PRECEDENTIAL
UNITED STATES COURT OF APPEALS
FOR THE THIRD CIRCUIT
___________
Nos. 17-2345 and 17-2453
___________
AHMED KAMAL,
on behalf of himself and the putative class,
Appellant in No. 17-2345
v.
J. CREW GROUP, INC.; J CREW INC.;
J. CREW INTERMEDIATE LLC; J CREW
INTERNATIONAL, INC.;
J. CREW OPERATING CORP; J. CREW SERVICES, INC.;
CHINOS ACQUISITION CORP; CHINOS HOLDINGS,
INC.,
Appellants in No. 17-2453
_______________________
On Appeal from the United States District Court
for the District of New Jersey
(D.C. Civil Action No. 2-15-cv-00190)
District Judge: Honorable William J. Martini
______________
Argued: February 8, 2018
Before: CHAGARES, SCIRICA, and RENDELL, Circuit
Judges.
(Filed: March 8, 2019)
Marvin L. Frank [ARGUED]
Suite 1706
370 Lexington Avenue
New York, NY 10017
Peter Y. Lee
Suite 1101
60 East 42nd Street
New York, NY 10165
Counsel for Appellant/Cross-Appellee Ahmed Kamal
Andrew O. Bunn [ARGUED]
Steven R. Marino
DLA Piper
51 John F. Kennedy Parkway
Suite 120
Short Hills, NJ 07078
Keara M. Gordon
DLA Piper
1251 Avenue of the Americas
New York, NY 10020
Counsel for Appellees/Cross-Appellants J. Crew Group,
Inc., J Crew Inc., J. Crew
2
Intermediate LLC, J Crew International, Inc., J. Crew
Operating Corp, J. Crew Services, Inc., Chinos Acquisition
Corp; Chinos Holdings, Inc.
_________________
OPINION OF THE COURT
_________________
SCIRICA, Circuit Judge
Enacted to combat credit card and identity theft, the Fair
and Accurate Credit Transactions Act of 2003 (FACTA)
prohibits anyone who accepts credit or debit cards as payment
from printing more than the last five digits of a customer’s
credit card number on the receipt. 15 U.S.C. § 1681c(g).
Plaintiff-Appellant Ahmed Kamal brought this suit after
receiving three receipts from Defendants-Appellees J. Crew
Group, Inc. (and related entities) that included both the first six
and last four digits of his credit card number. The District Court
dismissed Kamal’s suit under Federal Rule of Civil Procedure
12(b)(1) for lack of Article III standing based on its
determination that Kamal did not suffer a concrete injury from
the alleged violation.
We agree, and we will affirm on that issue. We will
vacate and remand, however, for the District Court to dismiss
Kamal’s complaint without prejudice.
I.
3
We begin with a review of FACTA’s text and
background before turning to the facts and procedural history.
A.
Congress enacted FACTA in 2003 as an amendment to
the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681.
FACTA was part of Congress’s effort to prevent identity theft.
Pub. L. No. 108-159, 117 Stat. 1952. Consistent with that
purpose, one of its provisions regulates the information that
can be included on receipts given to customers:
Except as otherwise provided in this subsection,
no person that accepts credit cards or debit cards
for the transaction of business shall print more
than the last 5 digits of the card number or the
expiration date upon any receipt provided to the
cardholder at the point of the sale or transaction.
15 U.S.C. § 1681c(g)(1). This provision was “included . . . to
limit the number of opportunities for identity thieves to ‘pick
off’ key card account information.” S. Rep. No. 108-166, at 13
(2003).
FACTA provides for actual damages and attorneys’ fees
and costs to remedy negligent violations. 15 U.S.C.
§ 1681o(a). Willful violators are liable for “any actual
damages . . . or damages of not less than $100 and not more
than $1,000,” punitive damages, and attorneys’ fees and costs.
Id. § 1681n(a).
In 2008, Congress passed the Credit and Debit Card
Receipt Clarification Act (Clarification Act), which provided a
4
temporary safe harbor to merchants that had violated FACTA
by including card expiration dates on receipts. Pub. L. No. 110-
241, 122 Stat. 1565. Although FACTA requires truncation of
card numbers and removal of expiration dates, Congress found
many merchants mistakenly believed it only required card
number truncation, leading to “hundreds of lawsuits” alleging
these merchants’ willful failure to remove the expiration date.
Id. § 2(a)(3)–(4). According to Congress, these suits did not
contain “allegation[s] of harm to any consumer’s identity,” and
“[e]xperts in the field agree that proper truncation of the card
number . . . regardless of the inclusion of the expiration date,
prevents a potential fraudster from perpetrating identity theft.”
Id. § 2(a)(5)–(6). To ensure “consumers suffering from any
actual harm to their credit or identity are protected while
simultaneously limiting abusive lawsuits that do not protect
consumers,” id. § 2(b), the Clarification Act amended FACTA
so merchants who printed expiration dates but otherwise
complied with FACTA would not be deemed in willful
noncompliance, id. § 3; see also 15 U.S.C. § 1681n(d). This
safe harbor covers receipts printed between 2004 and 2008.
Clarification Act § 3; 15 U.S.C. § 1681n(d).
B.
On December 18, 2014, Kamal visited a J. Crew retail
store in Ocean City, Maryland, and made a purchase with a
credit card. Four days later, he went to another J. Crew store in
Rehoboth Beach, Delaware, and again made a credit card
purchase. Finally, about two weeks later, Kamal went to a J.
Crew store in Wayne, New Jersey, and made a third purchase.
Each time, Kamal “received an electronically printed receipt,”
which he retained, that “display[ed] the first six digits of [his]
5
credit card number as well as the last four digits.” 1 App. 97,
Sec. Am. Compl. ¶ 8. As Kamal notes, the first six digits
identify the issuing bank and card type. The receipts he
received also identified his card issuer, Discover, by name.
Kamal does not allege anyone (other than the cashier) saw his
receipts. Neither does he allege his identity was stolen nor that
his credit card number was misappropriated.
Six days after the last purchase, Kamal filed his first
Class Action Complaint, alleging J. Crew willfully violated
FACTA by including on his receipts the first six digits of his
credit card number. Kamal sought statutory and punitive
damages as well as attorneys’ fees. J. Crew filed a motion to
dismiss under Federal Rule of Civil Procedure 12(b)(6),
arguing its violations had not been willful. Kamal filed an
Amended Complaint, and J. Crew again moved to dismiss on
the same grounds. The District Court denied the motion,
concluding Kamal plausibly alleged a willful violation.
Following the Supreme Court’s decision in Spokeo, Inc. v.
Robins, 136 S. Ct. 1540 (2016), J. Crew moved to dismiss for
lack of subject matter jurisdiction under Rule 12(b)(1),
contending Kamal lacked standing because he did not suffer a
“concrete” injury. The District Court agreed that Kamal had
not alleged a sufficiently concrete injury and thus lacked
standing under Article III. It granted J. Crew’s motion without
prejudice and allowed Kamal to file another amended
complaint.
1
We note that Kamal did not attach copies of the receipts to
his Second Amended Complaint. But he did attach them to
previous Complaints he filed, which are included in the Joint
Appendix.
6
Kamal filed his Second Amended Complaint—the
operative complaint in this matter. In an effort to address the
deficiencies leading to the dismissal of his Amended
Complaint, Kamal alleges two “concrete” harms: “the printing
of the prohibited information itself and the harm caused by
such printing increasing the risk of identity theft.” App. 104,
Sec. Am. Compl. ¶ 36. To support these allegations, Kamal
contends “[t]he extensive legislative findings by Congress, the
Federal Trade Commission, the Department of Justice, and the
industry” demonstrate that J. Crew’s conduct “created a real,
non-speculative harm in the form of increased risk of identity
theft.” Id. The Complaint accordingly includes statements from
Congress, industry experts, and government officials to show
FACTA was intended to address identity theft. For example,
Kamal notes that “[e]xperts . . . told Congress that both non-
redacted Card numbers and expiration dates are particularly
dangerous in the hands of sophisticated criminals.” App. 104,
Sec. Am. Compl. ¶ 37. Similarly, Kamal says, “the Senate
found that the specific provision at issue here protected
consumers, like Plaintiff, from an intangible harm in the form
of enhanced risk of identity theft.” App. 106, Sec. Am. Compl.
¶ 41.
The Complaint also explains how FACTA’s truncation
requirement responds to identity theft. Kamal alleges that
“[o]ne common modus operandi of identity thieves is to obtain
Card receipts that are lost or discarded, or through theft, and
use the information on them to commit fraud and theft.” App.
101, Sec. Am. Compl. ¶ 28. FACTA “makes it more difficult
for identity thieves to obtain consumers’ Card information by
reducing the amount of information identity thieves could
retrieve from found or stolen Card receipts.” App. 103, Sec.
Am. Compl. ¶ 33. In other words, Congress was responding to
7
“the possibility that identity thieves would be able to piece
together credit card numbers and expiration dates to invade
consumers’ privacy and exploit their financial resources.” App.
106, Sec. Am. Compl. ¶ 42.
Notwithstanding these additional allegations, J. Crew
again moved to dismiss on standing grounds. The District
Court noted the two injuries alleged in the Second Amended
Complaint—the printing of the prohibited information and the
increased risk of identity theft—and rejected both in turn. See
Kamal v. J. Crew Grp., Inc., No. 15-0190, 2017 WL 2587617,
at *3 (D.N.J. June 14, 2017). 2
The court first held the printing of the information on
the receipt was not itself a concrete injury. J. Crew’s conduct
in giving Kamal a receipt that included his credit card’s first
six digits did “not implicate traditional common law privacy
interests” because “J. Crew did not ‘disclose’ Kamal’s personal
information” and “the [card’s] first six digits do not pertain to
the customer’s individual bank account.” Id. As to “the
judgment of Congress,” Spokeo, 136 S. Ct. at 1549, the court—
relying on quoted portions of the Clarification Act—
determined that “Congress sought [through FACTA] to ‘ensure
that consumers suffering from any actual harm to their credit
or identity are protected,’” Kamal, 2017 WL 2587617, at *4
(quoting Clarification Act § 2(b)) (emphasis added in District
Court opinion). Because Kamal had not sustained any actual
harm, the court held there was no injury in fact.
2
Because the District Court subsequently reissued an identical
opinion, dismissing Kamal’s Second Amended Complaint
with prejudice, we cite to the reissued opinion.
8
The District Court next evaluated whether Kamal’s
alleged increased risk of identity theft constituted a concrete
injury. The court was unable to “reasonably infer that printing
the first six and last four digits of [Kamal’s] credit card
materially increased the risk of future harm.” Id. at *4. The
court stated that the first six digits of a credit card number
identify the bank or card issuer, information that permissibly
appears elsewhere on a receipt. It also examined the
intervening events that must occur for Kamal’s identity to be
stolen and found this chain of future events too speculative to
constitute a concrete injury.
Accordingly, because Kamal had alleged only a
technical violation of FACTA and not a concrete injury, the
District Court held Kamal lacked standing and granted J.
Crew’s motion, dismissing without prejudice the Second
Amended Complaint. The District Court gave Kamal leave to
file another amended complaint.
Kamal moved for reconsideration, or alternatively, for
amendment of the court’s order “so as to redenominate it final
and appealable,” as Kamal intended to stand on the Second
Amended Complaint to establish his Article III standing. Pl.’s
Mem. of Law Supp. Mot. Reconsider at 5, Kamal v. J. Crew
Grp., Inc., D. Ct. Dkt. No. 87-1, Civ. No. 15-0190 (D.N.J. June
8, 2017). The District Court denied the motion for
reconsideration but amended its order to provide for a
dismissal with prejudice based on Kamal’s intent to stand on
his complaint. Kamal appealed, and J. Crew filed a cross-
appeal challenging the District Court’s denial of its motion to
dismiss under Rule 12(b)(6) for failure to plausibly plead a
willful violation.
II.
9
The District Court had jurisdiction under 28 U.S.C.
§ 1331 to resolve the question of standing. We have
jurisdiction under 28 U.S.C. § 1291.
“Our review of the District Court’s dismissal of a
complaint pursuant to Federal Rule of Civil Procedure 12(b)(1)
is de novo.” In re Horizon Healthcare Servs. Inc. Data Breach
Litig., 846 F.3d 625, 632 (3d Cir. 2017). The District Court
properly determined that J. Crew’s Motion was a facial
challenge because it did “not dispute what [the] facts are, but
rather whether the facts as plead [sic] create standing.” Kamal,
2017 WL 2587617, at *2; see also Constitution Party of Pa. v.
Aichele, 757 F.3d 347, 358 (3d Cir. 2014) (“In reviewing a
facial attack, ‘the court must only consider the allegations of
the complaint and documents referenced therein and attached
thereto, in the light most favorable to the plaintiff.’” (quoting
In re Schering Plough Corp. Intron/Temodar Consumer Class
Action, 678 F.3d 235, 243 (3d Cir. 2012))). “Although ‘general
factual allegations of injury resulting from the defendant’s
conduct may suffice,’” Reilly v. Ceridian Corp., 664 F.3d 38,
41 (3d Cir. 2011) (quoting Lujan v. Defs. of Wildlife, 504 U.S.
555, 561 (1992)), “the complaint must still ‘clearly and
specifically set forth facts sufficient to satisfy’ Article III,” id.
(quoting Whitmore v. Arkansas, 495 U.S. 149, 155 (1990)).
III.
Kamal pleaded an injury which no doubt involves a
technical violation of FACTA’s ban on printing more than the
last five digits of a consumer’s credit card number. We must
resolve whether the alleged resulting harm is sufficiently
concrete to create an Article III case or controversy.
10
A.
“Under Article III of the United States Constitution, the
power of the judiciary ‘extends only to “Cases” and
“Controversies.”’” Long v. Se. Pa. Transp. Auth., 903 F.3d
312, 320 (3d Cir. 2018) (quoting Spokeo, 136 S. Ct. at 1547).
“One element of the case-or-controversy requirement is that
[plaintiffs], based on their complaint, must establish that they
have standing to sue.” Raines v. Byrd, 521 U.S. 811, 818
(1997). The standing doctrine “limits the category of litigants
empowered to maintain a lawsuit in federal court” and has
“developed in our case law to ensure that federal courts do not
exceed their authority as it has been traditionally understood.”
Spokeo, 136 S. Ct. at 1547. To maintain a suit, a “plaintiff must
have (1) suffered an injury in fact, (2) that is fairly traceable to
the challenged conduct of the defendant, and (3) that is likely
to be redressed by a favorable judicial decision.” Id. This
appeal involves only the injury-in-fact requirement.
To show injury in fact, a plaintiff must allege “‘an
invasion of a legally protected interest’ that is ‘concrete and
particularized’ and ‘actual or imminent, not conjectural or
hypothetical.’” Id. at 1548 (quoting Lujan, 504 U.S. at 560).
“Th[e] injury . . . must be concrete in both a qualitative and
temporal sense,” and an “abstract” injury will not suffice.
Whitmore, 495 U.S. at 155.
1.
11
In Spokeo, the Supreme Court considered Congress’s
ability to confer standing for intangible harms, and it
established criteria for evaluating whether those harms satisfy
Article III. 136 S. Ct. at 1549. The plaintiff alleged the
defendant, which operates a “people search engine,” violated
the FCRA when it published inaccurate information about him
on the Internet. Id. at 1544. On appeal, the United States Court
of Appeals for the Ninth Circuit determined the plaintiff
satisfied the injury-in-fact requirement because a “violation of
a statutory right is usually a sufficient injury in fact to confer
standing.” Robins v. Spokeo, Inc., 742 F.3d 409, 412 (9th Cir.
2014), vacated, 136 S. Ct. 1540 (2016). The Supreme Court
vacated and remanded the decision of the Ninth Circuit,
explaining that “Article III standing requires a concrete injury
even in the context of a statutory violation.” Spokeo, 136 S. Ct.
at 1549. To assess whether an intangible harm constitutes an
injury in fact, the Supreme Court directed courts to look both
at the “judgment of Congress” and at history. Id.
The congressional inquiry considers whether Congress
has “identif[ied] and elevat[ed]” an intangible harm because,
as the Supreme Court recognized, “Congress is well positioned
to identify intangible harms that meet minimum Article III
requirements” and “its judgment is . . . instructive and
important.” Id. The historical inquiry considers “whether an
alleged intangible harm has a close relationship to a harm that
has traditionally been regarded as providing a basis for a
lawsuit in English or American courts.” Id. This comparison is
useful because the Article III case-or-controversy requirement
“is grounded in historical practice.” Id.
The Supreme Court cautioned that a plaintiff does not
“automatically satisf[y] the injury-in-fact requirement
12
whenever a statute grants a person a statutory right and
purports to authorize that person to sue to vindicate that right.”
Id. Congress cannot statutorily manufacture Article III
standing in the case of “a bare procedural violation, divorced
from any concrete harm.” Id. Rather, a procedural violation
must yield or risk actual harm to meet the requirements of
Article III.
The Spokeo Court traced this limitation back to
Summers v. Earth Island Institute, 555 U.S. 488 (2009), where
the Court explained:
[D]eprivation of a procedural right without some
concrete interest that is affected by the
deprivation—a procedural right in vacuo—is
insufficient to create Article III standing. Only a
“person who has been accorded a procedural
right to protect his concrete interests can assert
that right without meeting all the normal
standards for redressability and immediacy.”
Id. at 496 (quoting Lujan, 504 U.S. at 572 n.7) (emphasis added
in Summers). When a procedural right protects a concrete
interest, a violation of that right may create a sufficient “risk of
real harm” to the underlying interest to “satisfy the requirement
of concreteness.” Spokeo, 136 S. Ct. at 1549; cf. Strubel v.
Comenity Bank, 842 F.3d 181, 190 (2d Cir. 2016). In Spokeo,
the Court remanded for the Ninth Circuit to address whether
the alleged procedural violations “entail a degree of risk
sufficient to meet the concreteness requirement.” 136 S. Ct. at
1550. It explained that some FCRA violations, such as
“dissemination of an incorrect zip code,” would not suffice
because they do not “present any material risk of harm.” Id.
13
2.
We have applied these principles in four cases. First, in
Horizon, after unencrypted laptop computers containing the
plaintiffs’ personal information were stolen from a Horizon
facility, the plaintiffs sued under the FCRA. 846 F.3d at 630.
They contended the company inadequately safeguarded their
personal information. Id. at 630–31. We determined the
plaintiffs had standing because their alleged injury—
unauthorized dissemination of their personal information—
was identified by Congress as a cognizable injury under the
FCRA, id. at 639, and involved harm that had “long been seen
as injurious,” id. at 638. Under Spokeo, the violation of the
plaintiffs’ “statutory right to have their personal information
secured against unauthorized disclosure” was, “in and of itself,
an injury in fact.” Id. at 634; see also In re Nickelodeon
Consumer Privacy Litig., 827 F.3d 262, 274 (3d Cir. 2016)
(concluding the “unlawful disclosure of legally protected
information” in and of itself constitutes a “de facto injury”).
Second, in Susinno v. Work Out World Inc., 862 F.3d
346 (3d Cir. 2017), the plaintiff alleged a single prerecorded
call to her cell phone was a violation of the Telephone
Consumer Protection Act (TCPA). Id. at 351. We recognized
that Congress had “squarely identified” the plaintiff’s injury in
the TCPA. Id. Because the injury was closely related to a
common law intrusion upon seclusion claim, Congress was
able to elevate the harm—although intangible—to a “legally
cognizable injur[y].” Id. at 352 (quoting Spokeo, 136 S. Ct. at
1549).
14
Third, in St. Pierre v. Retrieval-Masters Creditors
Bureau, 898 F.3d 351 (3d Cir. 2018), the plaintiff alleged the
defendant debt collection agency violated the Fair Debt
Collection Practices Act (FDCPA) when it disclosed his debtor
account number through a glassine window on an envelope
sent to him through the mail. Id. at 355–56. Noting Horizon’s
statement that “unauthorized dissemination of personal
information . . . causes an injury in and of itself,” we concluded
the plaintiff had standing. Id. at 357 (quoting Horizon, 846
F.3d at 639). The exposure of the account number
“‘implicate[d] a core concern animating the FDCPA—the
invasion of privacy’—and thus [wa]s closely related to” a
traditional harm. Id. at 357–58 (quoting Douglass v.
Convergent Outsourcing, 765 F.3d 299, 303 (3d Cir. 2014)).
Finally, in Long, the plaintiffs alleged defendant
Southeastern Pennsylvania Transportation Authority (SEPTA)
violated the FCRA in two ways. First, “SEPTA did not send
[them] copies of their background checks before it decided not
to hire them” on the basis of those background checks. Long,
903 F.3d at 317. We determined this injury was sufficiently
concrete because the FRCA clearly expressed Congress’s
intent to make the injury redressable, and the alleged
interference with the plaintiffs’ ability to control their personal
information was “analogous” to common law invasions of
privacy rights. Id. at 323–24. But the second alleged
violation—that SEPTA did not send the plaintiffs notice of
their FCRA rights—was a “bare procedural violation” for
which there was no standing. Id. at 325 (quoting Spokeo, 136
S. Ct. at 1549). Although the plaintiffs alleged the violation
increased the risk that their claims would lapse before they
could bring suit, we determined there was no harm because the
15
plaintiffs “became aware of their FRCA rights and were able
to file [a] lawsuit.” Id.
We have not yet had occasion to review standing where
a procedural violation allegedly presents a “material risk of
harm” because, in these past cases, the underlying harm
contemplated by Congress had already materialized or failed
to materialize. See Long, 903 F.3d at 324 (plaintiffs alleged the
defendant took an adverse employment action without
providing the required consumer report, “the very harm that
Congress sought to prevent”) (internal quotation omitted); St.
Pierre, 898 F.3d at 358 (plaintiff alleged unauthorized
disclosure of debtor account number, and “invasion of privacy”
was “a core concern animating the FDCPA”) (internal
quotation omitted); Susinno, 862 F.3d at 351 (plaintiff asserted
nuisance and invasion of privacy, “the very harm that Congress
sought to prevent” with the TCPA) (internal quotation
omitted); Horizon, 846 F.3d at 640 (plaintiffs alleged the
unauthorized dissemination of their own private information,
“the very injury that FCRA is intended to prevent”). This was
in keeping with the Supreme Court’s statement that if violation
of a statutory right itself constitutes injury in fact, “a plaintiff .
. . need not allege any additional harm beyond the one
Congress has identified.” Spokeo, 136 S. Ct. at 1549.
Our precedent recognizes, though, “that there are some
circumstances where the mere technical violation of a
procedural requirement of a statute cannot, in and of itself,
constitute an injury in fact.” Horizon, 846 F.3d at 638.
Although we then had “no occasion to consider” those
“limiting circumstances,” we are now presented with a case
that requires us to “consider the full reach of congressional
power to elevate a procedural violation into an injury in fact.”
16
Id. We—like several of our sister circuits—understand Spokeo
“to instruct that an alleged procedural violation . . . manifest[s]
concrete injury” if the violation actually harms or presents a
material risk of harm to the underlying concrete
interest. Strubel, 842 F.3d at 190 (citing Spokeo, 136 S. Ct. at
1549); see also Robins v. Spokeo, Inc., 867 F.3d 1108, 1115
(9th Cir. 2017), cert. denied, 138 S. Ct. 931 (2018); Braitberg
v. Charter Commc’ns, Inc., 836 F.3d 925, 930 (8th Cir. 2016). 3
If the violation does not present a “material risk of harm to that
underlying interest,” however, a plaintiff fails to demonstrate
concrete injury. Strubel, 842 F.3d at 190 (citing Spokeo, 136 S.
Ct. at 1549). 4
3
In Horizon, we noted that other courts employed a “material
risk of harm” analysis in determining standing after Spokeo.
846 F.3d at 637 n.17. On the facts of Horizon, we did not apply
that approach, concluding that Spokeo did not erect “a
requirement that a plaintiff show a statutory violation has
caused a ‘material risk of harm’ before he can bring suit.” Id.
at 637 (quoting Spokeo, 136 S. Ct. at 1550). But Horizon
rejected a requirement that a plaintiff show an additional risk
of harm when a violation has already harmed a concrete
interest identified by Congress. As we have explained, the
alleged injury in Horizon—unauthorized dissemination of
private information—could “itself constitute a cognizable
injury,” id. at 638–39, and was “the very injury that FCRA
[was] intended to prevent,” id. at 640.
4
This “material risk of harm” standard also strikes a balance
between Congress’s “power to define injuries and articulate
chains of causation that will give rise to a case or controversy
where none existed before,” Spokeo, 136 S. Ct. at 1549
(quoting Lujan, 504 U.S. at 580 (Kennedy, J., concurring)
17
B.
Kamal has pleaded two allegedly “concrete” injuries:
“the printing of the prohibited information itself,” i.e., a
violation of FACTA’s plain text, and the “increas[ed] risk of
identity theft” resulting from that printing. App. 104, Sec. Am.
Compl. ¶ 36. But the procedural violation is not itself an injury
in fact, and Kamal has not otherwise alleged a risk of harm that
satisfies the requirement of concreteness.
1.
In Spokeo, the Supreme Court instructed courts
determining standing to consider Congress’s judgment, as
Congress is “well positioned to identify intangible harms that
meet minimum Article III requirements.” 136 S. Ct. at 1549.
Based on the plain text of FACTA, which requires truncation
of all but the last five digits of a consumer’s credit card
number, we recognize Congress identified the violation alleged
here. By “creat[ing] a private right of action to enforce”
FACTA’s provisions and “allow[ing] for statutory damages for
willful violations,” Horizon, 846 F.3d at 639, Congress has
“expressed an intent to make [the] injury redressable,” id. at
637. See Long, 903 F.3d at 323–24.
(internal quotation mark omitted)), and the requirement that—
absent a statutory right of action—a threatened harm be
“certainly impending” or based on a “substantial risk” of harm
to amount to injury in fact, Clapper v. Amnesty Int’l USA, 568
U.S. 398, 409, 414 n.5 (2013). See Summers, 555 U.S. at 497
(“[T]he requirement of injury in fact is a hard floor of Article
III jurisdiction that cannot be removed by statute.”).
18
But the Clarification Act also expresses Congress’s
judgment that not all procedural violations of FACTA will
amount to concrete harm. The congressional findings
underlying the Act are directed to the risk incurred by printing
the expiration date when the card number is properly truncated.
Though expiration date truncation is not at issue here,
Congress’s action to limit FACTA liability to those claims
implicating actual harm accords with our understanding of
Article III. Cf. Spokeo, 136 S. Ct. at 1549 (explaining that a
plaintiff does not “automatically satisf[y] the injury-in-fact
requirement whenever a statute grants a person a statutory
right” because “Article III standing requires a concrete injury
even in the context of a statutory violation”). Accordingly, we
next consider whether Kamal has pleaded a concrete injury.
2.
As noted, in determining whether “an alleged intangible
harm” is concrete, Spokeo directs us to “consider whether [the]
harm has a close relationship to a harm that has traditionally
been regarded as providing a basis” for a common law action.
136 S. Ct. at 1549; see also Horizon, 846 F.3d at 637
(explaining that if the alleged harm closely relates to a
traditional harm, “it is likely to be sufficient to satisfy the
injury-in-fact element of standing”). Kamal contends his injury
is analogous to common law privacy torts and an action for
breach of confidence. Because Kamal’s alleged injury is
different in kind than the harms “providing a basis” for these
common law actions, we disagree.
Harms actionable under traditional privacy torts include
“unreasonable intrusion upon . . . seclusion,” “appropriation of
the other’s name or likeness,” “unreasonable publicity given to
19
the other’s private life,” and “publicity that unreasonably
places the other in a false light before the public.” Long, 903
F.3d at 324 (quoting Restatement (Second) of Torts §
652A(2)(a)–(d) (1977)). The most analogous tort here is
unreasonable publicity, which, as we explained in Horizon,
protects against “unauthorized disclosures of information.”
846 F.3d at 638 (quoting Nickelodeon, 827 F.3d at 274);
accord Cox Broad. Corp. v. Cohn, 420 U.S. 469, 489 (1975)
(noting that the “gravamen” of the injury in a public disclosure
case “is the publication of information”). Similarly, a breach of
confidence involves “the unconsented, unprivileged disclosure
to a third party of nonpublic information that the defendant has
learned within a confidential relationship.” Alan B.
Vickery, Note, Breach of Confidence: An Emerging Tort, 82
Colum. L. Rev. 1426, 1455 (1982); see also McGuire v.
Shubert, 722 A.2d 1087, 1091 (Pa. Super. Ct. 1998) (breach of
confidence requires “banker [to] divulge to third persons,
without the consent of the customer . . . any information
relating to the customer acquired through the keeping of his
account” (quoting Peterson v. Idaho First Nat. Bank, 367 P.2d
284, 290 (Idaho 1961))). Importantly, the harm underlying
both of these actions transpires when a third party gains
unauthorized access to a plaintiff’s personal information.
Kamal’s injury does not have the requisite “close
relationship” with these actions because he does not allege
disclosure of his information to a third party. See Spokeo, 136
S. Ct. at 1549. Instead, he pleads only that he “received” a
FACTA non-compliant receipt after each transaction. App. 97,
Sec. Am. Compl. ¶ 8. As Kamal points out, our precedent does
not require an “exact historical analog,” Appellant’s Br. at 20,
and we have recognized Congress’s ability to define injuries
that would not “give rise to a cause of action under common
20
law,” Horizon, 846 F.3d at 639. Yet we still require the harm
be “of the same character of previously existing ‘legally
cognizable injuries.’” Susinno, 862 F.3d at 352 (quoting
Spokeo, 136 S. Ct. at 1549). For example, in Susinno, although
the alleged single unwanted telephone call was not the
persistent hounding required to state a claim for intrusion upon
seclusion, the harm was similar and thus appropriate for
Congress to elevate to a concrete injury. Id. at 351–52. As
Spokeo reminds us, because comparison to “historical
practice” helps us understand the type of harm that meets
Article III’s case-or-controversy threshold, it is important that
the relationship be “close.” Spokeo, 136 S. Ct. at 1549. Absent
disclosure to a third party, Kamal’s injury is unlike the harms
recognized by traditional causes of action. Accordingly,
historical practice does not weigh in favor of finding a concrete
injury on the facts pleaded here. See id.
3.
But the Supreme Court has explained that a “risk of real
harm” may “satisfy the requirement of concreteness.” Id.
Kamal maintains this inquiry is irrelevant because he has
pleaded the violation of a “statutory right to remedy an
‘intangible harm,’” itself sufficient to confer standing.
Appellant’s Br. at 24. He points to a passage in Spokeo, where
the Court explained that “the violation of a procedural right
granted by statute can be sufficient in some circumstances to
constitute injury in fact. In other words, a plaintiff in such a
case need not allege any additional harm beyond the one
Congress has identified.” 136 S. Ct at 1549. But this passage
lends no help to Kamal. “The emphasized phrase ‘additional
harm’ clearly presumes that the putative plaintiff had already
suffered a de facto injury resulting from the procedural
21
violation.” Owner-Operator Indep. Drivers Ass’n v. U.S. Dep’t
of Transp., 879 F.3d 339, 343 (D.C. Cir. 2018). Because the
FACTA violation alleged by Kamal is not itself a concrete
injury, his case does not present the circumstances envisioned
by Spokeo. Kamal also points to Horizon, where we said that
under the FCRA “Congress established that the unauthorized
dissemination of personal information by a credit reporting
agency causes an injury in and of itself—whether or not the
disclosure of that information increased the risk of identity
theft or some other future harm.” 846 F.3d at 639. Again, in
Horizon, it was the alleged injury’s close relationship to a
traditional harm that showed it was sufficiently concrete to
create standing. Here, absent unauthorized third-party
disclosure, Kamal’s alleged FACTA violation is not “an injury
in and of itself.” Accordingly, we will evaluate whether the
FACTA procedural right protects a concrete interest, and if the
violation alleged by Kamal entails a degree of risk sufficient to
meet the concreteness requirement. See Spokeo, 136 S. Ct. at
1549–50.
As we have noted, the FACTA provision at issue was
part of Congress’s effort to prevent the concrete harm of
identity theft. See 117 Stat. at 1952; accord Bassett v. ABM
Parking Servs., 883 F.3d 776, 782–83 (9th Cir. 2018)
(FACTA’s truncation provision seeks to reduce the risk of
identity theft); Katz v. Donna Karan Co., 872 F.3d 114, 116
(2d Cir. 2017) (same); Meyers v. Nicolet Rest. of De Pere, LLC,
843 F.3d 724, 725 (7th Cir. 2016), cert. denied, 137 S. Ct. 2267
(2017) (same). Kamal contends we should defer to what he
sees as Congress’s determination that all conduct prohibited by
FACTA creates a sufficient risk of identity theft. See
Appellant’s Br. at 16. As we have described, Kamal’s Second
Amended Complaint devotes much space to showing that
22
Congress enacted FACTA to combat identity theft. See, e.g.,
App. 104–06, Sec. Am. Compl. ¶¶ 36–41. But the lesson of
Spokeo is that we must confirm a concrete injury or material
risk exists even when Congress confers a right of action. 5
Accordingly, we will review the Second Amended Complaint
to see if it “clearly and specifically set[s] forth facts” showing
a risk of harm particular to Kamal. Reilly, 664 F.3d at 41
(quoting Whitmore, 495 U.S. at 155 (internal quotation mark
omitted)).
Kamal’s Second Amended Complaint broadly alleges
that J. Crew’s printing of the first six digits of his credit card
number “created a real risk of identity theft.” App. 117–18,
Sec. Am. Compl. ¶¶ 99, 101, 103; see also App. 104, Sec. Am.
Compl. ¶ 36. These conclusory allegations of risk are
insufficient. See Horizon, 846 F.3d at 633 (noting “threadbare
recitals of the elements of standing, supported by mere
conclusory statements” are “disregard[ed]” at the motion to
dismiss stage (internal citation omitted)). Instead, Kamal must
5
Furthermore, the congressional “[f]act-[f]inding” Kamal
relies on is not particularized to his alleged injury. Appellant’s
Br. at 12. Kamal does not point us to any part of the
congressional record that considers the risk of identity theft
when only the first six and last four digits of a consumer’s
credit card are printed on a receipt. Instead, he notes that
“[e]xperts . . . recommended [to Congress] that card numbers
not be printed in full on receipts, because card numbers are
particularly dangerous in the hands of sophisticated criminals.”
Id. at 13 (emphasis added); see also App. 104, Sec. Am.
Compl. ¶ 37. Because Kamal has not alleged that J. Crew
printed his card number “in full,” these congressional findings
of risk are not tailored to the FACTA violation he has pleaded.
23
plausibly aver how J. Crew’s printing of the six digits presents
a material risk of concrete, particularized harm.
The closest the Second Amended Complaint comes to
alleging material risk of harm is its allegation that “identity
thieves . . . obtain Card receipts that are lost or discarded, or
through theft, and use the information on them to commit fraud
and theft.” App. 101, Sec. Am. Compl. ¶ 28. As the District
Court explained, this threat consists of a “highly ‘speculative
chain of future events,’” Kamal, 2017 WL 2587617, at *5
(quoting Reilly, 664 F.3d at 46): “Kamal loses or throws away
[the receipt], which is then discovered by a hypothetical third
party, who then obtains the six remaining truncated digits
along with any additional information required to use the card,
such as the expiration date, security code or zip code.” Id.
Kamal has alleged neither third-party access of his
information, nor that the receipt included enough information
to likely enable identity theft. Our analysis would be different
if, for example, Kamal had alleged that the receipt included all
sixteen digits of his credit card number, making the potential
for fraud significantly less conjectural. Here, however, we
agree with the District Court that this speculative chain of
events does not constitute a material risk of harm. 6
6
Our opinion in Horizon supports this conclusion. In Horizon,
although we did not rely on a “risk of harm” analysis because
the unauthorized dissemination of the plaintiffs’ personal
information was itself a concrete injury, we also found the
alleged data breach created a material risk of identity theft. 846
F.3d at 639 n.19. Specifically, we noted the stolen information
was highly personal and could be used to steal one’s identity,
and the personal information was easily accessible because
24
In responding to J. Crew’s motion to dismiss and in his
briefing on appeal, Kamal attempts to supplement his
Complaint by referring to a study and accompanying press
release that he contends shows “the concrete risk that
publication of card numbers creates.” Appellant’s Br. at 15
(citing Mohammed Aamir Ali et al., Does the Online Card
Payment Landscape Unwittingly Facilitate Fraud?, 15 IEEE
Security & Privacy, Mar–Apr. 2017, at 78–86). Because this
study was not attached to or referenced in Kamal’s pleadings,
we do not consider either the study or Kamal’s “after-the-fact
allegations” related to the study “in determining the sufficiency
of [the] complaint.” Frederico v. Home Depot, 507 F.3d 188,
201–02 (3d Cir. 2007).
Although we do not consider it, we observe the study is
not relevant to Kamal’s allegations. The study describes how
hackers—who begin with none of a consumer’s credit card
details—can exploit weaknesses in online payment systems to
generate usable card payment details, including card numbers,
expiration dates, and card verification value (CVV) numbers.
Ali et al., supra, at 78. First, the hacker can theoretically obtain
a valid full card number using the first six digits and a common
algorithm. Id. at 81. Because this method generates a valid card
number (as opposed to a random collection of digits), it must
Horizon’s laptops were unencrypted. Id. Here, no information
has been stolen or disclosed, and even if there was disclosure,
the information could not easily be used to steal Kamal’s
identity because, as pleaded, a thief would still need to “pick
off” the remaining “different bits of information from different
sources.” See App. 106, Sec. Am. Compl. ¶ 43 (internal
citation omitted).
25
also be verified. Id. Once verified, the hacker can use that
anonymous card number on multiple merchants’ online
payment pages to systematically guess the remaining card data.
Id. at 80. In light of these system weaknesses, the study advises
online merchants to uniformly require three fields of card data
(card number, expiration date, and CVV) for a purchase, as
doing so would mean “the difference between a quick and
practical attack, and a tedious, close to impractical attack.” Id.
The study thus concerns vulnerabilities in online payment
systems that allow hackers to obtain a range of credit card data.
Kamal’s assertions about the study’s relevance to his claim
take its language out of context and distort its conclusions.
Compare Appellant’s Br. at 15, with Ali et al., supra, at 80. 7
In sum, absent a sufficient degree of risk, J. Crew’s
alleged violation of FACTA is “a bare procedural violation”
7
Moreover, consideration of the study and accompanying
press release would—were it part of our analysis—add
additional support for our conclusion that Kamal has not
alleged actual harm or material risk of harm. The press release
says that “the first six digits” of a credit card “tell you the bank
and card type and so are the same for every card from a single
provider.” Six Seconds to Hack a Credit Card, Newcastle
University (Dec. 2, 2016) (attached as Ex. B. to Frank Decl.
Supp. Pl.’s Opp. Defs.’s Mot. Dismiss Sec. Am. Compl.,
Kamal v. J. Crew Grp., Inc., D. Ct. Dkt. No. 69-3, Civ. No. 15-
0190 (D.N.J. Jan. 12, 2017)) (emphasis added). Here, the
receipts Kamal received from J. Crew separately identify his
card provider, Discover. Taking the press release’s statement
as true, the inclusion of the first six digits provides no more
information than is already permissibly printed on the receipt,
and so could not increase the risk of identity theft.
26
that does not create Article III standing. Spokeo, 136 S. Ct. at
1549. This result falls within the Supreme Court’s admonition
that when Congress “adopt[s] procedures designed to decrease
th[e] risk” of harm to a concrete interest, “[a] violation of one
of th[ose] procedural requirements may result in no harm.” Id.
at 1550.
C.
Our conclusion is in keeping with the decisions of the
majority of our sister circuits that have addressed similar
issues.
In Katz, the Second Circuit determined a plaintiff lacked
standing in a FACTA case based on the improper truncation of
the plaintiff’s credit card number. 872 F.3d at 116. The court—
which addressed a factual challenge to standing—agreed with
the trial court that printing the first six digits was a “bare
procedural violation” of FACTA that “did not raise a material
risk of harm of identity theft.” Id. at 121. The court deferred to
the trial judge’s factual finding that printing the first six digits
was “the equivalent of printing the name of the issuing
institution, information which need not be truncated under
FACTA,” and thus did not increase the risk of harm. Id. at 120.
But in Muransky v. Godiva Chocolatier, Inc., 905 F.3d
1200 (11th Cir. 2018), the Eleventh Circuit found the same
alleged FACTA violation “create[d] a concrete injury,” id. at
1211, “the unlawful disclosure of legally protected
information,” id. at 1210 (quoting Nickelodeon, 827 F.3d at
27
274). 8 The court reached this conclusion after finding the
FACTA violation was similar to a common law breach of
confidence action. Id. at 1209. As we have explained, we do
not believe a breach of confidence action is sufficiently
analogous absent third-party disclosure. The Eleventh Circuit
recognized this incongruity, acknowledging the breach of
confidence tort is “complete after the person entrusted with
property or information gives it to a third party.” 905 F.3d at
1211. 9 Because Kamal has not alleged disclosure to a third
8
In Muransky, the Eleventh Circuit upheld a $6.3 million
FACTA class action settlement over an appeal by objecting
class members. 905 F.3d at 1204–05. The parties reached the
settlement in 2015—before the Supreme Court’s decision in
Spokeo—and the defendant never challenged the plaintiff’s
standing. Instead, an objecting class member first raised
standing at the trial court’s final approval hearing for the
settlement. Id. at 1206.
9
Moreover, the sources cited in Muransky recognize that a
breach of confidence requires unauthorized disclosure to a
third party. See McCormick v. England, 494 S.E.2d 431, 438
(S.C. Ct. App. 1997) (“A confidential relationship is breached
if unauthorized disclosure is made to only one person not a
party to the confidence.” (quoting Breach of Confidence: An
Emerging Tort, 82 Colum. L. Rev. at 1442)); Alicia Solow-
Niederman, Beyond the Privacy Torts: Reinvigorating A
Common Law Approach for Data Breaches, 127 Yale L.J.
Forum 614, 633 (2018) (noting that a breach does not take
place until the data holder’s “operations in fact permit a breach
of that [personal] data”); Neil M. Richards & Daniel J.
Solove, Privacy’s Other Path: Recovering the Law of
Confidentiality, 96 Geo. L.J. 123, 135 (2007) (“[D]uties of
28
party, we disagree that a “close relationship” to a breach of
confidence exists, and do not find a concrete injury on this
basis. 10
Although the Eleventh Circuit did not reach the “risk of
harm” analysis, it admonished courts that have “incorporated
the fact findings” from other courts’ opinions “into [their own]
legal analysis that FACTA violations do not create a concrete
injury.” Muransky, 905 F.3d at 1213. The District Court here,
in addition to finding the risk of harm too speculative, also
found no material risk of harm because printing a credit card’s
first six digits “gives an identity thief no more personal
information about a person’s account than Congress has
permitted to be printed on receipts.” Kamal, 2017 WL
nondisclosure attached to confidential relationships prohibited
a person from divulging confidential information to any
unauthorized person.”).
10
The Eleventh Circuit held that besides alleging a concrete
injury on the basis of the statutory violation, the plaintiff
alleged an additional concrete injury: “shouldering the cost of
safely keeping or destroying the receipt” to “avoid someone
finding [the] credit card number on [the] receipt.” Muransky,
905 F.3d at 1211. This injury was not alleged in Kamal’s
Second Amended Complaint and so was not addressed by the
District Court’s opinion. Because it was not raised by Kamal,
we need not speculate about how such an allegation might
change the standing analysis. Cf. Whitmore, 495 U.S. at 155–
56 (“A federal court is powerless to create its own jurisdiction
by embellishing otherwise deficient allegations of standing.”).
29
2587617, at *4 (quoting Noble v. Nev. Checker CAB Corp., No.
15-2322, 2016 WL 4432685, at *3 (D. Nev. Aug. 19, 2016)).
Because we are presented with a facial challenge to standing,
we must consider only the Complaint, viewing it in the light
most favorable to Kamal. In this context, we agree with the
Eleventh Circuit that we cannot “rely on facts established in . .
. older cases.” Muransky, 905 F.3d at 1214; accord S. Cross
Overseas Agencies, Inc. v. Wah Kwong Shipping Grp., 181
F.3d 410, 426 (3d Cir. 1999) (“To resolve a 12(b)(6) motion .
. . we may [not] take judicial notice of another court’s opinion
. . . for the truth of the facts recited therein.”). 11 Accordingly,
our determination that Kamal has not alleged a concrete injury
does not incorporate this analysis. We instead affirm, as
explained above, on the grounds that Kamal’s alleged injury is
not itself concrete and the alleged risk of identity theft is too
speculative to satisfy the requirement of concreteness.
The Ninth and Seventh Circuits have reached
conclusions similar to ours in cases involving violations of
FACTA’s ban on including credit card expiration dates on
receipts. See Bassett, 883 F.3d at 777; Meyers, 843 F.3d at
725–26. 12 As we do here, the Ninth Circuit rejected the
11
As the Eleventh Circuit explained, “[t]here are a number of
problems with relying on facts found in another FACTA case
to say [a plaintiff] does not have standing.” Muransky, 905
F.3d at 1213. For example, the other plaintiffs “may have done
a poor job at proving standing as a factual matter,” and “in light
of evolving technology” there are “variations in the amount of
risk related to different disclosures or data breaches.” Id.
12
Because these cases involved FACTA’s expiration date
requirement, these courts relied in part on Congress’s
30
plaintiff’s proposed analogy to “privacy-based torts centered
on wrongful disclosures of information” because the defendant
“did not disclose [the plaintiff’s] information to anyone but
[the plaintiff].” Bassett, 883 F.3d at 780. The court also found
the risk of identity theft too speculative to amount to a concrete
injury, “given that [the plaintiff] could shred the offending
receipt along with any remaining risk of disclosure.” Id. at 783.
Likewise, in Meyers, the Seventh Circuit determined that a
restaurant’s failure to truncate the expiration date from a
receipt did not “create[] any appreciable risk of [identity theft]”
when the plaintiff “discovered the violation immediately and
nobody else ever saw the non-compliant receipt.” Id. at 727.
E.
Because Kamal lacks standing, we must vacate the
District Court’s order dismissing the case with prejudice and
remand for the District Court to dismiss without prejudice. The
District Court initially dismissed this case without prejudice.
After Kamal stated his intention to stand on his Second
Amended Complaint and asked the court to amend the
disposition to designate it as final, the District Court amended
the judgment to dismiss the case with prejudice. Nonetheless,
the case should be dismissed without prejudice because the
statement in the Clarification Act that “failure to truncate a
card’s expiration date, without more, does not heighten the risk
of identity theft.” Meyers, 843 F.3d at 727; see also Bassett,
883 F.3d at 783. As we have stated, these congressional
findings in the Clarification Act are not directly relevant to our
analysis of Kamal’s standing. But because both Bassett and
Meyers reached other pertinent conclusions in applying
Spokeo’s framework, we discuss them here.
31
District Court lacked jurisdiction. See Cottrell v. Alcon Labs.,
874 F.3d 154, 164 n.7 (3d Cir. 2017) (stating that “[b]ecause
the absence of standing leaves the court without subject matter
jurisdiction to reach a decision on the merits, dismissals ‘with
prejudice’ for lack of standing are generally improper”).
Accordingly, we will remand for this limited purpose.
IV.
For the foregoing reasons, we will affirm the District
Court’s judgment that Kamal lacks standing. But we will
vacate and remand for the District Court to dismiss the Second
Amended Complaint without prejudice. In light of our
decision, we need not reach J. Crew’s cross-appeal, and we will
dismiss it as moot.
32