Plaintiffs Have Standing to Sue for Data Breaches That Violate the Fair Credit Reporting Act, Even Without More “Concrete” Injury

In re Horizon Healthcare Services Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017).  [Disclosure:  My firm, Lite DePalma Greenberg, LLC, is co-lead counsel for the successful plaintiffs in this appeal].  Horizon Healthcare Services, Inc. (“Horizon”) provides health care insurance to millions of New Jersey citizens.  Horizon kept insureds’ personal identifying information on laptop computers.  That information was password-protected but was not encrypted.  Two laptop computers, containing the personal identifying information of over 839,000 members, were stolen from Horizon’s offices.

Plaintiffs filed a putative class action for violation of the Fair Credit Reporting Act, 15 U.S.C. §1681 et seq. (“FCRA”), and on other theories.  On Horizon’s motion, the District Court dismissed the case for lack of standing.  Plaintiffs appealed, and the Third Circuit today reversed in an opinion by Judge Jordan.

Writing for himself and Judge Vanaskie, Judge Jordan stated that “[i]n light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes.  Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.”

That ruling followed from the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016), discussed here.  As Judge Jordan observed, Spokeo offered two paths to a demonstration that an injury is sufficiently “concrete” to confer standing.  One of those tests “asks whether Congress has expressed an intent to make an injury redressable.”  Here, far from alleging “a mere technical or procedural violation of FCRA,” Judge Jordan ruled that plaintiffs had pleaded “unauthorized dissemination of their own private information – the very injury that FCRA is intended to prevent,” and an injury that “has a close relationship to a harm [i.e. invasion of privacy] that has traditionally been regarded as providing a basis for a lawsuit in English or American courts,” quoting language from Spokeo.

Today’s decision rightly reaffirmed two prior Third Circuit cases that declined to construe Spokeo as having changed standing law to restrict plaintiffs’ access to the courts.  In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016); In re Google Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015).  Judge Jordan also observed that today’s result was in accord with “the weight of precedents in our sister circuits.”

The court distinguished Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), on which the District Court had relied.  In Reilly, the plaintiffs’ claims centered on future injuries that were too speculative.  “Here, in contrast, the Plaintiffs are not complaining solely of future injuries.  Congress has elevated the unauthorized disclosure of information into a tort.  And so there is nothing speculative about the harm that Plaintiffs allege” (emphasis in original).

Judge Shwartz filed a concurring opinion, agreeing that plaintiffs had standing, but giving different grounds for that conclusion.  In her view, the proper prong of Spokeo to rely on was the historical approach: “whether the intangible harm is closely related to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts,” rather than the approach adopted by the majority, which looked to the intent of Congress in enacting the statute.  On either ground, however, today’s decision is a powerful restatement of standing doctrine that recognizes that data breaches can and should give rise to a right to sue.