A new Fourth Circuit decision has thrown out of federal court a state-law privacy claim where the plaintiff alleged only a bare statutory violation without alleging “a nonspeculative, increased risk of identity theft,” holding that the plaintiff alleged no Article III injury.

As background to the February 21, 2023 decision in O’Leary v. TrustedID, Inc., the plaintiff alleged that when a consumer reporting agency was subject to a data breach it engaged TrustedID to inform consumers whether they were impacted by the breach. The plaintiff further alleged that TrustedID’s website prompted him to enter six digits of his social security number (SSN) to determine whether he had been impacted, but did not use any other security precautions, such as a password, unique personal identification number, or another authentication device. The plaintiff filed a complaint in state court, alleging that TrustedID’s practice of requiring six digits of consumers’ SSNs violated South Carolina’s Financial Identity Fraud and Identity Theft Protection Act (the Act) and the common law right to privacy. The Act prohibits “requir[ing] a consumer to use his [SSN] or a portion of it containing six digits or more to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site.” S.C. Code Ann. § 37-20-180(A)(4).

TrustedID removed the case to federal court and moved to dismiss. While TrustedID’s motion was pending, the plaintiff filed a motion asking the district court to “inquire before reaching the merits into whether it has subject matter jurisdiction” under Article III given TransUnion LLC v. Ramirez. The district court denied the plaintiff’s motion, holding that the plaintiff had alleged Article III standing, but granted TrustedID’s motion to dismiss on the merits holding that the plaintiff had not plausibly stated a claim under the Act or under common-law. The plaintiff appealed as to the district court’s dismissal under the Act.

After reviewing relevant case law, the Fourth Circuit reversed the district court’s standing decision finding that “Article III excludes plaintiffs who rely on an abstract statutory privacy injury unless it came with a nonspeculative increased risk of identity theft.” Here, the plaintiff “hasn’t alleged — even in a speculative or conclusory fashion — that entering six digits of his SSN on TrustedID’s website has somehow raised his risk of identity theft.” While the plaintiff’s claim could not proceed in federal court, the appellate court included instructions to the district court to remand the case back to state court where it could proceed on the merits.