Yehuda KATZ, Plaintiff–Appellant, v. The DONNA KARAN COMPANY, L.L.C., The Donna Karan CompanyStore, L.L.C., Donna Karan International, Incorporated, Defendants–Appellees.
This is the second of two related cases concerning the impact of Spokeo, Inc. v. Robins, ––– U.S. ––––, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016), as revised (May 24, 2016), on the concrete injury requirement for establishing Article III standing when a claim alleges only a bare procedural violation of a statute, here the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), Pub. L. No. 108-159, 117 Stat. 1952 (codified as amended at 15 U.S.C. § 1681c(g)). FACTA seeks to reduce the risk of identity theft by, among other things, prohibiting merchants from including more than the last five digits of a customer's credit card number on a printed receipt. See 15 U.S.C. § 1681c(g)(1). In the related case, Crupar–Weinmann v. Paris Baguette Am., Inc., 861 F.3d 76 (2d Cir. 2017) (“Paris Baguette”), we held that the specific alleged bare procedural violation of FACTA—the printing of the plaintiff's credit card expiration date on her receipt—presented no material risk of harm to the underlying interest Congress sought to protect (identity theft), because Congress itself had clarified that printing the expiration date, without more, did not “increase[ ] the risk of material harm of identity theft.” Id. at 81.
Here, the plaintiff alleges that he twice purchased items at the defendants' stores, and on both occasions received a printed receipt that identified not only the last four digits of his credit card number but also the first six digits. He alleges that such a violation of FACTA raises a material risk of harm of identity theft, and so he has suffered a concrete injury sufficient to establish Article III standing to sue defendants for the violation. At the motion-to-dismiss stage below, the defendants introduced extrinsic evidence that the first six digits of a credit card number simply identify the card issuer and provide no personally identifying information about the plaintiff. In part on this basis, the district court concluded that this alleged procedural violation, without some further harm, did not raise a material risk of identity theft sufficient to satisfy the concrete injury requirement as articulated in Spokeo, and dismissed with prejudice the plaintiff's complaint for lack of subject matter jurisdiction. See generally Katz v. Donna Karan Int'l, Inc., No. 14 CIV. 740 (PAC), 2017 WL 2191605 (S.D.N.Y. May 17, 2017) (“Katz”).
On appeal, we hold that the parties' factual disagreement as to whether printing the first six digits constituted a material risk of harm is a question of fact even at the Rule 12(b)(1) motion-to-dismiss stage, and so we review the district court's finding for clear error. On the basis of the record below and the plaintiff's affirmative burden to establish subject matter jurisdiction by a preponderance of the evidence, and informed by the findings of other district courts as to this specific issue, we conclude that the district court's finding was not clearly erroneous. Accordingly, we AFFIRM the judgment of the district court dismissing the plaintiff's second amended complaint for lack of subject matter jurisdiction. However, because a complaint must be dismissed without prejudice where the dismissal is due to the court's lack of subject matter jurisdiction, we REMAND so that the district court may amend the judgment and enter the dismissal without prejudice.
I. Factual History
We draw the brief factual history of this case from plaintiff's second amended complaint, filed after our remand. Plaintiff Yehuda Katz alleges that, in January and February 2014, respectively, he visited the defendants' stores in Tipton Falls, New Jersey, and New York, New York, made a purchase, and at each “was given a customer copy of a computer-generated cash register receipt that published the first six digits of Plaintiff's credit card number.” Sec. Am. Compl. ¶ 61. Katz alleges that printing the first six digits of his credit card number was in violation of FACTA. Id. ¶¶ 67; 72. Congress passed FACTA in part to reduce the risk of identity theft by, among other things, imposing a “truncation” requirement on venders who accept credit and debit cards, instructing them not to print “more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. § 1681c(g)(1).
Like the amended complaint in Paris Baguette, Katz's second amended complaint here is “devoid of specific factual allegations concerning ․ any consequences that stemmed from display of” the first six digits of his credit card number on the receipts. 861 F.3d at 78. And as in Paris Baguette, Katz's second amended complaint instead largely focuses on the identity theft concerns that motivated Congress to pass FACTA, as well as the defendants' alleged prior knowledge of FACTA's requirements. Katz contends that the receipts issued by defendants including the first six digits of his credit card number are “exactly the reckless, i.e. willful, systematic dissemination of personal information which FACTA was enacted to protect from disclosure, i.e. concrete particularized harm which FACTA made redressable by providing a statutory damages remedy.” Sec. Am. Compl. ¶ 68.
II. Procedural History
Katz filed his complaint in February 2014 and then amended his complaint in May 2014. Shortly thereafter, defendants moved to dismiss. The district court ultimately granted the motion, primarily on the basis that his complaint did not contain “any well-pleaded facts which allow the plausible inference that Defendants willfully, knowingly, or recklessly violated FACTA.” Katz v. Donna Karan Int'l, Inc., No. 14 CIV. 740 PAC, 2015 WL 405506, at *2 (S.D.N.Y. Jan. 30, 2015). Katz appealed, and on October 28, 2015, we heard consolidated oral argument in both his case and Paris Baguette. Days later, the Supreme Court heard oral argument in Spokeo, which raised questions concerning the circumstances in which a risk of harm may be sufficiently concrete so as to satisfy the injury-in-fact requirement for Article III standing. 136 S.Ct. at 1549. After the Court clarified the requirements for standing in Spokeo, we vacated and remanded both cases “to allow plaintiffs an opportunity to replead their claims to comport with the pleading standards set forth in Spokeo, and to allow the district courts to address any standing questions in the first instance,” and we retained appellate jurisdiction over the outcomes. Cruper–Weinmann v. Paris Baguette Am., Inc., 653 Fed.Appx. 81, 82 (2d Cir. 2016). On remand, the district court again granted the defendants' motion to dismiss, this time because Katz did “not show that Defendants' FACTA violation presented a material risk of harm to [the] underlying interest of identity theft protection,” and so Katz did not plead a concrete injury-in-fact sufficient to establish standing. Katz, 2017 WL 2191605, at *6 (alteration in original) (internal quotation marks omitted). The district court dismissed with prejudice Katz's claims for lack of subject matter jurisdiction, Katz appealed that dismissal, and the parties submitted letter briefing addressing this issue in light of Spokeo and our Circuit's subsequent doctrine concerning standing requirements when alleging bare procedural violations of law.
I. Standard of Review
We review de novo the district court's decision to dismiss a complaint for lack of standing pursuant to Federal Rule of Civil Procedure 12(b)(1), “construing the complaint in plaintiff's favor and accepting as true all material factual allegations contained therein.” Donoghue v. Bulldog Inv'rs Gen. P'ship, 696 F.3d 170, 173 (2d Cir. 2012).
II. Concrete Harm from a Bare Procedural Violation of FACTA
In Paris Baguette, we described the contours of the concreteness requirement in light of Spokeo. See 861 F.3d at 79–81. After Spokeo, we explained, “the critical question for standing purposes is ‘whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement,’ ” 861 F.3d at 80 (quoting Spokeo, 136 S.Ct. at 1550), which in turn depends on “whether the particular bare procedural violation may present a material risk of harm to the underlying concrete interest Congress sought to protect” in enacting the statutory requirement. Id. at 80–81.
Below, the district court concluded that although defendants violated FACTA's prohibition on printing the first six digits of Katz's credit card, “[t]he first six digits do not disclose any information about Plaintiff; but rather ‘identify the institution that issued the card to the card holder.’ ” Katz, 2017 WL 2191605, at *1. The court drew this conclusion from information alleged in the defendants' motion to dismiss, and from a website cited in the defendants' brief. That site explains that “[t]he first 6 digits of a credit card number are known as the Issuer Identification Number (IIN), previously known as bank identification number (BIN). These identify the institution that issued the card to the card holder.” See Bin List (Binlist) & Bin Ranges, https://www.bindb.com/bin-list.html (last visited Sept. 18, 2017). The court also made reference to similar findings made by several other district courts across the country. See Katz, 2017 WL 2191605, at *5 (collecting cases). Because the court found that the “additional digits identify the card issuer[,] and do not disclose any information pertaining to Plaintiff,” it concluded that printing the first six digits “did not present an actual or imminent risk of harm” of identity theft to plaintiff, and so it dismissed, with prejudice, Katz's claims for lack of subject matter jurisdiction. Id. at *5.
On appeal, Katz argues that the district court went “beyond the complaint's allegations” and “decided for itself (based on Internet research) that the first six digits of Katz's credit card number” disclosed no personally identifying information and revealed only the institution that issued the credit card. Pl. Letter Br. at 5–6. Katz challenges this finding, asserting that “the identity of the institution at which Katz keeps a credit card account is data ‘about’ Katz and, more importantly, it is data an identity thief can exploit.” Id. at 6. Plaintiff contends that the printing of each additional digit beyond the last five permitted by FACTA raises a risk of identity theft because it “increases a card number's vulnerability to brute-force cryptological attack, i.e. computer-assisted guessing” by reducing to six the number of digits that must be guessed out of the total of sixteen on Katz's card. Id. at 6 n.2. In response, the defendants reiterate the district court's finding, arguing that they “redacted all of the personally identifying information from Plaintiff's receipts required by FACTA, and more. Printing the non-unique identifying number of the bank that issued his card did not change that.” Def. Letter Br. 18 (citation omitted).
The key issue for this Court to resolve, then, is whether the district court was correct in finding at the motion-to-dismiss stage that because the first six digits of plaintiff's credit card number are the IIN number, Katz did not plead a concrete harm in alleging that the defendants violated FACTA by printing those six digits on his receipts.
III. Assessing a “Real Risk of Harm” at the Motion-to-Dismiss Stage
As we explained in our Circuit's first post-Spokeo case to consider standing to sue for a bare procedural violation of law, Strubel v. Comenity Bank, a plaintiff's pleading must satisfy a two-part test for such an allegation to constitute a concrete harm: first, that “Congress conferred the procedural right to protect a plaintiff's concrete interests” as to the harm in question, and second, that “the procedural violation presents a ‘risk of real harm’ to that concrete interest.” 842 F.3d 181, 190 (2d Cir. 2016) (citation omitted). The first of these two issues—determining the scope and purpose of the procedural right provided by the statute—is a question of law, and so we review that aspect of the district court's conclusion, like all questions of law, de novo. See Connecticut v. Physicians Health Servs. of Connecticut, Inc., 287 F.3d 110, 114–15 (2d Cir. 2002). However, we have not yet addressed the second issue: how should district courts determine whether a bare procedural violation presents a material risk of harm to a concrete interest?
Confronted with that issue now, we conclude that this second requirement may raise either a question of law or a question of fact, depending on the sources the parties rely on in their pleadings. In Carter v. HealthPort Technologies, LLC, 822 F.3d 47 (2d Cir. 2016), we explained that “[a] Rule 12(b)(1) motion challenging subject matter jurisdiction may be either facial or fact-based.” Id. at 56. When confronted with a defendant's facial challenge to standing, i.e., one “based solely on the allegations of the complaint or the complaint and exhibits attached to it,” plaintiffs have no evidentiary burden, for both parties can be said to rely solely on the facts as alleged in the plaintiffs' pleading. Id. However, a defendant may also “make a fact-based Rule 12(b)(1) motion, proffering evidence beyond the [plaintiffs' p]leading.” Id. at 57. In opposition to such a motion, plaintiffs must “come forward with evidence of their own to controvert that presented by the defendant,” or may instead “rely on the allegations in the[ir p]leading if the evidence proffered by the defendant is immaterial because it does not contradict plausible allegations that are themselves sufficient to show standing.” Id.
Here, Katz is correct in contending that the argument defendants raised below went beyond the allegations in his pleading. Defendants made a fact-based Rule 12(b)(1) challenge in their motion to dismiss, relying on extrinsic evidence—i.e., citation to the aforementioned website to establish that the first six digits are the IIN—in arguing that the first six digits of Katz's credit card were not personally identifying and thus did not raise a material risk of harm of identity theft. Below, Katz objected to the defendants' reliance “on matter[s] outside of the [Second Amended Complaint] that [were] not before [the district c]ourt, namely, a website and the summary of an expert's opinion from” another case. Pl. Opp. at 16 n.10. As a factual matter, Katz asserted both before the district court and here on appeal that even revealing the IIN digits raises a material risk of identity theft, because, as discussed above, the more digits revealed, the more vulnerable a card number may be to a “brute force cryptological attack.” Pl. Letter Br. at 6 n.2. Ultimately, the district sided with the defendants, concluding that printing the IIN did not raise a material risk of identity theft; it cited both the website in question as well as several other district court cases that made similar factual findings about the absence of a real risk of identity theft stemming the printing of the IIN digits on a receipt. See Katz, 2017 WL 2191605, at *5 (citing Kamal v. J. Crew Grp., Inc., No. 2:15-0190 (WJM), 2016 WL 6133827 (D.N.J. Oct. 20, 2016), and Thompson v. Rally House of Kansas City, Inc., No. 15-00886-CV-W-GAF, 2016 WL 8136658 (W.D. Mo. Oct. 6, 2016)).
Because “the extrinsic evidence presented by the defendant [wa]s material and controverted, the district court ․ need[ed] to make findings of fact in aid of its decision as to standing.” Carter, 822 F.3d at 57. And since “the [district] court ․ resolved disputed facts, we will accept the court's findings unless they are ‘clearly erroneous.’ ” Id. (alterations in original) (quoting Rent Stabilization Ass'n of New York v. Dinkins, 5 F.3d 591, 594 (2d Cir. 1993)). We must thus decide whether the district court was clearly erroneous in finding that the procedural violation of FACTA alleged (i.e., printing the first six digits of plaintiff's credit card number) raised a material risk of identity theft absent other allegations of harm.
In large part because the plaintiff has the burden of proving by a preponderance of the evidence that subject matter jurisdiction exists, see Makarova v. United States, 201 F.3d 110, 113 (2d Cir. 2000), we do not think the district court's finding was clearly erroneous as to the specific material facts in dispute in this case. FACTA does not expressly prohibit printing the identity of the card issuer on a receipt. See 15 U.S.C. § 1681c(g); see also In re Toys “R” Us—Delaware, Inc.—Fair & Accurate Credit Transactions Act (FACTA) Litig., No. CV 06-08163 MMM FMOX, 2010 WL 5071073, at *12 (C.D. Cal. Aug. 17, 2010) (recognizing that Congress did not prohibit printing issuer information on credit card receipt). As both the court below and other district courts have found, the first six digits of a credit card number constitute the IIN for the card's issuer, digits which can be easily obtained for any given issuer, including from the website discussed above. While Katz may be correct that every additional digit increases the risk of a brute force cryptological attack, printing the first six digits—the IIN—is the equivalent of printing the name of the issuing institution, information which need not be truncated under FACTA, and thus the district court did not clearly err in concluding that printing the IIN does not increase the risk of real harm. Cf. Noble v. Nevada Checker CAB Corp., No. 2:15-cv-02322-RCJ-VCF, 2016 WL 4432685, at *3 (D. Nev. Aug. 19, 2016) (finding the same). Here, moreover, neither receipt disclosed Katz's name, a fact that also reduces the possibility that disclosure of the IIN would result in harm.
Admittedly, the fact-finding procedure below was more abbreviated than might be conventionally expected or desirable in many contexts. Other FACTA cases, particularly those pre-Spokeo cases that did not consider subject matter jurisdiction and thus proceeded directly to the question of class certification, have provided the kind of expert witness declarations and fact-intensive pleadings ordinary associated with a material factual dispute requiring the district court to engage in fact-finding. See, e.g., In re Toys “R” Us, 2010 WL 5071073, at *11-*13 (discussing and weighing facts raised in competing expert witness declarations). In light of Spokeo's renewed emphasis on subject matter jurisdiction for claims alleging bare procedural violations of law, we note that in future cases, evidentiary production via affidavits, and even limited jurisdictional discovery, may sometimes be appropriate in order to resolve a fact-based Rule 12(b)(1) standing challenge to a claim arising from such a violation. And in some circumstances, a fact-finding hearing with expert witness testimony may very well be appropriate, depending on the novelty of the issue, the extent of the material dispute of facts, and the statutory prohibition in question. After all, precisely because the plaintiff bears the burden of alleging facts demonstrating standing, we have encouraged district courts to “give the plaintiff ample opportunity to secure and present evidence relevant to the existence of jurisdiction” where necessary. Amidax Trading Grp. v. S.W.I.F.T. SCRL, 671 F.3d 140, 149 (2d Cir. 2011) (per curiam) (citation omitted).
In this case, the plaintiff did not seek the opportunity to supplement the record with additional evidence after defendants included in their motion papers extrinsic evidence suggesting that printing the IIN did not increase the risk of harm. Going forward, where a defendant makes a fact-based Rule 12(b)(1) challenge to jurisdiction, we are confident that district courts will oversee the appropriate extent of fact-finding necessary to resolve the contested issue, and parties should be on renewed notice of both the right to introduce such evidence and the plaintiff's burden of proof to do so even at the motion-to-dismiss stage.
Here, given the plaintiff's burden to establish subject matter jurisdiction and the fact that FACTA does not prohibit printing the issuer identity on a receipt, and informed by the findings of other courts as to this issue, we conclude that the district court did not clearly err in finding that the bare procedural violation in question did not raise a material risk of harm of identity theft. We emphasize, however, that we do not here resolve whether other bare procedural violations of FACTA should or will meet a similar outcome, a question for lower courts to determine in the first instance, on a case- and fact-specific basis.
One other wrinkle: when a case is dismissed for lack of federal subject matter jurisdiction, “Article III deprives federal courts of the power to dismiss [the] case with prejudice.” Hernandez v. Conriv Realty Assocs., 182 F.3d 121, 123 (2d Cir. 1999). As a result, where a case is dismissed for lack of Article III standing, as here, that disposition cannot be entered with prejudice, and instead must be dismissed without prejudice. See Carter, 822 F.3d at 54–55. And, as we noted in dicta in Carter and must now order here, although we affirm the district court's conclusion that plaintiff's second amended complaint failed to establish Article III standing, we are “constrained to have the ․ [j]udgment amended to provide that the dismissal is without prejudice.” Id. at 55.
For the reasons explained, we conclude that plaintiff has not established a concrete injury sufficient to maintain Article III standing to bring suit. Plaintiff's suit was thus properly dismissed for lack of subject matter jurisdiction, but such a dismissal must be entered without prejudice. Accordingly, the judgment of the district court is AFFIRMED, but the case is REMANDED with the instruction that the court shall amend its judgment and enter dismissal without prejudice.
Katzmann, Chief Judge: