The Third Circuit recently overturned a district court’s ruling on In re Horizon Healthcare Services Inc. Data Breach Litigation and gave new life to a putative class action over a data breach. No. 15-2309 (Jan. 20, 2017). The Third Circuit panel held that allegations of unauthorized disclosure of personal information in violation of the Fair Credit Reporting Act (“FCRA”) constituted a de facto injury sufficient to establish Article III standing. Plaintiffs did not allege identity theft, any other misuse of the compromised data, or even any mitigation costs.
The case concerns a data breach from November 2013, where two laptop computers containing the unencrypted personal information of more than 839,000 Horizon members were stolen from Horizon’s headquarters in New Jersey. The information included names, dates of birth, Social Security numbers, medical histories, test and lab results. Horizon discovered the theft the next day, notified law enforcement that same day, and notified potentially affected customers within a month. The company also offered one year of credit monitoring and identify theft protection.
The question before the court was one of injury and standing: Under FCRA, do plaintiffs need to allege that their personal information had been accessed or misused in order to prove an injury to satisfy Article III’s standing requirement?
The Third Circuit, relying on the 2016 Supreme Court ruling in Spokeo, said no: “[W]ith the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself – whether or not the disclosure of that information increased the risk of identity theft or some other future harm.” Horizon, No. 15-2309, at 27. In Spokeo, a case based on FCRA violations, the Supreme Court reiterated the need to allege concrete injury for standing—mere procedural rights are insufficient. The Third Circuit, however, went further, explaining that because the unauthorized dissemination of personal is “the very injury that FCRA is intended to prevent,” it constituted “a de facto injury that satisfied the concreteness requirement of Article III standing.” Id. at 29-31. Concurring Judge Patty Schwartz would have gone even further, recognizing standing based on the “intangible harm from the loss of privacy….”
In contrast to Horizon, in an earlier case before the Third Circuit that did not involve the alleged violation of a statutory right, Reilly v. Ceridian Corp., 664 F.3d 38, 40, 44 (3d Cir. 2011), the Third Circuit held that the increased risk of identity theft after a hacking incident was too speculative to establish “certainly impending” injury-in-fact. Further, the Horizon decision appears to conflict with the holdings of other circuit courts who have considered whether violations of statutes necessarily create standing, such as Gubala v. Time Warner Cable, Inc., No. 16-2613, 2017 WL 243343, at *4 (7th Cir. Jan. 20, 2017) (concluding that the continued retention of personal information in violation of the Cable Communications Policy Act is insufficient to confer Article III standing). And, indeed, the Horizon opinion has already been distinguished by the Fourth Circuit in Beck v. McDonald, No. 15-1395 (4th Cir. Feb. 6, 2017) (holding that the “non-speculative, imminent injury-in-fact” was not established based on “the increased risk of future identity theft and the cost of measures to protect against it” after data breaches implicating the Privacy Act).
Horizon may have substantial implications for data breach litigation, particularly for companies with FCRA compliance obligations — to the extent a data breach may impact consumer report information. Going forward, plaintiffs may be able to find courts where they can survive a motion to dismiss for lack of standing based on an alleged de facto injury rooted in FCRA (or perhaps other federal statutory violations), again heightening the risks and potential liability connected to modern data security incidents.