Consumer Compliance Outlook: First Issue 2021

On the Docket: Recent Federal Court Opinions


Eleventh Circuit dismisses plaintiff’s class-action lawsuit for a data security breach for lack of standing because he failed to allege a concrete injury.

Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F3d. 1332 (11th Cir. 2021). The federal appeals courts are divided on whether a plaintiff whose payment card data was exposed in a data breach without specific harm has a constitutional standing to file a lawsuit for the risk of identity theft. The Eleventh Circuit has now weighed in on this issue. In 2017, a hacker infiltrated the point-of-sale systems of the PDQ restaurant chain and may have accessed customers’ debit and credit card information, including cardholders’ names, account numbers, expiration dates, card verification value codes, and PIN data for debit cards. A PDQ customer whose credit card data may have been exposed during the breach period filed a class-action lawsuit alleging class members whose data were exposed were at risk for identity theft and fraud but did not allege any specific fraud had actually occurred. The court addressed a threshold issue of whether the plaintiff had standing under Article III of the Constitution, which requires a plaintiff to allege an injury fairly traceable to the challenged conduct that likely can be redressed by a favorable court ruling. To satisfy the injury requirement, a plaintiff must allege plausible, clear facts of concrete harm that is actual or imminent and not hypothetical.

Because the lawsuit only alleged the threat of harm, the court relied on a 2013 Supreme Court case, Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013), which held that legal standing in threat-of-harm cases requires “certainly impending” harm or a substantial risk of it occurring. The court concluded the plaintiff did not satisfy this requirement because he only alleged his credit card data may have been accessed. The court noted the findings of a 2007 Government Accountability Office report (GAO-07-737) that hackers generally cannot open unauthorized new accounts based solely on credit or debit card information without additional personal identifying information and that most data breaches have not resulted in detected incidents of fraud on existing accounts. Thus, the court found the plaintiff failed to demonstrate a substantial risk that members of the class would suffer identity theft in the future. The court also contrasted this case with other data breach cases among the federal appeals courts that conferred standing after a data breach, in which the plaintiffs offered evidence of actual misuse of their data. The court also noted that some prior decisions conferring standing for the risk of future identity threat were decided before Clapper, which clarified and tightened standing requirements for future harm cases. While the plaintiff also alleged he suffered damages in his efforts to mitigate the risk of harm by cancelling his cards, including lost opportunity for credit card reward points, costs in cancelling and replacing his cards, and restricted access to his preferred cards, the court found that plaintiffs cannot “manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Accordingly, the court affirmed the dismissal of the case.



A federal district court vacates two provisions of the prepaid card rule.

PayPal, Inc. v. Consumer Financial Protection Bureau, 2020 U.S. Dist. LEXIS 244761 (D.D.C. December 30, 2020). In 2016, the Consumer Financial Protection Bureau (Bureau) published a final rule under Regulation E, which implements the EFTA, and Regulation Z, which implements TILA, to create new consumer protections for prepaid accounts that store funds, such as a prepaid debit card and digital wallets. The rule became effective on April 1, 2019. PayPal, a provider of digital wallets subject to the rule, filed a lawsuit against the Bureau in 2019 to challenge two provisions: the mandated short-form disclosure requirements and the 30-day credit linking restriction. The short-form provision, codified at 12 C.F.R. §1005.18(b)(6)(iii), requires financial institutions offering a prepaid account to disclose certain information in a tabular format using specified language. The 30-day credit linking restriction, codified at 12 C.F.R. §1026.6l(c)(l)(iii), requires that if a prepaid account with a credit feature that is considered a hybrid-prepaid credit card under Regulation Z can be used for certain purposes and is offered by the issuer, its affiliate, or business partner, the credit feature cannot be linked to the prepaid account until 30 days after the consumer registered the prepaid account. PayPal argued that these provisions of the rule exceeded the Bureau’s rulemaking authority under the EFTA and TILA and were therefore invalid under the Administrative Procedure Act, the federal law governing agency rulemaking.

The district court found the Bureau exceeded its rulemaking authority by mandating the use of its model forms because the EFTA directs the Bureau to “issue model clauses for optional use by financial institutions.” 15 U.S.C. §1693b(b) (emphasis added). The court therefore vacated 12 C.F.R. §1005.18(b) “to the extent that the short-form disclosure requirement provides mandatory disclosure.” Similarly, with respect to the 30-day waiting period for the credit feature, the court found that “the statutory language and legislative history of TILA establish that the Bureau’s authority under TILA is limited to disclosure of credit terms” and that the credit feature was substantive and not a disclosure. Accordingly, the court vacated 12 C.F.R. §1026.61(c)(l)(iii) as well. On March 10, 2021, the Bureau filed a notice of appeal with the D.C. Circuit Court of Appeals.


The U.S. Department of Housing and Urban Development (HUD) announces it will enforce the FHA prohibition on sex discrimination to include discrimination based on sexual orientation or gender identity.

On January 20, 2021, President Joseph Biden issued an executive order to implement the Supreme Court’s decision in Bostock v. Clayton County, 140 S. Ct. 1731 (2020), which held that the federal law prohibiting employment discrimination based on a person’s sex (Title VII of the Civil Rights Act of 1964) includes sexual orientation and gender identity. The order announced a policy statement against this discrimination and directs federal agencies enforcing statutes or regulations prohibiting sex discrimination to review existing orders, regulations, guidance documents, and policies that may be inconsistent with Bostock and revise them accordingly. On February 11, 2021, HUD issued a directive in response to the order announcing that the FHA’s provisions prohibiting sex discrimination are comparable to those of Title VII and therefore prohibit discrimination because of sexual orientation and gender identity. HUD announced the steps it is initiating to comply with the order, including:

The directive also instructs HUD’s offices and grantees to review their records for complaints based on gender identity or sexual orientation since January 20, 2021, and to notify the persons their claims may be timely and jurisdictional.

The Ninth Circuit addresses the FHA’s requirement to make reasonable accommodations in sale or rental of housing to a disabled person necessary to afford an “equal opportunity to use and enjoy a dwelling.”

Howard v. HMK Holdings, LLC, 988 F.3d 1185 (9th Cir. 2021). The plaintiffs (husband, wife, and their daughter) rented a home in Los Angeles in September 2012 for $4,700 a month under a one-year lease, which became a month-to-month tenancy when they did not renew it. In 2017, the landlord proposed to increase the plaintiffs’ monthly rent to $5,966 and established a deadline for them to answer. After they failed to respond, the landlord sent a 60-day notice to terminate the tenancy as of April 25, 2017. The plaintiffs requested to extend this to July 2017 because of the husband’s medical disability. The landlord granted the request while also stating it would not grant any other extensions. In June, the plaintiffs asked for an additional extension because of the husband’s medical condition without disclosing the plaintiffs intended to drive to Florida to relocate and were advised to delay the long drive until his condition stabilized. The landlord denied the request as open ended and unreasonable and filed suit to regain possession. In response, the plaintiffs filed a federal lawsuit alleging the landlord violated the Fair Housing Amendments Act of 1988, which requires “reasonable accommodations in rules, policies, practices, or services [for a person with a disability] when such accommodations may be necessary to afford such person equal opportunity to use and enjoy a dwelling.” 42 U.S.C. § 3604(f)(3)(B).

The district court granted the landlord’s motion for summary judgment to dismiss the case. On appeal, the Ninth Circuit affirmed. The court found the plaintiffs failed to establish the accommodation was necessary to afford the husband an opportunity “to use and enjoy” the house that was also offered to a person without a disability. The court noted the plaintiffs were offered a new lease with a higher rent, which put them in the same position as a person without a disability. They rejected this offer and failed to provide evidence they could not relocate somewhere else in Los Angeles without jeopardizing the husband’s health (i.e., they did not show a connection between the requested accommodation and the disability). The plaintiffs also argued that the landlord violated the FHA by failing to engage in an “interactive process” to address the accommodation request. The court found that neither the FHA nor its implementing regulations impose such a requirement. Accordingly, the court affirmed the dismissal of the lawsuit.