Opinion
17-CV-472(KAM)
12-29-2017
MEMORANDUM & ORDER
MATSUMOTO, United States District Judge :
In an amended complaint, plaintiff Yaakov Katz (the "plaintiff"), on behalf of himself and a putative class, alleges violations of the Fair and Accurate Credit Transactions Act ("FACTA") by the Metropolitan Transit Authority (the "defendant"), a New York public benefit corporation, which plaintiff asserts owns and/or operates transportation facilities throughout the New York region, including, in pertinent part, the Verrazano Narrows-Bridge and the Bronx-Whitestone Bridge. (Plaintiff's Amended Complaint ("Compl." or the "complaint"), ECF No. 15, at ¶¶ 1, 10.) Plaintiff asserts that defendant violated FACTA by issuing credit card transaction receipts that displayed improperly truncated credit card numbers. (See id. at ¶¶ 1-4.)
Before the court is defendant's motion to dismiss for failure to state a claim under Rule 12(b)(6) of the Federal Rules of Civil Procedure, and for lack of subject matter jurisdiction, presumably under Rule 12(b)(1), based on plaintiff's lack of standing under Article III of the United States Constitution. For the reasons that follow, the complaint is dismissed for lack of subject matter jurisdiction under Rule 12(b)(1) of the Federal Rules of Civil Procedure.
BACKGROUND
The following allegations from the complaint are taken as true for the purposes of a motion to dismiss. See Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009); Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555-56 (2007); see also Morrison v. Nat'l Australia Bank Ltd., 547 F.3d 167, 170 (2d Cir. 2008) (citations omitted) (discussing treatment of material factual allegations in complaint for purposes of Rule 12(b)(1) analysis), aff'd on other grounds, 561 U.S. 247 (2010). On August 12, 2015, plaintiff paid a toll using his Visa credit card on the Verrazano-Narrows Bridge, and on January 25, 2017, plaintiff paid a toll using his Visa credit card on the Bronx-Whitestone Bridge. (Compl. at ¶¶ 18-19.) After plaintiff paid for each toll with his Visa credit card, he received an electronically printed receipt. (Id.) Due to the manner in which defendant programmed its computer systems, both of these receipts (the "Toll Receipts") displayed the first six digits of plaintiff's Visa credit card number. (Id. at ¶ 20, 22.)
While not expressly stated in the complaint, subsequent briefing by plaintiff clarifies that the first six digits, which plaintiff asserts are prohibited, and the last four digits, which plaintiff asserts are permitted, of plaintiff's credit card number were printed on the Toll Receipts. (E.g., Plaintiff's Motion of Points and Authorities in Opposition to Motion to Dismiss the Amended Complaint ("Pl. Opp." or the "opposition"), ECF No. 19, at 15 and n.3.) Additionally, all other credit card transaction receipts generated by the same computer system in the seventeen-month period between the first Toll Receipt and the second Toll Receipt displayed the first six digits of the toll payer's credit card number. (Compl. at ¶¶ 21-22.)
Plaintiff contends that, at all relevant times, defendant, directly or through a subsidiary, was responsible for operating, and collecting tolls on, the Verrazano-Narrows and Bronx-Whitestone Bridges. (Compl. at ¶ 10.) Defendant disputes this allegation and contends that a distinct entity, the Triborough Bridge and Tunnel Authority, is responsible for the maintenance and operation of the Verrazano-Narrows and Bronx-Whitestone Bridges. (See Memorandum of Law in Support of Defendant Metropolitan Transportation Authority's Motion to Dismiss ("Mot." or the "motion"), ECF No. 21-1, at 13-15.)
Based on the alleged legal separateness of the Triborough Bridge and Tunnel Authority and defendant, defendant asserts that even if plaintiff did suffer a cognizable injury, that injury is not fairly traceable to defendant and the plaintiff lacks standing to bring the instant action. (Mot. at 13-15.) Because the court finds that it lacks subject matter jurisdiction on other grounds, the court does not, at this time, address the impact of the alleged separateness of the relevant entities.
LEGAL STANDARD
I. Motion to Dismiss
In its Notice of Motion, (ECF No. 21), defendant moves to dismiss under Rule 12(b)(6), under which a plaintiff's complaint must be dismissed if it fails to state a claim upon which relief can be granted. Fed. R. Civ. P. 12(b)(6). Additionally, defendant's Notice of Motion seeks dismissal for lack of subject matter jurisdiction. (ECF No. 21). "A case is properly dismissed . . . under Rule 12(b)(1) when the district court lacks the statutory or constitutional power to adjudicate it." Makarova v. United States, 201 F.3d 110, 113 (2d Cir. 2000) (citing Fed. R. Civ. P. 12(b)(1)).
Additionally, a district court may dismiss a complaint under Rule 12(b)(1) sua sponte, Fountain v. Karim, 838 F.3d 129, 133 n.5 (2d Cir. 2016) (citations omitted); accord Fed. R. Civ. P. 12(h)(3), though the plaintiff should generally be given notice and have an opportunity to be heard. See Snider v. Melindez, 199 F.3d 108, 112-13 (2d Cir. 1999); accord Digitel, Inc. v. MCI Worldcom, Inc., 239 F.3d 187, 189-90 n.2 (2d Cir. 2001).
A Rule 12(b)(1) challenge to subject matter jurisdiction may be facial, that is, based solely on the pleadings, in which case the court must determine whether the pleadings "allege facts that affirmatively and plausibly suggest that [the plaintiff] has standing to sue." Amidax Trading Grp. v. S.W.I.F.T. SCRL, 671 F.3d 140, 145 (2d Cir. 2011); accord Carter v. HealthPort Techs., LLC, 822 F.3d 47, 56 (2d Cir. 2016). A Rule 12(b)(1) motion may also be fact-based and rely on evidence beyond the pleadings, in which case a plaintiff must present controverting evidence unless the evidence is "immaterial because it does not contradict plausible allegations that are themselves sufficient to show standing." Carter, 822 F.3d at 57. A plaintiff must establish subject matter jurisdiction by a preponderance of the evidence. Makarova, 201 F.3d at 110.
In applying Rule 12(b)(1), "'the court must take all facts alleged in the complaint as true and draw all reasonable inferences in favor of plaintiff,' but 'jurisdiction must be shown affirmatively, and that showing is not made by drawing from the pleadings inferences favorable to the party asserting it.'" Morrison, 547 F.3d at 170 (quoting Natural Res. Def. Council v. Johnson, 461 F.3d 164, 171 (2d Cir. 2006) and APWU v. Potter, 343 F.3d 619, 623 (2d Cir. 2003)). Additionally, the court "may consider affidavits and other materials beyond the pleadings to resolve the jurisdictional issue, but . . . may not rely on conclusory or hearsay statements contained in the affidavits." J.S. ex rel. N.S. v. Attica Cent. Sch., 386 F.3d 107, 110 (2d Cir. 2004) (citing Zappia Middle E. Const. Co. Ltd. v. Emirate of Abu Dhabi, 215 F.3d 247, 253 (2d Cir. 2000) and Kamen v. Am. Tel. & Tel. Co., 791 F.2d 1006, 1011 (2d Cir.1986)).
By contrast, when resolving a motion to dismiss under Rule 12(b)(6), the court applies a "two-pronged approach." Iqbal, 556 U.S. at 679. First, courts are not bound to accept legal conclusions when examining the sufficiency of a complaint. See id. at 678. Second, the court must assume all well-pleaded facts are true and then "determine whether they plausibly give rise to an entitlement to relief." Id. at 679; Twombly, 550 U.S. at 555-56. A claim is plausible "when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Iqbal, 556 U.S. at 678.
II. Standing
Under Article III of the Constitution, the plaintiff must establish standing to sue in order for a federal court to adjudicate a suit. See Spokeo Inc. v. Robins, 136 S.Ct. 1540, 1546-1548 (2016); accord Lujan v. Defenders of Wildlife, 504 U.S. 555, 559-60 (1992). "[T]he 'irreducible constitutional minimum' of standing consists of three elements. The plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo, 136 S.Ct. at 1547 (internal citations omitted) (quoting and citing Lujan, 504 U.S. at 560-61).
To establish the first standing element, injury in fact, "a plaintiff must show that he or she suffered 'an invasion of a legally protected interest' that is 'concrete and particularized' and 'actual or imminent, not conjectural or hypothetical.'" Id. at 1548 (quoting Lujan, 504 U.S. at 560). An injury is "particularized" when it affects the plaintiff in a "personal and individual way," Lujan, 504 U.S. at 560 n.1, and is "concrete" when it "actually exist[s]" in that it is "'real' and not 'abstract.'" Spokeo, 136 S.Ct. at 1548 (citations omitted).
In the Second Circuit, a plaintiff suing on a "bare procedural violation of [a statute] . . . must satisfy a two-part test for such an allegation to constitute a concrete harm." Katz v. Donna Karan Co., 872 F.3d 114, 119 (2d Cir. 2017). First, the plaintiff must show "that 'Congress conferred the procedural right to protect a plaintiff's concrete interests' as to the harm in question." Id. (quoting Strubel v. Comenity Bank, 842 F.3d 181, 190 (2d Cir. 2016)). Second, the plaintiff must show "that 'the procedural violation presents a risk of real harm to that concrete interest.'" Id. (quoting Strubel, 842 F.3d at 190). If a plaintiff suing on a bare procedural violation cannot satisfy this test, he or she cannot establish injury in fact, and the court has no jurisdiction because the plaintiff has no standing.
III. Applicable Statutory Law
FACTA provides, in pertinent part and subject to a limitation that is inapplicable here, that "[n]o person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction." 15 U.S.C. § 1681c(g)(1). In other words, FACTA generally imposes a requirement that merchants truncate or redact all but the last five digits of a credit card number when they issue receipts for credit card transactions (the "Truncation Requirement"). The parties do not dispute that FACTA's Truncation Requirement was in force at the time the Toll Receipts were issued.
DISCUSSION
I. Katz v. Donna Karan
After the close of briefing on defendant's motion to dismiss, the Second Circuit issued its opinion in Katz v. Donna Karan Co., 872 F.3d 114 (2d Cir. 2017). In that case, as here, the plaintiff sued under FACTA after making two payments by credit card to the defendants and, in each instance, receiving a printed receipt that displayed the first six and last four digits of his credit card number. Donna Karan, 872 F.3d at 116. Also as here, the plaintiff asserted that this failure to comply with FACTA's Truncation Requirement "raise[d] a material risk of harm of identity theft" such that he "suffered a concrete injury sufficient to establish Article III standing." Id.
In Donna Karan, both payments at issue were for purchases at the defendants' stores. 872 F.3d at 116.
At the motion to dismiss stage in Donna Karan, the district court concluded that FACTA's Truncation Requirement "is a means to the end goal of identity theft prevention," and not a substantive right. Katz v. Donna Karan Int'l, Inc., No. 14-CV-740 (PAC), 2017 WL 2191605, at *4 (S.D.N.Y. May 17, 2017), aff'd and remanded sub nom. Katz v. Donna Karan Co., L.L.C., 872 F.3d 114 (2d Cir. 2017). Accordingly, to establish constitutional standing and subject matter jurisdiction, a plaintiff suing on a violation of the Truncation Requirement must establish that the violation presents a material risk of harm to the interest of identity theft prevention. Id.
A. District Court Decision
The district court in Donna Karan found that the first six digits of a credit card number, also known as the "issuer identification number" or "IIN," identify the institution that issued the card and disclose no personal information about the cardholder. Id. at *1 (citing Bin List & Bin Ranges: List of Issuer Identification Numbers, Bin Database—Industry Standard Fraud Prevention, https://www.bindb.com/bin-list.html); accord Donna Karan, 872 F.3d at 116. Because FACTA does not prohibit identifying a card's issuer on a transaction receipt, the district court concluded that failure to redact the first six digits of a credit card number was, standing alone, insufficient to establish a material risk of harm to the interest of identity theft protection. Donna Karan, 2017 WL 2191605 at *5-6 (citations omitted). The district court also noted that the plaintiff had "not allege[d] any facts showing that he experienced the Congressionally-proscribed harm: identity theft," id. at *5, and rejected the plaintiff's argument that FACTA gives rise to a privacy right in the information required to be truncated. Id. at *6. Accordingly, the district court found that the plaintiff had not demonstrated a risk of injury sufficient to establish standing. Id.
B. Second Circuit Decision
The Second Circuit affirmed the district court's determination that the plaintiff had not established subject matter jurisdiction. In setting forth the applicable legal standards, the Second Circuit characterized the printing of the first six digits of a credit card number on a receipt as a "procedural" violation of FACTA and stated that the interest implicated by FACTA and the Truncation Requirement is the prevention of identity theft. Donna Karan, 872 F.3d at 120. The Second Circuit then applied a "clear error" standard of review to the district court's finding that printing the first six digits of a credit card number does not create a material risk of harm sufficient to confer Article III standing. Id.
After discussing the district court's analysis of the significance and importance of the first six digits of a credit card number, id. at 116, the Second Circuit found that the district court did not clearly err "as to the specific material facts in dispute." Id. at 120. The Second Circuit accordingly affirmed the district court's finding that "the bare procedural violation in question did not raise a material risk of harm of identity theft," as well as the district court's dismissal of the case for lack of subject matter jurisdiction. Id. at 121.
II. Plaintiff's Contentions
Plaintiff asserts that Donna Karan is not dispositive in the instant action because the "fact-based aspects of the [Donna Karan] decision . . . have no more precedential force than an affirmed jury verdict." (Plaintiff's Supplemental Letter Brief ("Pl. Supp." or the "plaintiff's supplement"), ECF No. 31, at 3.) Plaintiff further asserts that information that was not of record in Donna Karan demonstrates that disclosure of the first six digits of a credit card number "carr[ies] immense additional risk beyond the disclosure of the final five digits permitted by FACTA." (Id. at 2.)
The purportedly new information presented in the instant action, but not in Donna Karan, consists of two assertions by the plaintiff. First, plaintiff submits that "the typical major credit card issuer uses not one but many different initial six digit combinations, with one major bank using nearly 250 combinations." (Id. (citing www.creditcardvalidator.org/bank-of-america and https://www.cardbinlist.com/bin-list-united-states.html?page=12 ("Card Bin List")).) According to plaintiff, this means that identifying a card's issuer does not provide information sufficient to determine the first six digits of the card number even though the first six digits are sufficient to determine the card's issuer. Plaintiff thus contends that printing the first six digits of a card number is not strictly equivalent to identifying the issuer in that printing the first six digits reveals more information than printing the identity of the issuer would.
Second, and in part following from his first assertion, plaintiff submits that "disclosure of the first six digits diminishes the challenge of 'cracking' a credit card number by a factor of one hundred thousand." (Id.) Plaintiff arrives at this conclusion by positing that "competent identity thieves know that Visa card numbers begin with 4." (Id.) According to plaintiff, if a receipt shows that a Visa card was used, then, a would-be identity thief would be able to determine the first digit of the credit card, but not necessarily the second through sixth digits. (See id.) There are 10, or one hundred thousand, possible combinations for the second through sixth digits, so plaintiff asserts that printing those digits reduces the difficulty of determining the full credit card number through "brute force" cryptological trial and error by that factor. (Id.) To further illustrate this point, plaintiff states that if a receipt displays a credit card's issuer and last four digits, a would-be identity thief "would need to try 10, or [one hundred billion], combinations" to determine the full card number, but with ten digits revealed, the thief "is faced with only [one million]" different combinations.5 (Id. at 2-3.)
For the sake of definitional clarity, the court notes here that in making this argument, plaintiff appears to conflate a credit card's "issuer" and its "network" or "type." A card's "issuer" is the entity, such as a bank, that actually issues a credit card to a consumer. See United States v. Am. Express Co., 838 F.3d 179, 184-185 (2d Cir. 2016), cert. granted sub nom. Ohio v. Am. Express Co., No. 16-1454, 2017 WL 2444673 (U.S. Oct. 16, 2017) (defining card "issuer"). A card's "network," such as Visa or MasterCard, is the entity that "provide[s] the infrastructure and mechanisms through which general purpose card transactions are conducted, including the authorization, settlement, and clearance of transactions." Id. at 197 (quoting United States v. Visa U.S.A., Inc., 344 F.3d 229, 239 (2d Cir. 2003))
The court notes that in June of 2017, the parties jointly requested leave to file simultaneous fifteen-page pre-argument letter briefs. (Joint Motion for Leave to File Simultaneous Briefs, ECF No. 26.) This filing made no reference to plaintiff seeking to develop the record or introduce evidence regarding subject matter jurisdiction or standing. In any event, the court subsequently entered an order on June 28, 2017 authorizing each of the parties to file a five-page supplement no later than October 25, 2017. Each party filed its respective supplement on that date, as discussed herein.
Plaintiff asserts that these facts establish a "radically increased concrete risk to [his] congressionally protected privacy and interests [sic] - which [risk] was not fully raised or considered in Donna Karan - [and] amply satisfies all applicable standing tests." (Id. at 3.) Therefore, plaintiff contends, the proper application of Donna Karan to the facts in this case "requires that the instant motion be denied, or at [a] minimum that appropriate discovery and fact-finding on dispositive jurisdictional issues be allowed to go forward before the motion is decided." (Id. at 4.)
III. Defendant's Contentions
Defendant asserts that Donna Karan is dispositive. (See generally Defendant's Supplemental Letter Brief ("Def. Supp."), ECF No. 30.) Defendant contends that plaintiff's arguments regarding increased risk resulting from printing the first six digits of a credit card number are misguided because the Second Circuit's decision held that FACTA does not prohibit printing a credit card's issuer on a transaction receipt. (Id. at 2.) Further, although defendant acknowledges that Donna Karan suggests that jurisdictional discovery might be appropriate depending on the issue, facts, and statute in question, this case involves "the very same purported violation of the very same statutory prohibition on identical facts." (Id. at 2 n.1.) Even if this were not the case, defendant asserts that plaintiff has had "ample opportunity . . . to submit whatever extrinsic evidence regarding 'the enhanced risk of identity theft' he claims exists" but has not done so. (Id. at 2.)
IV. Analysis
Plaintiff's argument that the record here compels a different result than that in Donna Karan is without merit. Donna Karan makes clear that the violation that plaintiff alleges here is procedural. 872 F.3d at 120. Plaintiff does not dispute that only he and his attorneys have seen the Toll Receipts since they were issued to him. (See Pl. Opp. at 18 (acknowledging plaintiff "safeguarded his own receipts").) Plaintiff's action is predicated on a bare procedural violation and he must therefore plead facts that establish that the violation presents a material risk of harm to the underlying concrete interest of identity theft prevention. See Donna Karan, 872 F.3d at 117-18 (citations omitted); see also Crupar-Weinmann v. Paris Baguette, 861 F.3d 76, 80-81 (2d Cir. 2017). Plaintiff fails to allege facts to make such a showing.
A. Purportedly "New" Information
Plaintiff purports to submit "additional information not of record in Donna Karan" that he contends suffices to establish subject matter jurisdiction, (Pl. Supp. at 2), but a review of Donna Karan makes abundantly clear that all information that plaintiff submits here was before both the district court and the Second Circuit in Donna Karan, albeit in a slightly different form.
i. Information Regarding IIN
In Donna Karan, the district court cited a website maintained by BinDB LLC for the proposition that the first six digits of a credit card number merely identify the institution that issued the card and reveal no information about the card's holder. 2017 WL 2191605 at *1 (citing Bin List & Bin Ranges: List of Issuer Identification Numbers, Bin Database—Industry Standard Fraud Prevention, https://www.bindb.com/bin-list.html ("BinDB List")). The Second Circuit expressly referenced this portion of the district court's opinion, including the BinDB LLC website citation, in its own opinion. 872 F.3d at 118. Even a cursory review of the source material establishes that major credit card companies use a number of different issuer identification numbers. The relevant BinDB LLC webpage includes a conspicuously-placed list indicating that, for instance, American Express card numbers start with "37," Visa card numbers start with "4," and MasterCard numbers start with "51 through 55." (BinDB List (last accessed 11/17/2017)). The page also lists a number of issuer identification numbers. By way of example, at least thirteen of the first fifteen issuer identification numbers listed are American Express combinations, and the list includes numerous issuer identification numbers attributable to Bank of America. Id.
From this information, a reader can easily infer that any given network, such as Visa or MasterCard, or issuing institution, such as a bank, could be associated with multiple initial six-digit combinations. The record before both the district court and the Second Circuit in Donna Karan, therefore, clearly indicated that although the first six digits of a credit card number reveal the card's issuer, the issuer does not necessarily reveal the first six digits. Indeed, the websites plaintiff cites in support of his argument here contain information that is substantially similar to that set forth on the BinDB LLC webpage. (See Pl. Supp. at 2 (citing www.creditcardvalidator.org/bank-of-america and Card Bin List); compare BinDB List (last accessed 11/17/2017) with Card Bin List (last accessed 11/17/2017) (each listing IINs, or beginning portions thereof, and corresponding card types and issuers).) Therefore, the relevant core facts regarding the significance of the issuer identification number were before both the district court and the Second Circuit in Donna Karan.
The court notes that on a record virtually identical to this record, the district court in Donna Karan found that the IIN did not reveal any information "pertaining to the plaintiff," 2017 WL 2191605 at *5, and the Second Circuit affirmed. Plaintiff here does not actually challenge or question the Donna Karan court's findings and does not allege that the IIN reveals any personal information about him. Instead, he argues that printing the IIN reveals information about the credit card number, but that merely revealing the issuer would not reveal this information.
To the extent plaintiff takes issue with the Second Circuit's characterization of printing the IIN as "equivalent" to revealing the issuer, 872 F.3d at 120, the court interprets the Second Circuit's characterization as a statement that printing the IIN reveals the issuer, not a statement that knowing a card's issuer is sufficient to derive the IIN for each card issued by that issuer. The court reaches this interpretation in light of the record that was before the Second Circuit, and because the protected interest at issue in Donna Karan, as here, was the plaintiff-appellant's interest in protecting his identity from being stolen. Consequently, the district court in Donna Karan sought to determine what information, if any, "pertaining to the plaintiff" the IIN revealed, 2017 WL 2191605 at *5, and the Second Circuit reviewed this determination, not a general determination about the significance of the IIN. See 872 F.3d at 116 (discussing district court opinion). The court notes that neither the district court nor the Second Circuit in Donna Karan ever stated that identifying a credit card's issuer is sufficient to determine the IIN. The Second Circuit's observation that IIN digits "can easily be obtained for any given issuer," 872 F.3d at 120, appears correct on the record here, which includes references to three internet-based IIN databases, two of which plaintiff himself introduced.
ii. Information Regarding Possible Digit Combinations
Plaintiff here contends that the "mathematical fact" that "disclosure of the first six digits [of a credit card number] diminishes the challenge of 'cracking' a credit card number by a factor of one hundred thousand" was not before the district court or the Second Circuit in Donna Karan. (Pl. Supp. at 2.) This mathematical fact follows from four propositions. First, when a merchant "properly" truncates a credit card number, eleven digits are redacted. (See id. at 2-3.) Second, defendant here truncated the credit card number such that only six digits were redacted. (Id. at 3.) Third, when eleven digits are redacted, the true credit card number can be one of 1011, or one hundred billion, numbers. (See id. at 2-3.) Fourth, when six digits are redacted, the true credit card number can be one of 106, or one million, numbers. (Id. at 3.) Because one hundred billion divided by one million is one hundred thousand, then, obtaining the full credit card number when a receipt redacts all but six digits is "one hundred thousand times easier" than when a receipt redacts eleven digits. (Id. at 3.)
Of those four propositions, three were clearly before the Second Circuit in Donna Karan. First, the Donna Karan plaintiff-appellant clearly argued that a "properly" redacted receipt reveals, at most, five digits. See Donna Karan, 872 F.3d at 118 (stating that plaintiff contends that printing each digit beyond the five permitted by FACTA increases risk to plaintiff); see also Plaintiff's Post-Argument Letter Brief ("Letter Br."), Katz v. Donna Karan Co., Case No. 15-464 (2d Cir. June 23, 2017), ECF No. 120, at 4 (arguing that all but the last five digits of a card number must be masked under FACTA). Because a credit card number contains sixteen digits and a digit must be either redacted or unredacted, arguing that no more than five digits should be revealed is the equivalent of arguing that at least eleven digits should be redacted.
Second, the Donna Karan plaintiff-appellant clearly asserted that the receipts at issue in that case "identified not only the last four digits of his credit card number, but also the first six digits." Donna Karan, 872 F.3d at 116; see also Letter Br. at 5 (stating that the receipts at issue disclosed the first six and last four digits, for a total of ten). Once again, because a credit card number contains sixteen digits, asserting that ten digits were revealed is the equivalent of asserting that only six digits were redacted.
Third, the Donna Karan plaintiff-appellant argued before the Second Circuit that, when all but six digits of a credit card number are revealed, there remain "[one] million possible combinations of six integers," which "[a] computer can try . . . in seconds." (Letter Br. at 6 n.2.) Although this information and argument were contained in a footnote in the plaintiff-appellant's letter brief, the Second Circuit cited the relevant pages and footnote in its opinion. See 872 F.3d at 118.
The two pieces of "information" presented here that were not directly presented in Donna Karan, then, are first, the proposition that when all but five digits of a credit card number are redacted (or, put another way, eleven digits are redacted), there are one hundred billion possible card number combinations, and second, the comparison between one hundred billion and one million.
The problem for plaintiff here is that the proposition and comparison that he argues were not "of record" in Donna Karan are, as plaintiff concedes, "mathematical facts." (Pl. Supp. at 2). Moreover, these mathematical facts necessarily follow from information that was clearly before the Second Circuit in Donna Karan. To reiterate, the Donna Karan plaintiff-appellant argued that the Donna Karan defendant should have redacted all but five digits of the plaintiff's credit card number, (Letter Br. at 6 n.2), leaving eleven digits unknown. It is a mathematical fact that there are 1011, or one hundred billion, nine-digit numbers where each digit is a number between zero and nine. It is also a mathematical fact that dividing one hundred billion by one million, which the Donna Karan plaintiff-appellant pointed out is the number of possible "combinations of six integers" between zero and nine, (id.), results in the number one hundred thousand.
If, for example, only one digit of a credit card number is redacted, there exist ten possible full card numbers. For each additional digit that is redacted, there are ten times as many possible combinations. Accordingly, if two digits are redacted, there are 10 x 10, or one hundred, possible combinations, and if three digits are redacted, there are 10 x 10 x 10, or 103, or one thousand, possible combinations. When eleven digits are redacted, there are 1011, or one hundred billion, possible combinations.
The "fact" that a FACTA-compliant receipt leaves one hundred billion possible credit card number combinations and the "fact" that this represents one hundred thousand times the number of possible combinations that the receipts at issue presented, which the Donna Karan plaintiff-appellant did not expressly present to the Second Circuit, therefore follow directly from information that the plaintiff-appellant did present in Donna Karan. As demonstrated above, to accept plaintiff's argument in this action would be to find that where information was before the Second Circuit, mathematical facts necessarily flowing from that information were not before the Second Circuit.
Furthermore, plaintiff-appellant's briefing in Donna Karan argued that "each additional known digit beyond the five permitted by FACTA, regardless of its informational significance, increases a card number's vulnerability to brute-force cryptological attack, i.e. computer-assisted guessing." (Letter Br. at 6 n.2.) This argument necessarily implies that a properly redacted receipt, with more numbers redacted, leaves more possible credit card number combinations, even though the argument does not expressly quantify the number of possible combinations when a receipt is properly redacted. To accept plaintiff's argument here would be to find that by merely quantifying that number and comparing it to a number before both this court and the Donna Karan court, plaintiff here has submitted new information. The court declines to make such a finding.
The Second Circuit expressly referenced this argument in its opinion. 872 F.3d at 120.
iii. Summary
All of the "additional information" that plaintiff claims was "not of record in Donna Karan" was expressly presented to the Second Circuit, necessarily followed from information presented to the Second Circuit, or illustrates argument that was presented to the Second Circuit. Additionally, the district court in Donna Karan considered information regarding issuer identification numbers that is materially identical to the information plaintiff presents here. The record here is therefore substantially identical to that in Donna Karan insofar as plaintiff alleges that plaintiff violated the same statute in the same way and offers an identical theory of harm in an effort to establish Article III standing.
B. Showing of Cognizable Harm
On a substantially identical record, as set forth above, plaintiff asks that the court reach a different result than the Donna Karan courts. To briefly restate plaintiff's burden, because failure to comply with FACTA's Truncation Requirement is a bare procedural violation, plaintiff must establish that defendant's failure to comply gave rise to a material risk of identity theft. See, e.g., Donna Karan, 872 F.3d at 116. Here, defendant refers to facts outside the pleadings in support of its motion to dismiss that reveal factual problems in the assertion of jurisdiction. (See Def. Supp. at 1-2 (referring to Donna Karan district court's findings of fact).) Plaintiff must therefore "come forward with evidence of [his] own to controvert that presented by the defendant," or demonstrate that the facts put forward by the defendant are "immaterial because[they] do not contradict plausible allegations that are themselves sufficient to show standing." Carter 822 F.3d at 57 (citation omitted). Plaintiff has done neither.
Plaintiff does not dispute that after he received the Toll Receipts, only he and his lawyer saw them. (See Pl. Opp. at 19.) Over two years have passed since the first Toll Receipt was issued to plaintiff, yet he alleges no tangible harm as a result. As in Donna Karan, these realities weigh against a finding of "injury in fact." See 2017 WL 2191605 at *5.
Furthermore, the issuer identification number merely identifies the card's issuer. Donna Karan makes clear that FACTA does not prohibit disclosure of the card's issuer, 872 F.3d at 120, and disclosure of the card's issuer does not in turn disclose any personally identifying information. 2017 WL 2191605 at *5. Accordingly, printing a card's IIN on a transaction receipt does not give rise to a material risk of identity theft. Donna Karan, 2017 WL 2191605 at *5-6.
To the extent plaintiff contends that printing the IIN reveals the issuer in a way that makes him materially more susceptible to identity theft, his argument is unavailing. Plaintiff essentially argues that the Toll Receipts at issue heighten the risk that his identity will be stolen relative to the risk he would face if provided a FACTA compliant-receipt. (See Pl. Supp. at 2-3.) The Second Circuit expressly rejected this argument in Donna Karan, writing that "while Katz may be correct that every additional digit increases the risk of a brute force cryptological attack, printing the first six digits - the IIN -is the equivalent of printing the name of the issuing institution, information which need not be truncated under FACTA, and thus the district court did not clearly err in concluding that printing the IIN does not increase the risk of real harm." 872 F.3d at 120. Reiterating substantially the same argument, only this time with additional numerical illustrations that are matters of mathematical fact, does not give the argument new vitality.
At oral argument regarding the motion to dismiss, plaintiff suggested that the Second Circuit in Donna Karan had been laboring under a misimpression that revealing the IIN was strictly equivalent to identifying the issuing institution. As discussed above, plaintiff is correct that the two pieces of information are not strictly equivalent because knowing a card's issuing institution does not necessarily allow one to determine the card's IIN. However, as discussed above, the BinDB List source upon which both the district court and the Second Circuit in Donna Karan relied, when discussing the significance of the IIN, is strikingly similar to plaintiff's website sources here.
Further, even assuming plaintiff is correct and the Second Circuit misunderstood the record before it, particularly as to the significance of the IIN, plaintiff still has not met his burden of establishing a material risk of harm by a preponderance of the evidence. See, e.g., Makarova, 201 F.3d at 113 ("A plaintiff asserting subject matter jurisdiction has the burden of proving by a preponderance of the evidence that it exists.") To meet this burden, even assuming the Second Circuit was mistaken, plaintiff would have to plead facts or present evidence demonstrating that revealing all six IIN numbers creates a material risk of harm not present where only the issuer is revealed. See Carter, 822 F.3d at 56-57 (noting that to defeat a fact-based challenge to subject matter jurisdiction, a plaintiff must present controverting evidence or demonstrate that the defendant's evidence is immaterial in light of well-pleaded allegations); see also Katz, 872 F.3d at 120 (stating that relevant inquiry for 12(b)(1) purposes is whether "printing the first six digits of plaintiff's credit card number[] raised a material risk of identity theft absent other allegations of harm."). Plaintiff does not plead any such facts in his complaint or present any such evidence to the court.
To the contrary, plaintiff's briefing concedes that even a properly redacted receipt would narrow the number of possible issuer identification numbers significantly. As discussed above, each IIN is a six-digit number, and it is a mathematical fact that there are 106, or one million, possible combinations of six digits. Plaintiff's supplement notes that "the typical major credit card issuer uses not one but many different initial six digit combinations, with one major bank nearly using nearly 250 combinations." (Pl. Supp. at 2 (citations omitted).) Thus, even a properly redacted receipt can narrow the universe of possible IINs from up to one million (where neither the issuer nor card type are known) to two hundred fifty or fewer.
Because each credit card issued by a given network has a number that begins with the same number or two-number combination, even identifying the network reduces the number of possible IINs from one million to no more than one hundred thousand.
To conclude that plaintiff has established subject matter jurisdiction, the court would have to conclude that plaintiff could prove by a preponderance of the evidence, or based on properly and sufficiently alleged facts, that identifying a single IIN creates a material risk of identity theft over and above the risk that exists where a receipt permissibly identifies the credit card issuer, which plaintiff concedes significantly reduces the universe of possible IINs, possibly to two hundred fifty or fewer. See Carter, 822 F.3d at 56-57. Plaintiff alleges no facts and submits no evidence or argument that would enable the court to conclude that this incremental contraction of the universe of possible credit card numbers gives rise to a material risk of identity theft. On the record before it, the court cannot find, based on the facts alleged in the complaint, that a would-be fraudster could more readily ascertain the credit card number such that plaintiff has been subjected to a material risk of identity theft. See Carter, 822 F.3d at 56-57 (discussing ability to establish subject matter jurisdiction through evidence and/or well-pleaded allegations); Makarova, 201 F.3d at 112 (stating that a plaintiff must prove subject matter jurisdiction by a preponderance of the evidence).
Similarly, plaintiff makes no showing, or sufficient allegation, that narrowing the universe of possible credit card numbers from one hundred billion, the number of possible combinations with eleven digits redacted, to one million, the number of possible combinations with six digits redacted, creates a material risk of identity theft. Clearly one hundred billion is larger than one million - specifically, one hundred thousand times larger - but even incorrectly assuming that these "mathematical facts" were not of record in Donna Karan, it is not enough for plaintiff to merely point them out. The court must have some basis to find, or conclude that plaintiff has properly pleaded, that the difference between redacting eleven digits and redacting six digits is such that redacting only six creates a material risk of identity theft that would otherwise not be present. This requires some information as to the practical significance of the difference, and no such information is before the court in the complaint or in subsequent briefing.
The court therefore finds that the plaintiff has not met his burden to plead sufficient facts or submit sufficient evidence to establish subject matter jurisdiction by a preponderance of the evidence. See Carter, 822 F.3d at 56-57 (discussing ability to establish subject matter jurisdiction through evidence and well-pleaded allegations); see also Makarova, 201 F.3d at 112 (stating that a plaintiff must prove subject matter jurisdiction by a preponderance of the evidence).
C. Further Development of the Record and Leave to Amend
As to plaintiff's contention that the court should "permit further development of the record," (Pl. Supp. at 3), the court is mindful that the Second Circuit in Donna Karan noted that the plaintiff-appellant there "did not seek the opportunity to supplement the record with additional evidence after defendants included in their motion papers extrinsic evidence suggesting that printing the IIN did not increase the risk of harm," and expressed its confidence that "that district courts will oversee the appropriate extent of fact-finding necessary to resolve the contested issue" where there is a fact-based Rule 12(b)(1) challenge to jurisdiction. 872 F.3d at 121. However, the court also notes that the Second Circuit then commented that "parties should be on renewed notice of both the right to introduce such evidence and the plaintiff's burden of proof to do so even at the motion-to-dismiss stage." Id.
Here, plaintiff should have been on notice of his burden to establish subject matter jurisdiction as early as February 22, 2017, when defendant filed a letter on the docket in this case requesting a pre-motion conference with respect to the instant motion. (Defendant's Letter Requesting Pre-motion Conference, ECF No. 6). The defendants' letter clearly stated that it would seek dismissal for lack of Article III standing, and would argue that plaintiff did not suffer a concrete injury under Spokeo. (Id. at 1-2.) If that were not sufficient to put plaintiff here on notice, on May 17, 2017, while the parties were briefing the instant motion, the district court in Donna Karan dismissed that case for lack of subject matter jurisdiction. See 2017 WL 2191605 at *1. Given that plaintiff acknowledged to this court on February 27, 2017 that Donna Karan "raise[d] the precise standing issue [d]efendant would bring forward in this case," (Plaintiff's Letter Regarding Pre-motion Conference ("Pl. PMC Letter"), ECF No. 8, at 1), the district court's opinion in Donna Karan certainly should have put plaintiff here on notice.
The court also notes that the Second Circuit decided Paris Baguette on June 26, 2017, and in so doing clarified the showing that plaintiffs who bring claims based on bare procedural violations of federal statutes must make in this circuit. See 861 F.3d at 81. Plaintiff's letter regarding the pre-motion conference references a prior decision in Paris Baguette, (Pl. PMC Letter at 1), so plaintiff was clearly aware of that litigation. Additionally, following the Second Circuit's issuance of its decision in Donna Karan on September 19, 2017, this court entered an order on September 27, 2017 directing the parties to advise the court as to how they wished to proceed in light of the Second Circuit's decision.
Plaintiff's references to introducing evidence and developing the record, particularly those made following the Second Circuit's decision in Donna Karan, suggest that he has understood his burden from an early stage, though the substance of these pleadings casts doubt on plaintiff's ability to develop a record on which the court could find subject matter jurisdiction, and on his diligence in developing such a record.
In the parties' joint letter submitted in response to the court's September 27, 2017 order, plaintiff generally referred to his desire to introduce additional evidence without any specific indication as to what the substance of that evidence might be, even though the instant motion was pending at the time. (See Letter in Response to September 27, 2017 Court Order, ECF No. 27, at 2-3.). Although plaintiff's supplement purports to develop the record by presenting "facts" that were "not of record" in Donna Karan, (see Pl. Supp. at 2-3), plaintiff instead repackages information that clearly was either directly in the record, or necessarily followed from information in the record, in Donna Karan. Plaintiff's supplement also argues that the court should allow "appropriate discovery and fact-finding" to "go forward," (Pl. Supp. at 4), but contains no explanation as to what that discovery would consist of or the information that plaintiff would seek to obtain through it.11
Finally, at oral argument on November 8, 2017, in response to a question from the court, plaintiff suggested that he might be able to establish the concrete significance of printing additional digits through an expert report and/or expert testimony. This is plaintiff's most specific and compelling example of the kind of record development he wishes to achieve should the court refrain from dismissing this case. Nothing, however, prevented plaintiff from consulting with such an expert well before the November 8, 2017 argument. As discussed above, plaintiff had ample notice that defendant intended to litigate subject matter jurisdiction given that defendant raised that issue in its letter initiating the instant motion. The district court in Donna Karan issued its opinion on May 17, 2017, and on June 23, 2017, the Donna Karan plaintiff-appellant raised the argument that each additional digit of a credit card number that is revealed "increases a card number's vulnerability to brute-force cryptological attack, i.e. computer-assisted guessing" in a letter brief to the Second Circuit and co-authored by counsel for the plaintiff in this action. (Pl. Letter Br. at 6 n.2.)
Courts in this circuit have looked favorably upon efforts to supplement the record absent prejudice or bad faith. See, e.g., Nat'l Union Fire Ins. Co. of Pittsburgh, PA v. BP Amoco P.L.C., No. 03-CV-0200 (GEL), 2003 WL 1618534 at *1 (S.D.N.Y. Mar. 27, 2003) (authorizing defendants to file supplemental affidavit regarding jurisdictional issue presented to court); Spano v. V & J Nat'l Enterprises, LLC, No. 16-CV-0 6419-EAW-MWP, -- F. Supp. 3d --, 2017 WL 3738555, at *8 (W.D.N.Y. Aug. 30, 2017) (quoting National Union) (authorizing plaintiff to file supplemental declaration), appeal docketed, No. 17-3055 (2d. Cir. Sept. 28, 2017); cf. Taylor v. Schaffer, No. 14-CV-123-JGM, 2015 WL 541058, at *4 (D. Vt. Feb. 10, 2015) (taking judicial notice of public records annexed to plaintiff's motion for leave to file supplemental pleadings as no prejudice would result to defendant). Cases in which courts have authorized parties to supplement the record, however, have generally involved parties who have come to the court with the actual supplemental information in hand. See National Union, 2003 WL 1618534 at *1 ("[T]he Court will consider the evidence contained in defendants' supplemental affidavit."); Spano, 2017 WL 3738555 at *8 ("The additional evidence submitted in Plaintiff's motion presents a Declaration by Plaintiff's counsel, the Demand, and [certain correspondence relevant to the issues before the court]."); Taylor, 2015 WL 541058 at *3 ("[Plaintiff] moves for leave to file supplemental pleadings supporting her status as administratrix, attaching documents from [state court].")
Additionally, the Second Circuit has indicated that, "[a]lthough a motion to dismiss for lack of jurisdiction cannot be converted into a Rule 56 motion, a court may nonetheless look to Rule 56[(d)] for guidance in considering the need for discovery on jurisdictional facts." Gualandi v. Adams, 385 F.3d 236, 244 (2d Cir. 2004) (citations omitted). "To request discovery under Rule 56[(d)], a party must file an affidavit describing: (1) what facts are sought and how they are to be obtained; (2) how these facts are reasonably expected to raise a genuine issue of material fact; (3) what efforts the affiant has made to obtain them; and (4) why the affiant's efforts were unsuccessful." Id. at 244-45 (citation omitted).
Here, to the extent plaintiff merely seeks to supplement the record, he has not indicated that he actually seeks or possesses any evidence that he would like to introduce, much less come to the court with evidence in hand. Further, despite multiple opportunities to articulate the nature of the information plaintiff would seek to introduce into the record, the most specific indication from plaintiff consists of an eleventh-hour suggestion that expert testimony could shed light on the concrete impact that redacting eleven digits of a credit card number instead of redacting six digits would have on a would-be identity thief. Plaintiff, therefore, does not properly seek leave to supplement the record. Instead, he seeks to have this court deny, or hold in abeyance, the instant motion, with respect to which he has not carried his burden, so that he may pursue avenues of fact-finding that are either unidentified or have been available to him for months, and are in any case speculative.
To the extent plaintiff seeks discovery, he has not identified the information he seeks to obtain from it, and because he has not identified such information, he necessarily has not shown how this unidentified information would elucidate the extent to which defendant exposed him to a material risk of identity theft. See Gualandi, 385 F.3d at 245 (analogizing request for discovery as to jurisdictional facts to Rule 56(d) discovery). Further, plaintiff has not made any showing as to his efforts to obtain the information he seeks. Accordingly, the court finds that plaintiff is not entitled to discovery, and the court will not deny the instant motion or delay ruling on it so that plaintiff may pursue discovery for which he has not sufficiently articulated a need. Plaintiff has not demonstrated that he has been subjected to an increased risk of identity theft as a result of defendant's failure to comply with the Truncation Requirement, and his complaint must be dismissed for lack of subject matter jurisdiction as a result.
Finally, plaintiff has not indicated in his opposition or in his supplement that he would be inclined to seek leave to amend his complaint, and the Court therefore affords him no opportunity to do so. Schwartz v. HSBC Bank USA, N.A., No. 14-CV-9525 (KPF), 2017 WL 95118, at *8 (S.D.N.Y. Jan. 9, 2017) (citations omitted); see also, e.g., Shields v. Citytrust Bancorp, Inc., 25 F.3d 1124, 1132 (2d Cir. 1994) ("Although federal courts are inclined to grant leave to amend following a dismissal order, we do not deem it an abuse of the district court's discretion to order a case closed when leave to amend has not been sought.").
CONCLUSION
For the foregoing reasons, the complaint is dismissed for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) without leave to amend. "When a case is dismissed for lack of federal subject matter jurisdiction, 'Article III deprives the court of the power to dismiss the case with prejudice.'" Donna Karan, 782 F.3d at 121 (quoting Hernandez v. Conriv Realty Assocs., 182 F.3d 121, 123 (2d Cir. 1999)). Therefore, dismissal is without prejudice. The Clerk of Court is respectfully directed to enter judgment dismissing plaintiff's claims without prejudice.
Because the court finds that it lacks subject matter jurisdiction over the instant action as set forth herein, the court does not address defendant's alternative arguments regarding lack of standing, or the component of defendant's motion that seeks dismissal under Rule 12(b)(6). See Rhulen Agency, Inc. v. Alabama Ins. Guar. Ass'n, 896 F.2d 674, 678 (2d Cir. 1990) ("Where, as here, the defendant moves for dismissal under Rule 12(b)(1) . . . as well as on other grounds, the court should consider the Rule 12(b)(1) challenge first since if it must dismiss the complaint for lack of subject matter jurisdiction, the accompanying defenses and objections become moot and do not need to be determined." (internal quotation marks and citations omitted)). --------
SO ORDERED.
Dated: Brooklyn, New York
December 29, 2017
/s/_________
KIYO A. MATSUMOTO
United States District Judge
Eastern District of New York