Third Circuit Holds that Alleged Violations of the Fair Credit Reporting Act Concerning Disclosure of Personal Information through a Data Breach Are Sufficient to Establish Standing
In In re Horizon Healthcare Services, Inc. Data Breach Litigation, 846 F.3d 625, 2017 WL 242554 (3d Cir. Jan. 20, 2017), the Third Circuit Court of Appeals held that with the passage of the Fair Credit Reporting Act (FCRA), Congress established that the unauthorized dissemination of personal information by a credit reporting agency in and of itself causes an injury sufficient to establish Article III standing. Two laptops containing unencrypted personal information of more than 839,000 Horizon members were stolen. Plaintiffs in a putative class action allege willful and negligent violations of the FCRA. There were no allegations that identities were stolen as a result of the breach. (Although one plaintiff alleged he was the victim of a fraudulent tax return and a denial of credit, the court did not reach his argument.) Defendants moved under Fed. R. Civ. P. 12(b)(1) to dismiss for lack of subject matter jurisdiction, specifically lack of standing.
The court found there was no doubt that plaintiffs met the standing requirement of a particularized injury because they alleged the disclosure of their own private information. Thus, the court only addressed the concreteness requirement of the injury-in-fact element of standing. It recognized established authority that the violation of a statute creating legal rights can cause an injury in fact sufficient for standing. The court held that with the passage of the FCRA, Congress established that the mere unauthorized dissemination by a credit reporting company causes an injury, even though the information is truthful and not harmful to anyone’s reputation. It stated that Congress provided for damages for willful violations, which shows that Congress believed that FCRA violations cause concrete harm. That is, Congress “elevated the unauthorized disclosure of [credit] information into a tort.”
The court rejected arguments that Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) compelled a different outcome. It concluded that Spokeo did not create a requirement that plaintiffs show that a statutory violation has caused a “material risk of harm” to establish standing.
There are separate issues of whether Horizon is a “consumer reporting agency” subject to the FCRA, and whether the FCRA applies when data is stolen rather than voluntarily furnished. Those are subject to a separate motion under Fed. R. Civ. P. 12(b)(6), which was not before the court, so no rulings were made on those issues.