The class action filed on April 30 in the U.S. District Court for the Eastern District of Michigan represents a significant escalation in the legal scrutiny surrounding data brokers. While Thomson Reuters has recently settled a massive $27.5 million privacy case in California, this new Michigan suit targets a very specific—and legally hazardous—technicality: the Michigan Social Security Number Privacy Act.
The Core of the Litigation
The lawsuit focuses on how Thomson Reuters’ research tools, specifically Westlaw People Map and CLEAR (Consolidated Lead Evaluation and Reporting), handle sensitive identifiers.
-
The Allegation: The plaintiffs claim that these platforms publicly display five sequential digits of Social Security numbers (SSNs) to subscribers.
-
The Legal Threshold: Michigan law (MCL 445.81 et seq.) strictly prohibits businesses from displaying more than four sequential digits of an SSN on any document or information made available to the general public or a group of people.
-
The Intentionality Argument: By displaying five digits instead of the standard “masked” four, the lawsuit argues the company is in willful violation of state privacy protections designed to prevent identity theft.
Michigan Social Security Number Privacy Act Causing Legal Headaches
This case highlights several critical trends in the intersection of big data and privacy law:
1. The “Damage” Dilemma
A major hurdle in these cases is proving “actual damages.” A previous attempt to sue Thomson Reuters in Michigan was dismissed because plaintiffs couldn’t prove that the exposure led to direct harm (like identity theft). However, this new filing likely aims to capitalize on recent shifts in how courts view “statutory damages”—where the violation of the law itself is considered the injury.
2. The End of “Data Broker Immunity”
For years, companies like Thomson Reuters, LexisNexis, and Experian operated under the assumption that if data was sourced from public records, it was fair game. This lawsuit challenges that, asserting that even if data is “publicly available,” the way it is organized and displayed by a private entity must still comply with modern privacy statutes.
3. State-Level Protectionism
As federal privacy legislation remains stalled, plaintiffs’ attorneys are increasingly using state-specific “pocket” laws (like Michigan’s SSN Act or Illinois’ Biometric Information Privacy Act) to hold tech giants accountable. This creates a “compliance patchwork” that is becoming a nightmare for national data providers.
The Genesis of the Michigan Social Security Number Privacy Act (MSSNPA)
To understand why the Thomson Reuters suit is so dangerous for the company, one must look at the specific climate in which Michigan’s law was born. Enacted in December 2004 and taking full effect on March 1, 2005, the MSSNPA was part of a national “first wave” of identity theft legislation.
At the turn of the millennium, Michigan was seeing a massive spike in “identity fraud,” which prompted the state legislature to move faster than the federal government. While most federal laws (like the Privacy Act of 1974) only applied to government agencies, Michigan’s law was far more aggressive—it applied to any “person” or entity, including corporations, schools, and private investigators.
The “Four-Digit” Bright Line
The Act’s most famous provision is its strict limit on sequential digits. The legislature essentially created a “safe harbor” by deciding that the last four digits of an SSN were “public enough” for verification, but five digits crossed the line into “identity-enabling” information.
The historical intent was to eliminate the then-common practice of using SSNs as student IDs, employee numbers, or account identifiers. By outlawing the display of all or more than four sequential digits, Michigan effectively forced every business in the state to overhaul its database architecture. The current lawsuit against Thomson Reuters alleges that they failed to perform this fundamental architectural update on their CLEAR and Westlaw People Map platforms, choosing instead to display a fifth digit that the Michigan legislature explicitly deemed a security risk over 20 years ago.
Case Law Evolution: The “Actual Damages” Hurdle
The history of this Act in Michigan courts has been a rollercoaster for plaintiffs. For a decade, many suits were dismissed because plaintiffs couldn’t prove they had lost money or had their identity stolen specifically because of a disclosure.
-
Early Dismissals: Many early cases against retailers and employers were tossed out based on a “no harm, no foul” logic. If an SSN was visible but no one used it to open a fraudulent credit card, courts often found no standing to sue.
-
The Shift in 2024–2026: This new Thomson Reuters filing is a strategic “Version 2.0” of previous failed attempts. The legal theory has shifted from “Did this cause me identity theft?” to “The violation of the statute is the injury.”
-
The “Knowing Violation” Escalator: The Act includes a specific provision for knowing violations. If a plaintiff can prove that a sophisticated data giant like Thomson Reuters was aware of Michigan’s four-digit limit—which is common knowledge in the compliance industry—but continued to display five digits anyway, the penalties jump. This entitles class members to $1,000 per violation regardless of whether they suffered a financial loss.
Implications for Data Brokers and “Public” Records
Thomson Reuters has historically relied on the “Public Records Exception.” Their defense usually argues that they are merely an aggregator of data that is already “public.”
However, the history of the MSSNPA suggests this is a flawed defense. The Act does not care if the data was originally public; it regulates the act of displaying it in a specific format. Michigan law creates a “duty of care” for the aggregator. In the eyes of the law, once a broker like Thomson Reuters collects that data and puts it into a searchable, paid interface like CLEAR, they have “possessed” it and are therefore bound by the Act’s display restrictions.
Why This Case is a “Titan” of Litigation
If this class action proceeds, it represents a nightmare scenario for the data industry for three reasons:
-
The “Scraping” Vulnerability: Legal experts and cybersecurity litigators argue that five digits are the “Goldilocks zone” for hackers. It provides enough data to use AI “brute force” tools to guess the remaining four digits in seconds.
-
Administrative Exposure: Unlike the $27.5 million California settlement, which was based on “privacy rights,” this is a statutory violation. There is much less “gray area” for a judge to interpret. Either the company displayed five digits, or it didn’t.
-
The Subscriber Loophole: Thomson Reuters will argue that their platforms are “private” and therefore not “publicly” displayed. However, the Act defines public display as making info visible to “members of the public or in a public manner.” Since almost any business can buy a CLEAR subscription, plaintiffs argue it is essentially “public” to anyone with a credit card.
