15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
UNITED STATES COURT OF APPEALS
FOR THE SECOND CIRCUIT
_______________
August Term, 2015
(Argued: October 28, 2015 Final Submission: July 7, 2017
Decided: September 19, 2017)
Docket No. 15‐464
_______________
YEHUDA KATZ,
Plaintiff‐Appellant,
—v.—
THE DONNA KARAN COMPANY, L.L.C., THE DONNA KARAN COMPANY STORE,
L.L.C., DONNA KARAN INTERNATIONAL, INCORPORATED,
Defendants‐Appellees.
_______________
B e f o r e:
KATZMANN, Chief Judge, POOLER and CHIN, Circuit Judges.
1
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
_______________
Appeal from judgment of the district court dismissing with prejudice the
plaintiff’s second amended complaint for lack of standing. The plaintiff brought
suit against the defendants alleging willful violations of the Fair and Accurate
Credit Transactions Act of 2003 (“FACTA”), Pub. L. No. 108–159, 117 Stat. 1952
(codified as amended at 15 U.S.C. § 1681c(g)), which seeks to reduce the risk of
identity theft by, among other things, prohibiting merchants from including
more than the final five digits of a customer’s credit card number on a printed
receipt. Here, the plaintiff twice purchased items at the defendants’ stores, and
on both occasions he received a printed receipt that included not only the last
four digits of his credit card number but also the first six digits. The plaintiff
alleges that this bare procedural violation of FACTA raised a material risk of the
harm of identity theft and thus constitutes a concrete injury sufficient to establish
Article III standing.
Before the district court, defendants introduced evidence in their motion to
dismiss that the first six digits of a credit card number simply identify the card
issuer and provide no personally identifying information about the plaintiff. In
part on this basis, the district court concluded that this procedural violation of
FACTA, without more, did not raise a material risk of harm sufficient to satisfy
the concrete injury requirement for Article III standing, and granted defendants’
motion to dismiss with prejudice. The parties’ disagreement about whether
printing the first six digits constituted a real risk of harm is a question of fact, and
so we review the district court’s finding for clear error. On the basis of the record
below and because it is the plaintiff’s burden to establish subject matter
jurisdiction by a preponderance of the evidence, and also informed by the
findings of other district courts as to this specific issue, we conclude that the
district court’s finding was not clearly erroneous. Because a district court cannot
dismiss with prejudice a complaint dismissed due to lack of subject matter
jurisdiction, however, we AFFIRM the judgment of the district court as to its
disposition but REMAND with instructions to amend the judgment so that the
dismissal is entered without prejudice.
_______________
2
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
SHIMSHON WEXLER, Law Offices of Shimshon Wexler, P.C., Atlanta,
GA, and New York, NY (Keith J. Keogh, Keogh Law, Ltd.,
Chicago, IL, on the brief), for Plaintiff‐Appellant.
GREG M. MASHBERG (David A. Munkittrick and Charles S. Sims, on
the brief), Proskauer Rose, LLP, New York, NY, for Defendants‐
Appellees.
_______________
KATZMANN, Chief Judge:
This is the second of two related cases concerning the impact of Spokeo, Inc.
v. Robins, 136 S. Ct. 1540 (2016), as revised (May 24, 2016), on the concrete injury
requirement for establishing Article III standing when a claim alleges only a bare
procedural violation of a statute, here the Fair and Accurate Credit Transactions
Act of 2003 (“FACTA”), Pub. L. No. 108‐159, 117 Stat. 1952 (codified as amended
at 15 U.S.C. § 1681c(g)). FACTA seeks to reduce the risk of identity theft by,
among other things, prohibiting merchants from including more than the last
five digits of a customer’s credit card number on a printed receipt. See 15 U.S.C.
§ 1681c(g)(1). In the related case, Crupar‐Weinmann v. Paris Baguette Am., Inc., 861
F.3d 76 (2d Cir. 2017) (“Paris Baguette”), we held that the specific alleged bare
procedural violation of FACTA — the printing of the plaintiff’s credit card
expiration date on her receipt — presented no material risk of harm to the
3
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
underlying interest Congress sought to protect (identity theft), because Congress
itself had clarified that printing the expiration date, without more, did not
“increase[] the risk of material harm of identity theft.” Id. at 81.
Here, the plaintiff alleges that he twice purchased items at the defendants’
stores, and on both occasions received a printed receipt that identified not only
the last four digits of his credit card number but also the first six digits. He
alleges that such a violation of FACTA raises a material risk of harm of identity
theft, and so he has suffered a concrete injury sufficient to establish Article III
standing to sue defendants for the violation. At the motion‐to‐dismiss stage
below, the defendants introduced extrinsic evidence that the first six digits of a
credit card number simply identify the card issuer and provide no personally
identifying information about the plaintiff. In part on this basis, the district court
concluded that this alleged procedural violation, without some further harm, did
not raise a material risk of identity theft sufficient to satisfy the concrete injury
requirement as articulated in Spokeo, and dismissed with prejudice the plaintiff’s
complaint for lack of subject matter jurisdiction. See generally Katz v. Donna Karan
Intʹl, Inc., No. 14 CIV. 740 (PAC), 2017 WL 2191605 (S.D.N.Y. May 17, 2017)
(“Katz”).
4
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
On appeal, we hold that the parties’ factual disagreement as to whether
printing the first six digits constituted a material risk of harm is a question of fact
even at the Rule 12(b)(1) motion‐to‐dismiss stage, and so we review the district
court’s finding for clear error. On the basis of the record below and the plaintiff’s
affirmative burden to establish subject matter jurisdiction by a preponderance of
the evidence, and informed by the findings of other district courts as to this
specific issue, we conclude that the district court’s finding was not clearly
erroneous. Accordingly, we AFFIRM the judgment of the district court
dismissing the plaintiff’s second amended complaint for lack of subject matter
jurisdiction. However, because a complaint must be dismissed without prejudice
where the dismissal is due to the court’s lack of subject matter jurisdiction, we
REMAND so that the district court may amend the judgment and enter the
dismissal without prejudice.
BACKGROUND
I. Factual History
We draw the brief factual history of this case from plaintiff’s second
amended complaint, filed after our remand. Plaintiff Yehuda Katz alleges that, in
January and February 2014, respectively, he visited the defendants’ stores in
5
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
Tipton Falls, New Jersey, and New York, New York, made a purchase, and at
each “was given a customer copy of a computer‐generated cash register receipt
that published the first six digits of Plaintiff’s credit card number.” Sec. Am.
Compl. ¶ 61. Katz alleges that printing the first six digits of his credit card
number was in violation of FACTA. Id. ¶¶ 67; 72. Congress passed FACTA in
part to reduce the risk of identity theft by, among other things, imposing a
“truncation” requirement on venders who accept credit and debit cards,
instructing them not to print “more than the last 5 digits of the card number or
the expiration date upon any receipt provided to the cardholder at the point of
the sale or transaction.” 15 U.S.C. § 1681c(g)(1).
Like the amended complaint in Paris Baguette, Katz’s second amended
complaint here is “devoid of specific factual allegations concerning . . . any
consequences that stemmed from display of” the first six digits of his credit card
number on the receipts. 861 F.3d at 78. And as in Paris Baguette, Katz’s second
amended complaint instead largely focuses on the identity theft concerns that
motivated Congress to pass FACTA, as well as the defendants’ alleged prior
knowledge of FACTA’s requirements. Katz contends that the receipts issued by
defendants including the first six digits of his credit card number are “exactly the
6
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
reckless, i.e. willful, systematic dissemination of personal information which
FACTA was enacted to protect from disclosure, i.e. concrete particularized harm
which FACTA made redressable by providing a statutory damages remedy.”
Sec. Am. Compl. ¶ 68.
II. Procedural History
Katz filed his complaint in February 2014 and then amended his complaint
in May 2014. Shortly thereafter, defendants moved to dismiss. The district court
ultimately granted the motion, primarily on the basis that his complaint did not
contain “any well‐pleaded facts which allow the plausible inference that
Defendants willfully, knowingly, or recklessly violated FACTA.” Katz v. Donna
Karan Intʹl, Inc., No. 14 CIV. 740 PAC, 2015 WL 405506, at *2 (S.D.N.Y. Jan. 30,
2015). Katz appealed, and on October 28, 2015, we heard consolidated oral
argument in both his case and Paris Baguette. Days later, the Supreme Court
heard oral argument in Spokeo, which raised questions concerning the
circumstances in which a risk of harm may be sufficiently concrete so as to satisfy
the injury‐in‐fact requirement for Article III standing. 136 S. Ct. at 1549. After the
Court clarified the requirements for standing in Spokeo, we vacated and
remanded both cases “to allow plaintiffs an opportunity to replead their claims
7
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
to comport with the pleading standards set forth in Spokeo, and to allow the
district courts to address any standing questions in the first instance,” and we
retained appellate jurisdiction over the outcomes. Cruper‐Weinmann v. Paris
Baguette Am., Inc., 653 F. Appʹx 81, 82 (2d Cir. 2016). On remand, the district court
again granted the defendants’ motion to dismiss, this time because Katz did “not
show that Defendants’ FACTA violation presented a material risk of harm to
[the] underlying interest of identity theft protection,” and so Katz did not plead a
concrete injury‐in‐fact sufficient to establish standing. Katz, 2017 WL 2191605, at
*6 (alteration in original) (internal quotation marks omitted). The district court
dismissed with prejudice Katz’s claims for lack of subject matter jurisdiction,
Katz appealed that dismissal, and the parties submitted letter briefing addressing
this issue in light of Spokeo and our Circuit’s subsequent doctrine concerning
standing requirements when alleging bare procedural violations of law.
DISCUSSION
I. Standard of Review
We review de novo the district court’s decision to dismiss a complaint for
lack of standing pursuant to Federal Rule of Civil Procedure 12(b)(1),
“construing the complaint in plaintiff’s favor and accepting as true all material
8
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
factual allegations contained therein.” Donoghue v. Bulldog Inv’rs Gen. P’ship, 696
F.3d 170, 173 (2d Cir. 2012).
II. Concrete Harm from a Bare Procedural Violation of FACTA
In Paris Baguette, we described the contours of the concreteness
requirement in light of Spokeo. See 861 F.3d at 79–81. After Spokeo, we explained,
“the critical question for standing purposes is ‘whether the particular procedural
violations alleged in this case entail a degree of risk sufficient to meet the
concreteness requirement,’” 861 F.3d at 80 (quoting Spokeo, 136 S. Ct. at 1550),
which in turn depends on “whether the particular bare procedural violation may
present a material risk of harm to the underlying concrete interest Congress
sought to protect” in enacting the statutory requirement. Id. at 80–81.
Below, the district court concluded that although defendants violated
FACTA’s prohibition on printing the first six digits of Katz’s credit card, “[t]he
first six digits do not disclose any information about Plaintiff; but rather ’identify
the institution that issued the card to the card holder.’” Katz, 2017 WL 2191605, at
*1. The court drew this conclusion from information alleged in the defendants’
motion to dismiss, and from a website cited in the defendants’ brief. That site
explains that “[t]he first 6 digits of a credit card number are known as the Issuer
9
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
Identification Number (IIN), previously known as bank identification number
(BIN). These identify the institution that issued the card to the card holder.” See
Bin List (Binlist) & Bin Ranges, https://www.bindb.com/bin‐list.html) (last visited
Sept. 18, 2017). The court also made reference to similar findings made by several
other district courts across the country. See Katz, 2017 WL 2191605, at *5
(collecting cases). Because the court found that the “additional digits identify the
card issuer[,] and do not disclose any information pertaining to Plaintiff,” it
concluded that printing the first six digits “did not present an actual or imminent
risk of harm” of identity theft to plaintiff, and so it dismissed, with prejudice,
Katz’s claims for lack of subject matter jurisdiction. Id. at *5.
On appeal, Katz argues that the district court went “beyond the
complaint’s allegations” and “decided for itself (based on Internet research) that
the first six digits of Katz’s credit card number” disclosed no personally
identifying information and revealed only the institution that issued the credit
card. Pl. Letter Br. at 5–6. Katz challenges this finding, asserting that “the identity
of the institution at which Katz keeps a credit card account is data ‘about’ Katz
and, more importantly, it is data an identity thief can exploit.” Id. at 6. Plaintiff
contends that the printing of each additional digit beyond the last five permitted
10
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
by FACTA raises a risk of identity theft because it “increases a card number’s
vulnerability to brute‐force cryptological attack, i.e. computer‐assisted guessing”
by reducing to six the number of digits that must be guessed out of the total of
sixteen on Katz’s card. Id. at 6 n.2. In response, the defendants reiterate the
district court’s finding, arguing that they “redacted all of the personally
identifying information from Plaintiff’s receipts required by FACTA, and more.
Printing the non‐unique identifying number of the bank that issued his card did
not change that.” Def. Letter Br. 18 (citation omitted).
The key issue for this Court to resolve, then, is whether the district court
was correct in finding at the motion‐to‐dismiss stage that because the first six
digits of plaintiff’s credit card number are the IIN number, Katz did not plead a
concrete harm in alleging that the defendants violated FACTA by printing those
six digits on his receipts.
III. Assessing a “Real Risk of Harm” at the Motion‐to‐Dismiss Stage
As we explained in our Circuit’s first post‐Spokeo case to consider standing
to sue for a bare procedural violation of law, Strubel v. Comenity Bank, a plaintiff’s
pleading must satisfy a two‐part test for such an allegation to constitute a
concrete harm: first, that “Congress conferred the procedural right to protect a
11
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
plaintiff’s concrete interests” as to the harm in question, and second, that “the
procedural violation presents a ‘risk of real harm’ to that concrete interest.” 842
F.3d 181, 190 (2d Cir. 2016) (citation omitted). The first of these two issues —
determining the scope and purpose of the procedural right provided by the
statute — is a question of law, and so we review that aspect of the district court’s
conclusion, like all questions of law, de novo. See Connecticut v. Physicians Health
Servs. of Connecticut, Inc., 287 F.3d 110, 114–15 (2d Cir. 2002). However, we have
not yet addressed the second issue: how should district courts determine
whether a bare procedural violation presents a material risk of harm to a
concrete interest?
Confronted with that issue now, we conclude that this second requirement
may raise either a question of law or a question of fact, depending on the sources
the parties rely on in their pleadings. In Carter v. HealthPort Technologies, LLC, 822
F.3d 47 (2d Cir. 2016), we explained that “[a] Rule 12(b)(1) motion challenging
subject matter jurisdiction may be either facial or fact‐based.” Id. at 56. When
confronted with a defendant’s facial challenge to standing, i.e., one “based solely
on the allegations of the complaint or the complaint and exhibits attached to it,”
plaintiffs have no evidentiary burden, for both parties can be said to rely solely
12
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
on the facts as alleged in the plaintiffs’ pleading. Id. However, a defendant may
also “make a fact‐based Rule 12(b)(1) motion, proffering evidence beyond the
[plaintiffs’ p]leading.” Id. at 57. In opposition to such a motion, plaintiffs must
“come forward with evidence of their own to controvert that presented by the
defendant,” or may instead “rely on the allegations in the[ir p]leading if the
evidence proffered by the defendant is immaterial because it does not contradict
plausible allegations that are themselves sufficient to show standing.” Id.
Here, Katz is correct in contending that the argument defendants raised
below went beyond the allegations in his pleading. Defendants made a fact‐
based Rule 12(b)(1) challenge in their motion to dismiss, relying on extrinsic
evidence — i.e., citation to the aforementioned website to establish that the first
six digits are the IIN — in arguing that the first six digits of Katz’s credit card
were not personally identifying and thus did not raise a material risk of harm of
identity theft. Below, Katz objected to the defendants’ reliance “on matter[s]
outside of the [Second Amended Complaint] that [were] not before [the district
c]ourt, namely, a website and the summary of an expert’s opinion from” another
case. Pl. Opp. at 16 n.10. As a factual matter, Katz asserted both before the district
court and here on appeal that even revealing the IIN digits raises a material risk
13
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
of identity theft, because, as discussed above, the more digits revealed, the more
vulnerable a card number may be to a “brute force cryptological attack.” Pl.
Letter Br. at 6 n.2. Ultimately, the district sided with the defendants, concluding
that printing the IIN did not raise a material risk of identity theft; it cited both the
website in question as well as several other district court cases that made similar
factual findings about the absence of a real risk of identity theft stemming the
printing of the IIN digits on a receipt. See Katz, 2017 WL 2191605, at *5 (citing
Kamal v. J. Crew Grp., Inc., No. 2:15‐0190 (WJM), 2016 WL 6133827 (D.N.J. Oct. 20,
2016), and Thompson v. Rally House of Kansas City, Inc., No. 15‐00886‐CV‐W‐GAF,
2016 WL 8136658 (W.D. Mo. Oct. 6, 2016)).
Because “the extrinsic evidence presented by the defendant [wa]s material
and controverted, the district court . . . need[ed] to make findings of fact in aid of
its decision as to standing.” Carter, 822 F.3d at 57. And since “the [district]
court . . . resolved disputed facts, we will accept the court’s findings unless they
are ‘clearly erroneous.’” Id. (alterations in original) (quoting Rent Stabilization
Ass’n of New York v. Dinkins, 5 F.3d 591, 594 (2d Cir. 1993)). We must thus decide
whether the district court was clearly erroneous in finding that the procedural
violation of FACTA alleged (i.e., printing the first six digits of plaintiff’s credit
14
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
card number) raised a material risk of identity theft absent other allegations of
harm.
In large part because the plaintiff has the burden of proving by a
preponderance of the evidence that subject matter jurisdiction exists, see
Makarova v. United States, 201 F.3d 110, 113 (2d Cir. 2000), we do not think the
district court’s finding was clearly erroneous as to the specific material facts in
dispute in this case. FACTA does not expressly prohibit printing the identity of
the card issuer on a receipt. See 15 U.S.C. § 1681c(g); see also In re Toys ʺRʺ Us ‐
Delaware, Inc. ‐ Fair & Accurate Credit Transactions Act (FACTA) Litig., No. CV 06‐
08163 MMM FMOX, 2010 WL 5071073, at *12 (C.D. Cal. Aug. 17, 2010)
(recognizing that Congress did not prohibit printing issuer information on credit
card receipt). As both the court below and other district courts have found, the
first six digits of a credit card number constitute the IIN for the card’s issuer,
digits which can be easily obtained for any given issuer, including from the
website discussed above. While Katz may be correct that every additional digit
increases the risk of a brute force cryptological attack, printing the first six digits
— the IIN — is the equivalent of printing the name of the issuing institution,
information which need not be truncated under FACTA, and thus the district
15
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
court did not clearly err in concluding that printing the IIN does not increase the
risk of real harm. Cf. Noble v. Nevada Checker CAB Corp., No. 2:15‐cv‐02322‐RCJ‐
VCF, 2016 WL 4432685, at *3 (D. Nev. Aug. 19, 2016) (finding the same). Here,
moreover, neither receipt disclosed Katz’s name, a fact that also reduces the
possibility that disclosure of the IIN would result in harm.
Admittedly, the fact‐finding procedure below was more abbreviated than
might be conventionally expected or desirable in many contexts. Other FACTA
cases, particularly those pre‐Spokeo cases that did not consider subject matter
jurisdiction and thus proceeded directly to the question of class certification,
have provided the kind of expert witness declarations and fact‐intensive
pleadings ordinary associated with a material factual dispute requiring the
district court to engage in fact‐finding. See, e.g., In re Toys ʺRʺ Us, 2010 WL
5071073, at *11‐*13 (discussing and weighing facts raised in competing expert
witness declarations). In light of Spokeo’s renewed emphasis on subject matter
jurisdiction for claims alleging bare procedural violations of law, we note that in
future cases, evidentiary production via affidavits, and even limited
jurisdictional discovery, may sometimes be appropriate in order to resolve a fact‐
based Rule 12(b)(1) standing challenge to a claim arising from such a violation.
16
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
And in some circumstances, a fact‐finding hearing with expert witness testimony
may very well be appropriate, depending on the novelty of the issue, the extent
of the material dispute of facts, and the statutory prohibition in question. After
all, precisely because the plaintiff bears the burden of alleging facts
demonstrating standing, we have encouraged district courts to “give the plaintiff
ample opportunity to secure and present evidence relevant to the existence of
jurisdiction” where necessary. Amidax Trading Grp. v. S.W.I.F.T. SCRL, 671 F.3d
140, 149 (2d Cir. 2011) (per curiam) (citation omitted).
In this case, the plaintiff did not seek the opportunity to supplement the
record with additional evidence after defendants included in their motion papers
extrinsic evidence suggesting that printing the IIN did not increase the risk of
harm. Going forward, where a defendant makes a fact‐based Rule 12(b)(1)
challenge to jurisdiction, we are confident that district courts will oversee the
appropriate extent of fact‐finding necessary to resolve the contested issue, and
parties should be on renewed notice of both the right to introduce such evidence
and the plaintiff’s burden of proof to do so even at the motion‐to‐dismiss stage.
Here, given the plaintiff’s burden to establish subject matter jurisdiction
and the fact that FACTA does not prohibit printing the issuer identity on a
17
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
receipt, and informed by the findings of other courts as to this issue, we conclude
that the district court did not clearly err in finding that the bare procedural
violation in question did not raise a material risk of harm of identity theft. We
emphasize, however, that we do not here resolve whether other bare procedural
violations of FACTA should or will meet a similar outcome, a question for lower
courts to determine in the first instance, on a case‐ and fact‐specific basis.
One other wrinkle: when a case is dismissed for lack of federal subject
matter jurisdiction, “Article III deprives federal courts of the power to dismiss
[the] case with prejudice.” Hernandez v. Conriv Realty Assocs., 182 F.3d 121, 123
(2d Cir. 1999). As a result, where a case is dismissed for lack of Article III
standing, as here, that disposition cannot be entered with prejudice, and instead
must be dismissed without prejudice. See Carter, 822 F.3d at 54–55. And, as we
noted in dicta in Carter and must now order here, although we affirm the district
court’s conclusion that plaintiff’s second amended complaint failed to establish
Article III standing, we are “constrained to have the . . . [j]udgment amended to
provide that the dismissal is without prejudice.” Id. at 55.
18
15‐464
Katz v. The Donna Karan Company, L.L.C. et al.
CONCLUSION
For the reasons explained, we conclude that plaintiff has not established a
concrete injury sufficient to maintain Article III standing to bring suit. Plaintiff’s
suit was thus properly dismissed for lack of subject matter jurisdiction, but such
a dismissal must be entered without prejudice. Accordingly, the judgment of the
district court is AFFIRMED, but the case is REMANDED with the instruction
that the court shall amend its judgment and enter dismissal without prejudice.
19