What the TransUnion v. Ramirez Supreme Court Ruling Means for Employers

The U.S. Supreme Court issued a decision on June 25, 2021, in TransUnion LLC v. Ramirez, an important case about who may have standing in class action cases in federal court. The Court, in a controversial 5-4 decision, held that “only plaintiffs concretely harmed by a defendant’s statutory violation have Article III standing to seek damages against a private defendant in court.” In short, “[n]o concrete harm, no standing.” The court reasoned that Article III standing required a concrete injury even when there is a statutory violation and that “injury in law” is not “injury in fact.”

The jury in this case found that credit reporting agency TransUnion had willfully violated the Fair Credit Reporting Act (FCRA) when it falsely flagged the credit reports of thousands of individuals for being "Specially Designated Nationals'' under the Office of Foreign Asset Controls list that includes terrorists, drug traffickers, and other sanctioned individuals. The Supreme Court held that only the group of individuals who could prove that these false credit reports had been disclosed to third parties had standing to sue, the group who did not provide evidence that their reports had been disclosed did not meet the burden under Article III. Merely having their information flagged in a database did not equate to concrete harm.

The FCRA is a federal law that helps to ensure the accuracy, fairness and privacy of the information in consumer credit bureau files. The law regulates the way credit reporting agencies (CRAs) can collect, access, use and share the data they collect in consumer reports. Under FCRA, if employers use a third-party provider to conduct a background check (i.e., consumer report or investigative consumer report), there are certain required notices and communications.

Over the years, there have been numerous lawsuits against employers for failure to comply with FCRA’s strict notice and/or disclosure requirements. In many instances, employees challenged technical violations – some on behalf of a class – even though no actual harm was experienced. This led to the Supreme Court’s 2016 decision in Spokeo Inc. v. Robins, in which it held that, in order to sue under FCRA, a plaintiff must establish that they have suffered “concrete” harm – meaning real injury, and not simply a “bare procedural violation.” The Supreme Court has now reiterated this position in the non-employment case of TransUnion LLC v. Ramirez.

TransUnion LLC v. Ramirez: Case Background

In the case of TransUnion LLC v. Ramirez, a man named Sergio Ramirez could not buy a car after TransUnion mistakenly stated on a credit report that his name was found on the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) list of suspected terrorists and criminals. Ramirez sued TransUnion on behalf of 8,000+ class members for not following “reasonable procedures to assure maximum possible accuracy” under the FCRA.

A jury returned a verdict in favor of Ramirez and a class of consumers whose names were included on the OFAC List and who had also received two letters from TransUnion, one of which failed to include information about the OFAC List and another that included the OFAC information but omitted a summary-of-rights required by the FCRA. The U.S. Court of Appeals for the Ninth Circuit upheld the award.

Reversing the Ninth Circuit, the Supreme Court held that 6,332 of the 8,185 certified class members lack Article III standing despite their inclusion on TransUnion's OFAC List, because TransUnion did not disseminate their credit reports to third-party businesses during the relevant time period. As to the FCRA claims based on TransUnion's letters to class members, the Court held that all 8,185 class members lacked Article III standing, because the plaintiffs presented no evidence that a single class member, other than Ramirez, opened the mailings or were confused, distressed or relied on the information in any way. The Court held that even if the letters constituted technical violations of the FCRA, these bare procedural violations could not proceed absent a showing of concrete harm.

Justice Brett Kavanaugh wrote in the opinion:

“No concrete harm, no standing. The 1,853 class members whose credit reports were provided to third-party businesses suffered a concrete harm and thus have standing as to the reasonable-procedures claim. The 6,332 class members whose credit reports were not provided to third-party businesses did not suffer a concrete harm and thus do not have standing as to the reasonable-procedures claim. The mere existence of inaccurate information, absent dissemination, traditionally has not provided the basis for a lawsuit in American courts. The plaintiffs cannot demonstrate that the misleading information in the internal credit files itself constitutes a concrete harm. The mere presence of an inaccuracy in an internal credit file, if it is not disclosed to a third party, causes no concrete harm.”

The Decision’s Potential Implications for Employers

This ruling has varied potential implications on class certification and FCRA litigation going forward. While not arising from a data breach or ransomware event, the Supreme Court's decision seems likely to impact class actions brought without an actual harm (such as identity theft or financial loss). It also gives support to those courts that have said simply getting a data breach notification letter is not enough to open the doors to a federal courtroom, absent identity theft or economic harm.

While the TransUnion LLC v. Ramirez decision is good news for employers that now have an argument that they should avoid liability if there is no tangible harm (like economic or damage to reputation) for lawsuits brought in federal court, employers must still ensure compliance with the FCRA’s technical requirements in order to avoid the possibility of such liability, along with the cost of defending against a lawsuit regardless of the merits.

The best way to ensure compliance with FCRA (and other legal requirements) is to partner with a background screening vendor that is not only accredited by the PBSA, but ensures FCRA, state, and local Ban the Box notification and time-frame and record-keeping compliance; maintains auditable logs; and greatly reduces the risk of liability. For example, Cisive advocates a best practice that includes a fully electronic, 100% auditable FCRA dispute process. Our comprehensive, secure, web-based dispute resolution system can track every notification sent to candidates, including receipt, review, and disputes or consumer statements.