Introduction

Recently, the Third Circuit widened the gates for certain data-breach plaintiffs, holding that alleged violations of the Fair Credit Reporting Act (“FCRA”) constitute injuries-in-fact sufficient for Article III standing. [1] In its opinion in In re Horizon Healthcare Services Inc. Data Breach Litigation, [2] the Third Circuit clarified the standing requirements for plaintiffs asserting violations of certain federal statutes, and appears to have shifted the direction of the court’s previous trend. Before now, district courts in the Third Circuit often dismissed data-breach disputes on the basis of Article III standing—that is, many courts, relying on Reilly v. Ceridian Corp., [3] found that plaintiffs did not plead a concrete injury sufficient to seek redress from federal courts absent allegations of harm arising from actual identity theft. [4]

The In re Horizon decision, however, suggests that the Third Circuit may be moving toward finding standing in certain data-breach cases that allege violations of certain federal statutes, even if the plaintiff does not allege tangible personal harm arising from the data breach. Yet despite this, and despite the Supreme Court’s ruling in Spokeo, Inc. v. Robins, [5] the contours of Article III standing in the data-breach context remain subject to debate and are not fully defined. [6]

Evolving Standing Requirements in the Third Circuit

The dispute in In re Horizon centered on the personal information of health care plan members of Horizon Healthcare Services, Inc.—including their names, addresses, dates of birth, and social security numbers. [7] The information was contained on two password-protected laptops that were chain-locked to the employees’ desks but were nevertheless stolen from Horizon’s headquarters. [8] Four plan members sued Horizon on behalf of 839,000 putative class members, alleging that “Horizon failed to take reasonable and appropriate measures to secure the stolen laptop computers and safeguard and protect Plaintiffs’ and Class Members’ [personal information].” [9]

The plaintiffs alleged that Horizon was a “consumer reporting agency” subject to FCRA’s privacy provisions, and that Horizon violated those provisions by (1) failing “to adopt reasonable procedures to keep sensitive information confidential,” and (2) furnishing “their information in an unauthorized fashion by allowing it to fall into the hands of thieves.” [10] In other words, “Horizon's failure to protect [the plaintiffs’] personal information violated the company's responsibility under FCRA to maintain the confidentiality of their personal information.” [11] Only one of the four representative plaintiffs alleged that he actually had suffered identity theft arising from the theft of the laptops. [12]

In the district court, Horizon filed a Rule 12(b)(1) motion to dismiss, arguing that the plaintiffs lacked standing because they had suffered no concrete injury. [13] The plaintiffs responded that “the violation of their statutory right to have their personal information secured against unauthorized disclosure constitutes, in and of itself, an injury in fact.” [14] The district court accepted Horizon’s reasoning and dismissed the case. [15]

On appeal, the Third Circuit reversed, ruling that the plaintiffs, by alleging an unauthorized transfer of personal identifying information in violation of FCRA, had established a sufficient de facto injury for standing. [16] The court reasoned that “the unlawful disclosure of legally protected information constitute[s] a clear de facto injury,” even if that information was not improperly used, [17] and that “Congress has long provided plaintiffs with the right to seek redress for unauthorized disclosures of information that, in Congress’s judgment, ought to remain private.” [18]

Anchoring its decision, the court emphasized that the injury the plaintiffs alleged was not “a mere technical or procedural violation of FCRA.” [19] Instead, the court found that the plaintiffs alleged the “unauthorized dissemination of their own private information—the very injury that FCRA is intended to prevent.” [20] Accordingly, “there is thus a de facto injury that satisfies the concreteness requirement for Article III standing.” [21]

The Third Circuit’s In re Horizon decision is notable in at least three respects.

First, the court’s decision makes clear that disclosure of personal information in violation of FCRA constitutes an injury-in-fact sufficient to create Article III standing even if plaintiffs did not suffer actual harm in the form of identity theft. The court’s decision also makes clear that disclosure of personal information may create standing under other federal statutes in which Congress has expressed an intent to make such an injury redressable. Though the court noted that the “particularization requirement” in the standing framework might work to limit disputes over more “technical breach[es]” of a statute, [22] it expressly declined to rule on when a data breach may be a mere “technical violation of a procedural requirement.” [23]

Second, the court interpreted the Supreme Court’s recent standing decision in Spokeo as a narrow one—working only to clarify and reinforce the Supreme Court’s “traditional notions of standing.” [24] The Supreme Court noted in Spokeo that “not all inaccuracies [in sharing people’s data] cause harm or present any material risk of harm.” [25] The Third Circuit reasoned that this language speaks only to the Article III “concreteness” requirement, and does not create any additional elements of an injury. [26] Thus, in the Third Circuit, Spokeo is simply another case in a long line of standing cases affirming the three traditional standing requirements.

Third, the court distinguished its prior guiding precedent, Reilly v. Ceridian Corp., in that the data-breach plaintiffs in that case had not asserted statutory causes of action under FCRA. [27] The Reilly plaintiffs’ common law claims did not grant them standing because “their risk of harm was too speculative.” [28] Contrast that with In re Horizon, in which the court relied heavily on the fact that “Congress has elevated the unauthorized disclosure of information into a tort[,] [a]nd so there is nothing speculative about the harm that Plaintiffs allege.” [29] This distinction, based on statutory versus common law causes of action, will likely be critical in data-breach cases in the Third Circuit.

Conclusion

In re Horizon appears to have shifted the Third Circuit’s prevailing analysis of injuries for standing, at least in the FCRA context and potentially in the context of other federal statutory violations. [30] This decision seems to narrow the lack-of-standing defense in that type of data-breach case, and potentially in others, when the claims involved arise from certain statutory rights, which may allow more lawsuits to proceed past the motion-to-dismiss stage. Still, the Third Circuit’s opinion leaves open what other federal statutes beyond FCRA may recognize data breaches as redressable injuries, and leaves open whether and under what circumstances a mere technical violation of a certain statute could constitute a concrete harm for standing. In any case, the Third Circuit’s statutory standing analysis will likely continue to evolve as the court irons out potential discrepancies between its jurisprudence on this issue and that of other circuits post-Spokeo. [31]