[BreachExchange] Third Circuit Finds FCRA Violation Alone Confers Standing for Data Breach Suit

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 7 20:00:14 EST 2017


http://www.jdsupra.com/legalnews/third-circuit-finds-fcra-violation-99611/

The United States Court of Appeals for the Third Circuit recently ruled
that a data breach class action may proceed on the basis of a Fair Credit
Reporting Act (FCRA) violation alone, even where the putative class members
do not allege that they were actually harmed by the breach.  The ruling,
which both relies on and distinguishes the Supreme Court’s recent analysis
of FCRA standing in Spokeo v. Robins, suggests that at least in the Third
Circuit, “injury” from a data breach may be presumed from the fact of the
breach itself.  This, in turn, could have the effect of expanding potential
liability for any consumer-facing entity that suffers a breach.

The case, In re: Horizon Healthcare Services Inc. Data Breach Litigation,
stems from a theft of two laptop computers in November 2013 from Horizon, a
New Jersey health insurer with over 3.7 million members.  The full text of
the Third Circuit’s opinion is available here.

The laptops in question allegedly contained personal identifying
information and personal health information belonging to over 839,000
Horizon customers.  Horizon promptly notified relevant authorities of the
breach, and alerted potentially affected members the following month,
offering to provide one year of credit monitoring and identity theft
protection services at its expense to minimize or eliminate any potential
risk of harm to those customers.

On June 27, 2014, several of these affected individuals filed suit in the
United States District Court for the District of New Jersey, alleging,
among other things, violations of the FCRA, a federal law requiring
consumer credit reporting agencies to fairly and accurately collect and
disseminate consumer credit information.  According to the Plaintiffs,
Horizon was a “consumer reporting agency” within the meaning of the FCRA,
which ran afoul of the statute by failing to take necessary steps to
protect their credit information when it allowed the laptops to be stolen,
and failed—either willfully or negligently—to take sufficient steps to get
the stolen information back.  (Free credit monitoring, the Plaintiffs
allege, wasn’t enough.)  Though several plaintiffs were individually named
in the original complaint, the action was styled as a putative class action
on behalf of all those affected by the breach.

The United States District Court for the District of New Jersey dismissed the
complaint, finding that the plaintiffs lacked standing to sue under Article
III of the U.S. Constitution because the mere fact that their information
had been stolen—and not necessarily used—was not a cognizable injury.

On January 20, 2017, the Third Circuit reversed the District Court’s order
of dismissal, adopting the plaintiffs’ argument that in enacting the FCRA,
Congress intended to confer standing to sue to anyone whose credit
information had been improperly disseminated in violation of the act, even
if they had suffered no specific harm as a result of that improper
dissemination.

Horizon argued that this approach was facially at odds with the Supreme
Court’s ruling in Spokeo, which involved a claim that a website, a “people
search engine,” had disseminated inaccurate information about the
plaintiff’s age, wealth, employment status, education level, and marital
status in violation of FCRA, and where the Supreme Court held that for
standing to exist in such a situation the plaintiff must allege a statutory
harm that is both “particularized” and “concrete,” which the Spokeo
plaintiff failed to do.

Responding to Horizon’s argument, the Third Circuit looked to its own
precedent and concluded that in cases involving “‘unauthorized disclosures
of information’” under the FCRA, “we have no trouble concluding that
Congress properly defined an injury that ‘gives rise to a case or
controversy where none existed before,’” and Spokeo’s holding was therefore
inapposite.  The Third Circuit concluded, “the Plaintiffs here do not
allege a mere technical or procedural violation of FCRA . . . they allege
instead the unauthorized dissemination of their own private information—the
very injury that FCRA is intended to prevent.  There is thus a de facto
injury that satisfies the concreteness requirement for Article III
standing.”

This ruling is particularly significant in the context of FCRA data breach
litigation because of its acceptance of the plaintiffs’ theory that a mere
theft of personal identifying information from an FCRA-regulated
defendant—even if that information isn’t used in a way that is specifically
injurious to a plaintiff—gives that plaintiff the ability to sue under the
statute.

Moreover, as Third Circuit Judge Patty Shwartz noted in her concurring
opinion, the reasoning adopted by the court in its majority opinion
substantially overlooked the Supreme Court’s ruling in Clapper v. Amnesty
International USA, which held that certain public interest lawyers lacked
standing to claim that they were injured by a potential release of their
private communications under the Foreign Intelligence Surveillance Act
because they could not demonstrate that their communications had actually
been intercepted.  Since Clapper, many courts have concluded that increased
risk of harm following a data breach is insufficient to confer Article III
standing.  (Judge Shwartz concluded that the Horizon plaintiffs had stated
a concrete injury because the laptops in question had actually been stolen.)

Nevertheless, many questions relating to this lawsuit will need to be
resolved by the District Court as the case proceeds on remand.  Among other
things, the question of whether plaintiffs’ allegations are sufficient to
lead to certification of a class will no doubt be aggressively litigated,
as class certification will have a substantial effect on the scope of this
case (and the amount of any potential verdict or settlement).

Of course, the Third Circuit’s ruling is only one judicial interpretation
of post-Spokeo standing for data breach lawsuits, and it deals only with
standing under the FCRA specifically, not data breach suits more
generally.  The federal courts continue to wrestle with data breach
standing in a number of different contexts, and—as we have previously
blogged—have reached a variety of outcomes.  But for now, this case
demonstrates how the plaintiffs’ bar continues to develop new theories of
liability for data breaches, and serves as yet another example of how a
single breach—even if it doesn’t result in quantifiable harm to
consumers—can have serious (and potentially costly) legal ramifications on
many different fronts.