Last week, the Third Circuit held that allegations of the unauthorized disclosure of personal information in violation of the Fair Credit Reporting Act (FCRA) constituted a de facto injury sufficient to confer standing at the pleading stage in reversing the dismissal of a class action complaint in a data breach case in In re: Horizon Healthcare Services, Inc. Data Breach Litigation, No. 15-2309 (3d Cir. Jan. 20, 2017).
The Fair Credit Reporting Act
The FCRA was enacted to “ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” Safeco Ins. Co. of Am. V. Burr, 551 U.S. 47, 52 (2007). It imposes certain requirements on any “consumer reporting agency” that “regularly … assembl[es] or evaluat[es] consumer credit information … for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f). The FCRA provides a private right of action against consumer reporting agencies for their willful or negligent failures to comply with the FCRA’s requirements. See 15 U.S.C. § 1681n(a) & 1681o(a).
Horizon Healthcare Services, Inc., d/b/a Horizon Blue Cross Blue Shield of New Jersey (“Horizon”) provides health insurance products and services and collects and maintains both personally identifiable information and protected history information in the ordinary course of business. During the week of November 1, 2013, two laptop computers alleged to contain the unencrypted personal information of more than 839,000 members of Horizon insurance plans were stolen from Horizon’s headquarters. After the theft, Horizon alerted the affected members by letter and a press release. Horizon offered one year of credit monitoring and identity theft protection services to the affected members.
The four named plaintiffs — Courtney Diana, Mark Miesel, Karen Pekelney, and Mitchell Rindner — filed a class action complaint on June 27, 2014, on behalf of all Horizon members whose personal information was stored on the stolen laptops, asserting both willful and negligent violations of FCRA and various state law violations. Plaintiffs alleged that Horizon was a consumer reporting agency which “furnish[ed]” their information in an unauthorized manner by allowing it to fall into the hands of thieves. They also alleged that Horizon fell short of its FCRA responsibility to adopt reasonable procedures, such as encryption, to keep their personal information confidential. One of the four plaintiffs alleged he had experienced identity theft following the incident.
The district court dismissed the complaint, concluding that plaintiffs had not alleged a cognizable injury sufficient to confer Article III standing. The district court found that any future risk of harm, such as identity fraud or theft, depended on the “conjectural conduct of a third party bandit,” and was too “attenuated” to establish standing.
Third Circuit Decision
The Third Circuit reversed the district court’s dismissal and remanded the case for further proceeding in in In re: Horizon Healthcare Services, Inc. Data Breach Litigation, No. 15-2309 (3d Cir. Jan. 20, 2017), concluding that plaintiffs’ allegations that their personal information was disclosed without their authorization in violation of the FCRA was sufficient to establish standing at the pleading stage. Because the district court had not ruled on Horizon’s Rule 12(b)(6) challenge, the Third Circuit did not reach the issue of whether the complaint’s questionable allegation that Horizon was a consumer reporting agency adequately pleaded a claim under FCRA.
The court began its standing analysis by revisiting two of its recent decisions in favor of allowing plaintiffs to sue for violations of their statutory rights, even without allegations of additional injury. In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), the Third Circuit found that, despite not having suffered any actual monetary loss, plaintiffs still possessed standing because their allegations that the placement of cookies (i.e., small files with identifying information) on their web browsers – violated several federal and state statutes, including the Stored Communications Act, constituted a concrete injury. The Court found that “the actual or threatened injury required by Art. III may exist solely by virtue of statutes creating standing.” Google, 806 F.3d at 134. Similarly, in In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016), the Third Circuit held that plaintiffs who alleged that Viacom and Google had unlawfully collected their personal information on the Internet in violation of numerous federal and state statutes, including the Wiretap Act and the Video Privacy Protection Act, had standing because “the unlawful disclosure of legally protected information” in violation of these statutes constituted a “clear de facto injury.” Nickelodeon, 827 F.3d at 274.
Citing Spokeo v. Robins, 136 S. Ct. 1540, 1549 (2016), the Third Circuit noted that plaintiffs must allege a concrete injury, which may be either tangible or intangible, and not simply a “bare procedural violation.” In determining whether an intangible injury is concrete, the Court explained “Congress is well positioned to identify intangible harms that meet minimum Article III requirements,” and “its judgment is … instructive and important.” Id. Moreover, even if an injury was “previously inadequate at law,” Congress may elevate it “to the status of [a] legally cognizable injur[y].” Id.
Turning to the allegations of the complaint, the Third Circuit held that “with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself – whether or not the disclosure of that information increased the risk of identity theft or some other future harm.” Horizon, No. 15-2309, at 27. The Court continued: “[Congress] created a private right of action to enforce the provisions of FCRA, and even allowed for statutory damages for willful violations – which clearly illustrates Congress believed that the violation of FCRA causes a concrete harm to consumers.” Id. The court found, therefore, that the alleged dissemination of personal information by a consumer reporting agency is not a bare procedural violation. Given the “close relationship” between the intangible harm that FCRA seeks to remedy and the harm that formed the basis for invasion of privacy lawsuits, the Third Circuit concluded that the “unauthorized dissemination” of personal information in violation of FCRA constituted “a de facto injury that satisfies the concreteness requirement of Article III standing.” Id. at 30, 31.
Horizon has substantial implications for data breach litigation involving companies that are alleged to be consumer reporting agencies under FCRA. Prior appellate decisions in data breach cases not involving FCRA claims, such as Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7thCir. 2016), and Galaria v. Nationwide Mut. Ins. Co., No. 15-3386 (6thCir. Sept. 12, 2016), required plaintiffs to allege not only that their personal information was stolen but also that they faced an increased risk of identity theft and incurred mitigation costs in order to establish the existence of a particularized and concrete injury sufficient to confer Article III standing. This standard made it extremely difficult to have a data breach complaint dismissed at the pleading stage. Horizon raises that bar and makes a dismissal even less likely where the complaint alleges the defendant was a consumer reporting agency under FCRA or was otherwise regulated by statute creating a right against dissemination of personal information. Under Horizon, plaintiffs in data breach cases (at least in the Third Circuit) need not allege that they will suffer any potential harm from a breach of a consumer reporting agency. Nor do they need to allege that they engaged in any mitigation efforts or incurred any mitigation costs. Instead, these plaintiffs need only allege that the unauthorized disclosure or dissemination of their personal information violated a Congressional statute that provides a personal right of action to establish a de facto injury and survive a motion to dismiss for lack of standing.