a host of requirements concerning the creation and use of consumer reports,” three of which are particularly relevant here. Id. First, the FCRA provides an exclusive list of purposes for which consumer reports may be disseminated and prohibits any person1 from using or obtaining such information for any other purpose. 15 U.S.C. § 1681b(a), (f). One permissible purpose is furnishing a consumer report to a person who “intends to use the information in connection with a credit transaction involving the consumer . . . and involving the extension of credit to, or review or collection of an account of, the consumer.” § 1681(a)(1)(3)(A). Second, a consumer may recover actual damages, litigation costs, and attorneys’ fees from any person who negligently fails to comply with the FCRA’s requirements. Id. § 1681o(a). Third, in the event of a “willful” violation, the FRCPA provides for recovery of the greater of actual damages or statutory damages up to $1,000, along with punitive damages “as the court may allow,” litigation costs, and attorneys’ fees. Id. § 1681n(a). Today, the “standard measure of consumer credit risk in the United States” is an individual’s FICO Score, a “three-digit number summarizing a consumer’s credit risk of 1 The statute defines “person” to include both individuals and business entities. § 1681a(b). 3 likelihood to repay a loan” [Doc. 14 ¶¶ 31–32]. The higher an individual’s FICO Score, the lower her estimated credit risk and likelihood of default [Id. ¶ 33]. An individual’s FICO Score is based primarily on the consumer report databases maintained by the three largest American credit reporting agencies—Equifax, TransUnion, and Experian [Id. ¶¶ 36–37]. Furthermore, an individual’s FICO Score is calculated using five factors, each weighted differently: (1) payment history, accounting for 35% of the FICO Score; (2) amount of debt, accounting for 30%; (3) length of credit history, accounting for 15%; (4) new credit information, accounting for 10%; and (5) credit mix, accounting for 10% [Id. ¶ 41]. Credit inquiries from potential lenders and others fall under the fourth factor and come in two varieties: “soft pulls,” or inquiries that do not affect an individual’s FICO Score and that cannot be seen by other lenders, and “hard pulls,” or requests for copies of an individual’s credit report that may affect her FICO Score. Banga v. First USA, NA, 29 F. Supp. 3d 1270, 1274 n.2 (N.D. Cal. 2014); Middleton v. CCB Credit Servs., Inc., 2:12cv-2012, 2014 WL 3513386, at *2 (D. Nev. July 14, 2014). B. Factual History The relevant facts here are not in dispute.2 Plaintiff is a resident of Clark County, Nevada, while defendant is a bank headquartered in Memphis, Tennessee [Doc. 14 ¶¶ 17– 18]. The parties agree that, sometime before 2008, plaintiff incurred financial obligations to defendant [Id. ¶ 47; Doc. 16 p. 2]. Then, in September 2008, plaintiff filed for Chapter 2 And, as discussed further in Part II, infra, the Court takes the material allegations of plaintiff’s amended complaint as true for purposes of deciding defendant’s Rule 12(b)(1) motion. 4 13 bankruptcy in the United States Bankruptcy Court for the District of Nevada [Doc. 14 ¶ 48]. During those proceedings, defendant did not seek to have its indebtedness declared nondischargeable under 11 U.S.C. § 523; nor did defendant seek relief from the automatic stay provided for in 11 U.S.C. § 362 [Id. ¶¶ 50–51]. Plaintiff received a discharge in his bankruptcy case on May 6, 2015 [Id. ¶ 49]. The parties seem to agree that this resulted in a discharge of plaintiff’s debt to defendant [Id. ¶ 52; see Doc. 16 p. 2]. Plaintiff alleges that, on February 15, 2016, he reviewed his Equifax credit report and discovered an unauthorized inquiry by defendant [Doc. 14 ¶ 53]. According to the report, defendant accessed plaintiff’s Equifax credit report on November 30, 2015, for “Account Review” purposes [Id. ¶¶ 53–54]. Plaintiff asserts that, on that date, he did not have any account, debt, or other financial relationship with defendant, all his business with defendant having ended with the bankruptcy discharge [Id. ¶¶ 56–57]. Plaintiff thus alleges that this inquiry constituted impermissible use of or access to a consumer report under the FCRA [Id. ¶¶ 58–59 (citing § 1681b)]. Plaintiff further claims that defendant’s conduct was willful under § 1681n, because defendant “was aware of the FCRA’s prohibitions on impermissibly pulling consumers’ credit reports” [Id. ¶ 61]. Plaintiff alleges that he suffered an invasion of his legally protected privacy interests because of defendant’s credit report inquiry, as well as corresponding mental and emotional distress [Id. ¶¶ 62–64]. Plaintiff further asserts that defendant’s conduct increased the risk that he will “be injured if there is a data breach on [d]efendant’s computer systems,” as a result of defendant “acquiring additional highly sensitive information about [p]laintiff . . . 5 and saving that information on its computer systems” [Id. ¶ 66]. Plaintiff notes that such breaches “are increasingly common, and financial institutions like [d]efendant are frequent targets of cybercriminals” [Id. (citations omitted)]. C. Procedural History On January 18, 2017, plaintiff filed a class action complaint against defendant, seeking class certification, actual and FCRA statutory damages, declaratory and injunctive relief, litigation costs, and attorneys’ fees [Doc. 1]. In lieu of filing an answer, defendant filed a first motion to dismiss under Rules 12(b)(1), 12(b)(5), and 12(b)(6) [Docs. 12–13]. Then, on April 21, Plaintiff filed an amended complaint, as permitted by Rule 15(a)(1)(B) [Doc. 14]. Plaintiff’s amended complaint does not add any new claims or parties, but does provide further background on the FCRA and the credit reporting industry, as well as an additional proposed class [Doc. 14]. As amended, plaintiff’s complaint proposes the following two class definitions: All persons whose consumer credit report from any of the three major credit reporting agencies (Transunion, Equifax, and Experian) reflects an unauthorized consumer credit report inquiry by Defendant after a bankruptcy discharge within the past 2 years (“Class One”). All persons whose consumer credit report from any of the three major credit reporting agencies (Transunion, Equifax, and Experian) reflects an unauthorized consumer credit report inquiry by Defendant after a bankruptcy discharge within the past 5 years (“Class Two”). [Id. ¶ 69]. In response, defendant filed a second motion to dismiss on May 3, arguing that the amended complaint fails to resolve the deficiencies of the original complaint [Doc. 15 ¶ 1]. 6 Plaintiff then filed a response to this motion [Doc. 17], to which defendant replied [Doc. 18]. The Court further notes that defendant’s second motion to dismiss is substantively identical to the first [See Docs. 12–13, 15–16]. Thus, the Court will deny the first motion as moot and will proceed to consider the merits of the second motion. II. Standard of Review Although defendant moves for dismissal under Federal Rules of Civil Procedure 12(b)(1), 12(b)(5), and 12(b)(6), as explained in Part III below, the Court need only address the first of these three grounds—lack of subject-matter jurisdiction. “Federal courts are courts of limited jurisdiction.” Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375, 377 (1994). In other words, federal courts “have only the power that is authorized by Article III of the Constitution and the statutes enacted by Congress pursuant thereto.” Bender v. Williamsport Area Sch. Dist., 475 U.S. 534, 541 (1986). As such, subject-matter jurisdiction is a threshold issue that the Court must address and resolve prior to reaching the merits of the case. Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83, 94–95 (1998); see also Fed. R. Civ. P. 12(h)(3) (providing that, “[i]f the court determines at any time that it lacks subject-matter jurisdiction, the court must dismiss the action”). Unlike a motion to dismiss for failure to state a claim under Rule 12(b)(6), “where subject matter jurisdiction is challenged under Rule 12(b)(1)[,] . . . the plaintiff has the burden of proving jurisdiction in order to survive the motion.” RMI Titanium Co. v. Westinghouse Elec. Corp., 78 F.3d 1125, 1134 (6th Cir. 1996) (quoting Rogers v. Stratton Indus., 798 F.2d 913, 915 (6th Cir. 1986)). 7 Rule 12(b)(1) motions fall into two categories: “facial attacks and factual attacks.” United States v. Ritchie, 15 F.3d 592, 598 (6th Cir. 1994). “A facial attack is a challenge to the sufficiency of the pleading itself.” Id. In considering whether jurisdiction has been established on the face of the pleading, “the court must take the material allegations of the [pleading] as true and construed in the light most favorable to the nonmoving party.” Id. (citing Scheuer v. Rhodes, 416 U.S. 232, 235–37 (1974)). “A factual attack, on the other hand, is not a challenge to the sufficiency of the pleading’s allegations, but a challenge to the factual existence of subject matter jurisdiction.” Id. In considering whether jurisdiction has been proved as a matter of fact, “a trial court has wide discretion to allow affidavits, documents, and even a limited evidentiary hearing to resolve disputed jurisdictional facts.” Ohio Nat’l Life Ins. Co. v. United States, 922 F.2d 320, 325 (6th Cir. 1990). In evaluating a factual attack, “no presumptive truthfulness applies to the factual allegations, and the court is free to weigh the evidence and satisfy itself as to the existence of its power to hear the case.” Ritchie, 15 F.3d at 598 (internal citation omitted). Here, the parties do not expressly address whether defendant’s Rule 12(b)(1) motion is a facial or factual attack on subject-matter jurisdiction. Plaintiff, however, seems to assume the former [See Doc. 17 pp. 13–14]. The Court agrees with this assessment, as defendant’s stated argument for dismissal under Rule 12(b)(1) is that “[p]laintiff has failed to plead standing as required by Article III of the U.S. Constitution” [Doc. 15 ¶ 2 (emphasis added)]. The Court will thus analyze defendant’s motion as a facial attack and will construe the facts underling this dispute in the light most favorable to plaintiff. 8 III. Analysis Defendant moves for dismissal of this action of three grounds—lack of subject- matter jurisdiction under Rule 12(b)(1), insufficient service of process under Rule 12(b)(5), and failure to state a claim under Rule 12(b)(6). As explained further below, however, the Court concludes that it lacks subject-matter jurisdiction over this action because plaintiff has failed to sufficiently plead Article III standing. Therefore, the Court need not consider defendant’s alternative grounds for dismissal under Rules 12(b)(5) and (b)(6). The Court will first outline the constitutional requirements for standing to sue in federal court, before considering plaintiff’s two asserted injuries in light of those standards. A. Standing Requirements Article III of the Federal Constitution extends the federal judicial power to only a limited set of “cases” and “controversies.” U.S. Const. art. III, § 2. As such, “those who seek to invoke the jurisdiction of the federal courts must satisfy the threshold requirement . . . [of] alleging an actual case or controversy.” City of Los Angeles v. Lyons, 461 U.S. 95, 101 (1983). One aspect of this justiciability question is standing—i.e., whether the parties have “such a personal stake in the outcome of the controversy as to assure that concrete adverseness which sharpens the presentation of issues.” Baker v. Carr, 369 U.S. 186, 204 (1962). The plaintiff bears the burden of proving her standing to bring suit in federal court. Summers v. Earth Island Inst., 555 U.S. 488, 493 (2009). Furthermore, the Supreme Court has clarified that “the irreducible constitutional minimum of standing contains three elements.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). The plaintiff must have 9 suffered “[1] an injury in fact, [2] fairly traceable to the defendant’s conduct, [3] that is likely to be redressed by a favorable decision from the court.” Fair Elections Ohio v. Husted, 770 F.3d 456, 460 (6th Cir. 2014). While the plaintiff must prove these elements by a preponderance of the evidence, at the pleading stage, “general factual allegations of injury resulting from the defendant’s conduct may suffice.” Lujan, 504 U.S. at 561; see also Lujan v. Nat’l Wildlife Fed’n, 497 U.S. 871, 889 (1990) (noting that, in deciding a Rule 12(b)(1) motion based on standing, the court must “presume[] that general allegations embrace those specific facts that are necessary to support the claim”). At issue here is the first prong of the standing test, injury in fact.3 To establish injury in fact, the plaintiff must show “an invasion of a legally protected interest [that] is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical.” Phillips v. DeWine, 841 F.3d 405, 414 (6th Cir. 2016) (alteration in original) (internal quotation marks omitted) (quoting Lujan, 504 U.S. at 560). The Supreme Court has made clear that these three components—particularization, concreteness, and imminence—are distinct and indispensable requirements. Spokeo, 136 S. Ct. at 1548. First, “[a] ‘concrete’ injury must be ‘de facto’; that is, it must actually exist.” Id. (quoting Black’s Law Dictionary (9th ed. 2009)). “Abstract injury is not enough,” O’Shea v. Littleton, 414 U.S. 488, 494 (1974), though “intangible harms such as those produced by defamation or the denial of individual rights may certainly [suffice],” Crawford v. U.S. Dep’t of Treasury, 3 The parties do not address the causation and redressability prongs, and thus the Court assumes for purposes of this opinion that those requirements are satisfied. 10 868 F.3d 438, 453 (6th Cir. 2017). Second, particularization requires “that the plaintiff ‘personally . . . suffered some actual or threatened injury[,]’ as opposed to bringing a generalized grievance.” Id. (quoting Valley Forge Christian Coll. v. Ams. United for Separation of Church & State, Inc., 454 U.S. 464, 472 (1982)). Third, even if the alleged injury has not yet occurred, “[a] party facing prospective injury has standing to sue where the threatened injury is real, immediate, and direct.” Davis v. FEC, 554 U.S. 724, 734 (2008). This generally requires a showing that the injury is “certainly impending” and “not too speculative for Article III purposes.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013) (emphasis omitted) (quoting Lujan, 504 U.S. at 565 n.2).4 Of particular relevance here is the Supreme Court’s recent decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016). The defendant in Spokeo operated a website that allowed users to search for information on other individuals. Id. at 1546. In response to a search by an unknown user, the website produced a profile for the plaintiff containing inaccurate information. Id. The plaintiff then filed a class action complaint alleging that the defendant willfully violated various FCRA provisions in producing this report. Id. The district court dismissed the case for lack of standing, but the Ninth Circuit reversed, holding that “the 4 Some uncertainty remains as to whether prospective injury must always be “certainly impending,” or whether a lesser probability of injury may suffice in certain cases. See Clapper, 568 U.S. at 414 n.5 (leaving that issue unresolved); id. at 432–33 (Breyer, J., dissenting) (arguing that imminence “is a somewhat elastic concept” and noting that the Court has used various phrases—including “substantial risk” and “reasonable probability”—in its standing cases (quoting Lujan, 504 U.S. at 565 n.2)); see also Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 388 (6th Cir. 2016) (recognizing this unresolved ambiguity). Nonetheless, the Court’s application of the imminence requirement to plaintiff’s alleged data breach injury, see infra Section III.C, would remain the same under any level of probability the Supreme Court has permitted. 11 violation of a statutory right is usually a sufficient injury in fact to confer standing.” Robins v. Spokeo, Inc., 742 F.3d 409, 412, 415 (9th Cir. 2014), rev’d, 136 S. Ct. 1540 (2016). Because the plaintiff had alleged a violation of “his statutory rights, not just the statutory rights of other people,” the court found that the plaintiff had pleaded a sufficiently particularized injury to show Article III standing. Id. at 413. The Supreme Court reversed and remanded, holding that the Ninth Circuit had failed to adequately address concreteness as a requirement distinct from particularization. 136 S. Ct. at 1548–50. The Supreme Court provided some limited guidance in the process. The Supreme Court first made clear that intangible injuries may be sufficiently concrete in some cases. Id. at 1549. “[B]oth history and the judgment of Congress play important roles” in this inquiry. Id. As for the former, “a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts” can help show concreteness. Id. As for the latter, “because Congress is well positioned to identify intangible harms that meet minimum Article III requirements, . . . . [it] may ‘elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law.’” Id. (second alteration in original) (quoting Lujan, 504 U.S. at 578). But that does not mean standing is present “whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate [it].” Id. “[A] bare procedural violation, divorced from any concrete harm,” will not suffice. Id. In the FCRA context, the Court suggested that failing to provide a required notice or producing a wrong ZIP code may not “present any material risk of harm.” Id. at 1550. On the other hand, 12 procedural violations may at times be sufficiently concrete, and “a plaintiff in such a case need not allege any additional harm beyond the one Congress has identified.” Id. at 1549 (citing, inter alia, FEC v. Akins, 524 U.S. 11, 21 (1998) (holding that voters’ inability to obtain information Congress decided to make public was sufficient injury)).5 However, as the various decisions discussed in the next sections of this opinion make clear, the line between sufficient and insufficient procedural injury remains elusive. The Court will now apply these principles to the two forms of injury plaintiff has alleged in this case—an invasion of his legally protected privacy interests and an increased risk of exposure of his personal information via a data breach. B. Invasion of Privacy First, plaintiff alleges that he suffered an invasion of his legally protected privacy interests—along with attending mental and emotional distress—from defendant’s soft-pull inquiry [Doc. 17 pp. 15–21]. Defendant denies that such an alleged injury is sufficient for Article III standing [Doc. 16 pp. 3–10; Doc. 18 pp. 2–7]. For the reasons explained below, the Court agrees with defendant that this alleged injury is insufficiently concrete. Plaintiff first argues that invasion of privacy is a sufficiently particularized injury, as he has claimed he “was personally harmed and offended that his personal information and privacy had been invaded” [Doc. 17 p. 19]. Defendant does not address this prong of 5 On remand, the Ninth Circuit concluded that the plaintiff had alleged a sufficiently concrete injury in light of this guidance. Robins v. Spokeo, Inc., 867 F.3d 1108, 1119 (9th Cir. 2017), cert. denied, 86 U.S.L.W. 3366 (2018). The Court does not discuss this decision further because the FCRA violations alleged in Spokeo are less factually analogous to this case than those in the decisions discussed in Sections III.B and III.C below. 13 the injury-in-fact requirement. Thus, the Court assumes for purposes of this opinion that plaintiff’s first asserted injury meets the particularization requirement. Next, as for concreteness, plaintiff first asserts that a claim based on unlawful access to a consumer report is a “classic invasion of privacy claim[]” with a close relationship to several common law torts, including intrusion upon seclusion and public disclosure of private facts [Doc. 17 p. 16 (citing Restatement (Second) of Torts §§ 652A–652G (Am. Law Inst. 1977))]. Plaintiff notes that courts have applied the latter tort to the publication of debtors’ names and personal information. See, e.g., Trammell v. Citizens News Co., 148 S.W.2d 708, 708–09 (Ky. 1941) (notice published in newspaper); Brents v. Morgan, 299 S.W. 967, 968 (Ky. Ct. App. 1927) (notice posted in store window); Mason v. Williams Disc. Ctr., Inc., 639 S.W.2d 836, 837 (Mo. Ct. App. 1982) (plaintiffs’ names posted in store under the words “no checks” in large print). Additionally, plaintiff asserts that multiple courts have applied the tort of intrusion upon seclusion to the unlawful access of personal information. See, e.g., Bray v. Cadle Co., No. 4:09-cv-663, 2010 WL 4053794, at *16 (S.D. Tex. Oct. 14, 2010) (examining bank records); Kausch v. Wilmore, No. SACV-07-817-AG, 2009 WL 481346, at *4 (C.D. Cal. Feb. 24, 2009) (accessing credit report); Capitol Records, Inc. v. Weed, No. 2:06-cv1124, 2008 WL 1820667, at *6 (D. Ariz. Apr. 22, 2008) (copying files from personal computer); Rodgers v. McCullough, 296 F. Supp. 2d 895, 904 (W.D. Tenn. 2003) (accessing credit report); Smith v. Bob Smith Chevrolet, Inc., 275 F. Supp. 2d 808, 821–22 (W.D. Ky. 2003) (accessing credit report). Thus, plaintiff asserts that the harm he alleges 14 “raises a traditional basis for a lawsuit” [Doc. 17 pp. 17–18 (citing Restatement (Second) of Torts § 652A(1) (“One who invades the right of privacy of another is subject to liability for the resulting harm . . . .”))]. According to plaintiff, “[t]he FCRA built on this traditional right” by attempting to protect consumers’ credit information [Id. at 20]. As for the role of Congress, plaintiff argues that protecting consumer privacy was Congress’s overriding goal in enacting the FCRA. See 15 U.S.C. § 1681(a)(4) (recognizing the need to protect “the consumer’s right to privacy”); TRW Inc. v. Andrews, 534 U.S. 19, 23 (2001) (noting that Congress adopted the FCRA “to promote efficiency in the Nation’s banking system and to protect consumer privacy”). According to plaintiff, Congress “was so concerned with protecting consumers’ privacy against impermissible pulls” that the FCRA provides for actual, statutory, and punitive damages, attorneys’ fees, and even criminal penalties [Doc. 17 p. 18 (citing 15 U.S.C. §§ 1681n, 1681q)]. Plaintiff notes that, in exercising its power to define new substantive rights, Congress must at a minimum “identify the injury it seeks to vindicate and relate the injury to the class of persons entitled to bring suit.” Lujan, 504 U.S. at 580 (Kennedy, J., concurring). Plaintiff asserts that Congress did so in the FCRA by expressly seeking to protect the privacy interests of consumers in their credit information. Thus, plaintiff asserts that both history and the judgment of Congress counsel in favor of a finding of concreteness. Correspondingly, plaintiff submits that many courts have found standing under similar circumstances. See, e.g., Burke v. Fed. Nat’l Mortg. Ass’n, No. 3:16-cv-153, 2016 WL 4249496, at *4 (E.D. Va. Aug. 9, 2016) (finding standing based on an unauthorized 15 credit inquiry that allegedly exposed the plaintiff to an increased risk of identity theft or data breach), vacated, 2016 WL 7451624 (E.D. Va. Dec. 6, 2016); Firneno v. Radner Law Grp., 2:13-cv-10135, 2016 WL 5899762, at *4 (E.D. Mich. Sept. 28, 2016) (relying on Burke to hold that the viewing and retention of the plaintiffs’ financial information caused concrete injury); Perrill v. Equifax Info. Servs., LLC, 205 F. Supp. 3d 869, 873–75 (W.D. Tex. Aug. 31, 2016) (finding standing where the defendant credit bureau disclosed the plaintiff’s credit reports to a third party—a government agency—without authorization); cf. Lavigne v. First Cmty. Bancshares, Inc., 215 F. Supp. 3d 1138, 1147–48 (D.N.M. 2016) (holding that receiving unwanted automated telephone calls in violation of the Telephone Consumer Protection Act constituted a sufficiently concrete injury).6 Defendant responds that plaintiff has failed to identify any concrete injury. First, defendant notes that plaintiff seems to acknowledge that soft-pull credit inquiries “have no effect—negative or otherwise—on a consumer’s creditworthiness or ‘credit score’ and are never visible to lenders” [Doc. 16 p. 5]. Thus, defendant observes, plaintiff never alleges that the soft pull here had any impact on his FICO Score. Furthermore, defendant argues that “[t]he post-Spokeo cases from around the country have uniformly found that, absent disclosure to a third party or an identifiable harm from the statutory violation, there is no privacy violation” from an improper credit pull. Bultemeyer v. CenturyLink, Inc., No. CV- 6 While the Sixth Circuit’s recent decision in Galaria v. Nationwide Mutual Insurance Co., 663 F. App’x 384 (6th Cir. 2016), also bears on this issue, that case fits more neatly into the category of data breach cases discussed below in Section III.C. Thus, the Court defers discussion of Galaria until it addresses plaintiff’s alleged risk of a data breach. 16 14-02530, 2017 WL 634516, at *4 (D. Ariz. Feb. 15, 2017); see also Smith v. Ohio State Univ., 191 F. Supp. 3d 750, 757 (S.D. Ohio 2016) (finding that invasions of privacy resulting from procedural violations of FCRA disclosure and authorization requirements did not constitute “concrete consequential damage” under Spokeo). Defendant relies primarily on several recent decisions finding that the bare assertion of an invasion of privacy is insufficient for Article III standing. First, in Bultemeyer, the plaintiff alleged (as in this case) that the defendant accessed her credit report without a permissible purpose under the FCRA. 2017 WL 634516, at *1. Also like in this case, the plaintiff did not allege that this soft pull affected her credit score, nor that the defendant disseminated this information to a third party. Id. at *2. Rather, she alleged only that the defendant “violated a substantive privacy right.” Id. The District of Arizona held that this did not constitute injury in fact, finding that the plaintiff had asserted nothing more than “a bare procedural violation[,] without identifying any concrete harm”—exactly what the Supreme Court in Spokeo had deemed inadequate. Id. at *4. Defendant also cites Braitberg v. Charter Communications, Inc., where the plaintiff alleged that the defendant had retained his personal information long after he canceled his account, in violation of the Cable Communications Policy Act. 836 F.3d 925, 927 (8th Cir. 2016). Relying on Spokeo, the Eight Circuit held that the plaintiff failed to plead injury in fact because he had “identifie[d] no material risk of harm from the retention [of data].” Id. at 930. The plaintiff had not alleged that his information was ever disclosed to or accessed by an outside party, and “a speculative or hypothetical risk [of such harm] is insufficient.” 17 Id. Furthermore, while acknowledging the “common law tradition of lawsuits for invasion of privacy,” the court observed that “the retention of information lawfully obtained, without further disclosure, traditionally has not provided the basis for a lawsuit in American courts.” Id. (citing Restatement (Second) of Torts § 652A). The Seventh Circuit came to the same conclusion in Gubala v. Time Warner Cable, Inc., finding that a cable company’s failure to destroy a former customer’s information did not constitute a concrete injury. 846 F.3d 909, 910–11 (7th Cir. 2017). The plaintiff had not alleged any disclosure, use, or access of this information; rather, he merely claimed that “the violation of [the statute] has made him feel aggrieved.” Id. at 911. The court rejected the plaintiff’s argument that this amounted to an invasion of his substantive privacy rights, rather than a mere procedural violation. While “[v]iolations of rights of privacy are actionable,” here, there was “no indication of any violation of the plaintiff’s privacy because there [was] no indication that Time Warner [had] released, or allowed anyone to disseminate, any of the plaintiff’s personal information in the company’s possession.” Id. at 912. Neither the technical violation of the statute, nor the mere risk of such disclosure, could satisfy the injury-in-fact prong of standing. Id. Defendant also asserts that these outcomes are consistent with pre-Spokeo federal court decisions holding that the mere access, retention, or loss of data, without more, does not rise to the level of concrete injury. See, e.g., Phillips v. Grendahl, 312 F.3d 357, 373 (8th Cir. 2002) (“The use of improper methods to obtain information, such as a request that violates the [FCRA], does not necessarily make the acquisition of information highly 18 offensive [as required by an intrusion upon seclusion claim], if the information could just as well have been obtained by proper means.”), abrogated on other grounds by Safeco Ins. Co. of Am. v. Burr., 551 U.S. 47 (2007); Saumweber v. Green Tree Servicing, LLC, No. 13-cv-03628, 2015 WL 2381131, at *8 (D. Minn. May 19, 2015) (same); In re Zappos.com, Inc., 104 F. Supp. 3d 949, 962 n.5 (D. Nev. 2015) (rejecting loss of privacy as a basis for standing because the plaintiffs “failed to show how that loss amounts to a concrete and particularized injury”); In re Science Apps. Int’l Corp. Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 19 (D.D.C. 2014) (“[T]he mere loss of data—without evidence that it has been either viewed or misused—does not constitute [injury in fact].”); Eaton v. Cent. Portfolio Control, No. 14-747, 2014 WL 6982807, at *3 (D. Minn. Dec. 9, 2014) (noting that merely accessing a credit report does not give rise to an intrusion claim). As for plaintiff’s comparison of his suit to the common law privacy torts, defendant responds first that, with the exception of intrusion upon seclusion, these causes of action all require some public dissemination of private information. See Restatement (Second) of Torts §§ 652C–652E. But nothing of the sort occurred here. Thus, the public disclosure cases plaintiff cites—Trammell, Brents, and Mason—are inapposite. Second, defendant argues that a plaintiff who brings a privacy-related cause of action must still plead actual harm from the alleged invasion of privacy, which plaintiff has not done here. Third, defendant asserts that one essential element of an intrusion upon seclusion claim is proof that “the intrusion would be highly offensive to a reasonable person.” Restatement (Second) of Torts § 652B. According to defendant, plaintiff has failed to plead any facts 19 to support a finding that the soft pull here would meet this standard. Thus, defendant asserts that the intrusion cases cited by plaintiff do not support his position because those cases featured plausible allegations of highly offensive conduct. See, e.g., Rodgers, 296 F. Supp. 2d at 898 (the defendant attorney obtained the plaintiff’s credit report to use against her in a child custody hearing); Bray, 2010 WL 4053794, at *16 (the defendant hired search firms to obtain the plaintiff’s bank information and hired private investigators to “surveil, harass, and stalk [the p]laintiff at and near his home”).7 And, as noted above, courts have generally found that simply accessing another’s credit report without permission is not highly offensive to a reasonable person. See Grendahl, 312 F.3d at 373. Defendant further argues that the recent decisions cited by plaintiff as factually analogous to this case do not actually support a finding of standing here. First, while the factual allegations and legal arguments in Burke were quite similar to this case, the Eastern District of Virginia later vacated that decision based on the parties’ agreement that subjectmatter jurisdiction was lacking. 2016 WL 7451624, at *1. Next, defendant notes that Firneno both relied heavily on the now-vacated opinion in Burke and featured far more concrete allegations of injury. 2016 WL 5899762, at *4. Specifically, the defendants were alleged to have “illegally obtained private financial data, used it to identify financially distressed consumers, and solicited the plaintiffs via targeted mailers in violation of the [FCRA],” id. at *1—much like the automated telephone calls in Lavigne, 215 F. Supp. 3d 7 In addition, defendant notes that the plaintiffs in these cases alleged actual injury: Ms. Rodgers lost custody of her child, 296 F. Supp. 2d at 903, and $25,836 of Mr. Bray’s bank account funds were seized, 2010 WL 4053794, at *1. 20 at 1140. The quality and quantity of confidential information accessed in Firneno was also more extensive than in this case, consisting of “credit and FICO scores, the amount of debt, and addresses and the last four digits of the social security numbers of thousands of consumers.” 2016 WL 5899762, at *4. Finally, defendant argues that, in light of the insufficiency of plaintiff’s invasionof-privacy injury, his alleged mental and emotional distress cannot serve as a freestanding basis for Article III standing. Defendant notes in particular that “[a]llegations of mental and emotional distress seem far-fetched” because plaintiff has already “made his financial records public in a bankruptcy proceeding” [Do. 16 p. 10]. In response, plaintiff argues that “actual damages [for an FCRA violation] can include recovery for emotional distress” [Doc. 17 p. 10 (quoting Banga v. Chevron U.S.A. Inc., No. C-11-1498, 2013 WL 71772, at *11 (N.D. Cal. Jan. 7, 2013))]. Outside of a single, conclusory sentence in the complaint, however, plaintiff provides no content or context for his allegation of psychic harm [See Doc. 14 ¶ 64 (“Defendant’s behavior caused Plaintiff to suffer mental and emotional distress as a result of Defendant’s invasion of Plaintiff’s privacy.”)]. After carefully considering the parties’ arguments on this issue, the Court finds that an alleged invasion of privacy resulting from an improper credit inquiry, without more, does not constitute a concrete injury in fact. With the exception of his alleged mental and emotional distress, which the Court will address shortly, plaintiff has alleged nothing more than “a bare procedural violation, divorced from any concrete harm.” Spokeo, 136 S. Ct. at 1549. In other words, the amended complaint simply alleges a violation of § 1681b and 21 then attaches the words “invasion of privacy” to that claim. But the invocation of plaintiff’s privacy interests does not alter the underlying substance of the claim to relief he is pressing in this case. Absent an allegation that defendant used or disseminated his credit report in any harmful way—or otherwise exposed this information to a substantial risk of access by others, see infra Section III.C—plaintiff has alleged an injury that is merely “abstract,” rather than “de facto.” Spokeo, 136 S. Ct. at 1548. The Court finds further support for this conclusion in the two spheres in which Spokeo instructs courts to look for guidance. See id. at 1549. First, contrary to his claim that unlawfully accessing a consumer report is a “classic invasion of privacy claim[]” [Doc. 17 p. 16], the Court finds that the common law tort tradition does not support a finding of concreteness here. Plaintiff’s bare assertion of an invasion of privacy would not “provid[e] a basis for a lawsuit in English or American courts” under any of the four privacy torts that courts have come to recognize over the past century. Spokeo, 136 S. Ct. at 1549. This is because, as discussed above, plaintiff has alleged neither public dissemination of his credit information nor conduct highly offensive to a reasonable person—one of which is always an essential element of a cause of action for invasion of privacy. See Restatement (Second) of Torts §§ 652A–652E. And plaintiff does not point to any other common law cause of action that would permit recovery for the injury he alleges here. Thus, the Court agrees with defendant that the public disclosure and intrusion upon seclusion cases plaintiff cites are distinguishable. The public dissemination of private information—e.g., Trammell, 148 S.W.2d at 708–09; Brents, 299 S.W. at 968; Mason, 639 S.W.2d at 837—and the outrage 22 that accompanies conduct highly offensive to a reasonable person—e.g., Bray, 2010 WL 4053794, at *16; Rodgers, 296 F. Supp. 2d at 904—are intangible injuries of a far more concrete character than a soft pull of a credit report. Second, although one of Congress’s central concerns in enacting the FCRA was consumer privacy, the end goal was to ensure “the confidentiality, accuracy, relevancy, and proper utilization” of credit information—not to protect privacy as an abstract, intellectual concept. § 1681(b); see also Jones v. Federated Fin. Res. Corp., 144 F.3d 961, 965 (6th Cir. 1998) (“[T]he FCRA is aimed at protecting consumers from inaccurate information in consumer reports and at the establishment of credit reporting procedures that utilize correct, relevant, and up-to-date information in a confidential and responsible manner.”). But, in any event, Congress’s authority to invent new forms of substantive injury is limited by the case-or-controversy requirement of Article III—a requirement aimed at “assur[ing] that concrete adverseness which sharpens the presentation of issues.” Baker, 369 U.S. at 204. Thus, not all statutory violations for which Congress might elect to provide a remedy can satisfy Article III. For example, while the FCRA requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy of the information,” 15 U.S.C. § 1681e(b), the Supreme Court in Spokeo noted that “[i]t is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm,” 136 S. Ct. at 1550. Here, plaintiff’s alleged injury is no more concrete—it is a mere procedural violation, restyled as a substantive harm. 23 In addition, the Court agrees with defendant that the cases cited by plaintiff as factually analogous to this case are distinguishable. Perrill featured the disclosure of a credit report to a third party—a government agency holding taxing power over the plaintiff. 205 F. Supp. 3d at 871. Further, the defendants in Firneno and Lavigne used the private information they accessed to directly solicit the consumers affected, through targeted mailing lists and automated telephone calls, respectively. Firneno, 2016 WL 5899762, at *1; Lavigne, 215 F. Supp. 3d at 1140. These alleged injuries are all far more substantial— even if intangible—than the amorphous notion of an “invasion of privacy,” standing alone. And, while Burke dealt with the same type of harm alleged here, 2016 WL 4249496, at *1, that decision is not binding on this Court and was vacated after the parties agreed that standing was lacking, 2016 WL 7451624, at *1. In any event, the Court finds the holding in Burke—i.e., that any violation of the FCRA styled as an invasion of privacy would constitute injury in fact—to be plainly inconsistent with the guidance set forth in Spokeo. See 136 S. Ct. at 1550 (positing situations where technical violations of the FCRA would be insufficiently concrete to confer Article III standing). In sum, the Court agrees with the majority of courts to address the question at hand following the Spokeo decision: “[A]bsent disclosure to a third party or an identifiable harm from the statutory violation,” no actionable invasion of privacy results from a technical violation of the FCRA. Bultemeyer, 2017 WL 634516, at *4; accord Gubala, 846 F.3d at 910–11; Braitberg, 836 F.3d at 930; Smith, 191 F. Supp. 3d at 757. Moreover, plaintiff’s additional allegation of psychic harm does not shift the balance. When reviewing a facial 24 attack on subject-matter jurisdiction, the court must accept the factual allegations of the plaintiff’s complaint as true. O’Bryan v. Holy See, 556 F.3d 361, 376 (6th Cir. 2009). At the same time, however, “conclusory allegations or legal conclusions masquerading as factual conclusions will not suffice.” Id. (quoting Mezibov v. Allen, 411 F.3d 712, 716 (6th Cir. 2005)). The one-sentence reference to mental and emotional distress in the amended complaint is the very definition of a legal conclusion masquerading as a factual allegation [See Doc. 14 ¶ 64]. Therefore, this allegation is insufficient to carry plaintiff’s burden of proving Article III standing. Lujan, 504 U.S. at 561. C. Risk of Data Breach Second, plaintiff alleges that defendant’s soft-pull inquiry has exposed him to an increased risk of a data breach and a resulting exposure of his personal information to third parties [Doc. 17 pp. 21–26]. Defendant denies that such an alleged injury is sufficient for Article III standing [Doc. 16 pp. 8–10; Doc. 18 pp. 7–12]. For the reasons explained below, the Court agrees with defendant that this alleged injury is insufficiently concrete. Plaintiff asserts that defendant’s impermissible soft pull of his credit report has “created a particularized and concrete risk of harm [from] a data breach of his personal information” [Doc. 17 p. 22]. Plaintiff notes that he has alleged “the increasingly frequent and common incidents of data breaches of large institutions, similar to [d]efendant” [Id.]. Plaintiff further argues that the Spokeo Court recognized that a “risk of real harm can[] satisfy the requirement of concreteness,” 136 S. Ct. at 1549, “particularly where, as here, that risk carries severe economic consequences” [Doc. 17 p. 22]. And, as for the actual25 or-imminent requirement, plaintiff asserts that he has sufficiently alleged a “substantial risk” of a “certainly impending” data breach. Clapper, 568 U.S. at 409, 414 n.5. Defendant, by contrast, argues that courts have frequently rejected similar attempts to derive standing from the hypothetical risk of a potential data breach. See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38, 44–46 (3d Cir. 2011) (“In data breach cases where no misuse is alleged, however, there has been no injury . . . . [because] there is no quantifiable risk of damage in the future.”); Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 531– 33 (D. Md. 2016) (finding that an increased risk of identity theft following a data breach— along with expenses associated with mitigating this risk—was too speculative to constitute a “certainly impending” injury, as “[t]he majority of district courts faced with challenges to the standing of data breach victims” have found); In re Zappos.com, Inc., 104 F. Supp. 3d at 955 (“The majority of courts dealing with data-breach cases post-Clapper have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing.”); Nat’l Council of La Raza v. Gonzales, 468 F. Supp. 2d 429, 444 (E.D.N.Y. 2007) (finding that a speculative risk of future thirdparty access to civil immigration records contained in the NCIC database did not constitute an actual or imminent injury so as to confer standing).8 Plaintiff responds that the data breach cases cited by defendant are distinguishable. First, plaintiff argues that these cases have no bearing here because plaintiff has not brought 8 See also In re Zappos.com, Inc., 104 F. Supp. 3d at 955 (collecting cases that follow this majority approach, while noting that a few district court decisions from the Ninth Circuit have reached the opposite conclusion). 26 a data breach claim—rather, he has alleged an increased risk of identity theft and fraud resulting from a data breach as further evidence of injury. Second, plaintiff argues that the data breach cases are inapposite because they all concern a company’s failure to safeguard data properly within the company’s possession. Here, by contrast, plaintiff has alleged that defendant had no right to access or retain his credit information after May 6, 2015. Third, plaintiff notes that many of the data breach cases were dismissed because of the uncertain legal basis for such a cause of action. See, e.g., Hammond v. Bank of N.Y. Mellon Corp., No. 08 Civ. 6060, 2010 WL 2643307, at *1–2 (S.D.N.Y. June 25, 2010) (noting that courts have generally dismissed data-breach cases either on standing grounds or by finding “that loss of identity information is not a legally cognizable claim”). But here, there is no dispute that the FCRA provides for a private right of action.9 Plaintiff also relies in particular on the Sixth Circuit’s recent decision in Galaria v. Nationwide Mutual Insurance Co., 663 F. App’x 384 (6th Cir. 2016). The defendant, Nationwide, “maintain[ed] records containing sensitive personal information about its customers, as well as potential customers who submit their information to obtain quotes for insurance products.” Id. at 386. Hackers infiltrated Nationwide’s network and were able to retrieve such information for 1.1 million customers, including the plaintiffs. Id. The plaintiffs brought suit, alleging that Nationwide negligently and willfully failed to adopt procedures to protect against this data breach. Id. Regarding standing, the plaintiffs 9 Plaintiff also distinguishes Gonzales on the grounds that that case (1) concerned the standing of an organization to sue on behalf of its members, and (2) did not involve a defendant alleged to have unlawfully accessed private information. 468 F. Supp. 2d at 433–35. 27 argued that data-breach victims are 9.6 times more likely to experience identity fraud and have a fraud incidence rate of 19%. Id. The plaintiffs further alleged they had incurred substantial out-of-pocket expenses to mitigate these risks, e.g., purchasing credit reporting and monitoring services, purchasing and reviewing credit reports and bank statements, instituting or removing credit freezes, and closing or modifying financial accounts. Id. at 386–87. The district court dismissed for lack of standing. Id. at 387. The Sixth Circuit reversed, finding that these “allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, [were] sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.” Id. at 388. The court found that the plaintiffs’ allegation of a “continuing, increased risk of fraud and identity theft” provided a sufficiently definite probability of future injury, noting “[t]here is no need for speculation [when the p]laintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.” Id. Additionally, the court concluded that “[w]here [the p]laintiffs already know that they have lost control of their data, it would be unreasonable to expect [them] to wait for actual misuse . . . before taking steps to ensure their own personal and financial security.” Id. Thus, unlike cases where “[p]laintiffs seek to ‘manufacture standing by incurring costs in anticipation of non-imminent harm,’” the substantial mitigation expenses the Galaria plaintiffs incurred provided an alternative injury in fact. Id. at 389 (quoting Clapper, 568 U.S. at 422). After carefully considering the parties’ arguments on this issue, the Court finds that plaintiff has failed to plead a concrete risk of harm from a hypothetical future data breach. 28 In particular, plaintiff fails to provide any indication of the actual likelihood of such a risk. The amended complaint alleges only that “[d]ata breaches are increasingly common, and financial institutions like [d]efendant are frequent targets of cybercriminals” [Doc. 1 ¶ 35 (citations omitted)]. Plaintiff does not aver, for example, that defendant has been the target of hackers in the past or lacks the security features necessary to ward off a data breach. Indeed, in his brief responding to defendant’s motion to dismiss, plaintiff merely argues— in a conclusory fashion and without elaboration—that “[t]he risk to [him] is substantial and certainly impending, establishing standing” [Doc. 17 p. 22]. As noted above, “legal conclusions masquerading as factual conclusions will not suffice” when defending a Rule 12(b)(1) motion. O’Bryan, 556 F.3d at 376 (quoting Mezibov, 411 F.3d at 716)). Thus, plaintiff’s alleged injury is even less certainly impending than in the databreach cases cited by defendant. In those cases, at least, third-party hackers had already obtained access to the plaintiffs’ confidential information. See, e.g., In re Zappos.com, Inc., 104 F. Supp. 3d at 955 (collecting cases). Yet “[m]ost courts have held that such plaintiffs lack standing because the harm is too speculative.” Reilly, 664 F.3d at 43. Here, plaintiff’s theory of standing requires one additional probabilistic leap—i.e., he relies on a potential future data breach, which, if it ever occurs, might potentially result in identity theft or fraud. In Clapper, the Supreme Court rejected a similar “highly attenuated chain of possibilities” as sufficient to constitute injury in fact. 568 U.S. at 410–11 (rejecting the “speculative fear” that the government would target the plaintiffs’ foreign contacts for unlawful surveillance, would then receive court approval for such surveillance, and would 29 successfully intercept communications featuring the plaintiffs). The Court finds plaintiff’s alleged injury here to be just as speculative as that in Clapper. The Court further finds plaintiff’s attempts to distinguish the data-breach cases unpersuasive. First, the fact that plaintiff has not asserted a freestanding data-breach claim is immaterial. Regardless of whether a plaintiff relies on the consequences of a data breach as an independent cause of action, or as a form of injury attending an FCRA violation, the critical question for standing purposes remains the same—how substantial is the risk that those consequences will actually occur? See Galaria, 663 F. App’x at 388. Second, the fact that most of the data-breach defendants were lawfully in possession of the plaintiffs’ private information—unlike defendant here, according to plaintiff—does not alter the analysis. Plaintiff has not alleged that defendant has misused, is misusing, or will misuse his credit report in any way. Thus, just like in the data-breach cases, plaintiff is relying entirely on “allegations of hypothetical, future injury” arising from third-party access to defendant’s computer systems. Reilly, 664 F.3d at 42. Finally, the open question whether federal or state law recognizes a freestanding data-breach claim has no bearing on this case. While it is true that some courts have dismissed data-breach cases for lack of a valid cause of action, many others have dismissed these cases on standing grounds. See Hammond, 2010 WL 2643307, at *1–2 (collecting cases following both courses). The Sixth Circuit’s decision in Galaria is not to the contrary. Most obviously, in Galaria a data breach had already occurred, and the plaintiffs’ credit information was “in the hands of ill-intentioned criminals.” 663 F. App’x at 388. Here, plaintiff does not allege 30 that defendant has suffered a data breach or that any third party has attempted to access his credit report—only that such a breach is possible. Moreover, critical to the Galaria holding was the court’s finding that the plaintiffs had reasonably incurred substantial expenses to help mitigate the consequences of a misuse of their information. Id. at 388–89. Here, plaintiff does not allege that he has incurred any mitigation expenses in response to the soft pull of his credit report. But even if he had, such self-imposed injuries would not provide a basis for standing. As the Supreme Court explained in Clapper, plaintiffs seeking access to the federal courts “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” 568 U.S. at 416. Such a theory would fail the causation prong of standing, as expenses unreasonably incurred to prevent uncertain future harms are not “fairly traceable” to the defendant’s allegedly wrongful conduct. Id.; accord Laird v. Tatum, 408 U.S. 1, 13–14 (1972); ACLU v. NSA, 493 F.3d 644, 669–70 (6th Cir. 2007). Because, as explained above, plaintiff has failed to allege either a substantial risk of a data breach or any expenses incurred to mitigate that risk, Galaria does not support plaintiff’s claim of standing. In sum, the Court finds that neither of plaintiff’s asserted injuries constitutes “such a personal stake in the outcome of the controversy” as to ensure an adequately adversarial process. Baker, 369 U.S. at 204. As such, plaintiff has failed to sufficiently plead one of the essential components of Article III standing. The Court therefore lacks subject-matter jurisdiction over this action. 31 IV. Conclusion Accordingly, in a separate order filed contemporaneously with this memorandum opinion, the Court will DENY AS MOOT defendant’s first motion to dismiss [Doc. 12] and GRANT defendant’s second motion to dismiss [Doc. 15]. Plaintiff’s first amended complaint [Doc. 14] will therefore be DISMISSED WITHOUT PREJUDICE, and the Clerk of Court will be DIRECTED to CLOSE this case. ORDER ACCORDINGLY. s/ Thomas A. Varlan CHIEF UNITED STATES DISTRICT JUDGE 32
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
