The United States Court of Appeals for the Third Circuit recently ruled that a data breach class action may proceed on the basis of a Fair Credit Reporting Act (FCRA) violation alone, even where the putative class members do not allege that they were actually harmed by the breach. The ruling, which both relies on and distinguishes the Supreme Court’s recent analysis of FCRA standing in Spokeo v. Robins, suggests that at least in the Third Circuit, “injury” from a data breach may be presumed from the fact of the breach itself. This, in turn, could have the effect of expanding potential liability for any consumer-facing entity that suffers a breach.
The case, In re: Horizon Healthcare Services Inc. Data Breach Litigation, stems from a theft of two laptop computers in November 2013 from Horizon, a New Jersey health insurer with over 3.7 million members. The full text of the Third Circuit’s opinion is available here.
The laptops in question allegedly contained personal identifying information and personal health information belonging to over 839,000 Horizon customers. Horizon promptly notified relevant authorities of the breach, and alerted potentially affected members the following month, offering to provide one year of credit monitoring and identity theft protection services at its expense to minimize or eliminate any potential risk of harm to those customers.
On June 27, 2014, several of these affected individuals filed suit in the United States District Court for the District of New Jersey, alleging, among other things, violations of the FCRA, a federal law requiring consumer credit reporting agencies to fairly and accurately collect and disseminate consumer credit information. According to the Plaintiffs, Horizon was a “consumer reporting agency” within the meaning of the FCRA, and it ran afoul of the statute by failing to take necessary steps to protect their credit information when it allowed the laptops to be stolen, and by failing—either willfully or negligently—to take sufficient steps to get the stolen information back. (Free credit monitoring, the Plaintiffs allege, wasn’t enough.) Though several plaintiffs were individually named in the original complaint, the action was styled as a putative class action on behalf of all those affected by the breach.
The United States District Court for the District of New Jersey dismissed the complaint, finding that the plaintiffs lacked standing to sue under Article III of the U.S. Constitution because the mere fact that their information had been stolen—and not necessarily used—was not a cognizable injury.
On January 20, 2017, the Third Circuit reversed the District Court’s order of dismissal, adopting the plaintiffs’ argument that in enacting the FCRA, Congress intended to confer standing to sue to anyone whose credit information had been improperly disseminated in violation of the act, even if they had suffered no specific harm as a result of that improper dissemination.
Horizon argued that this approach was facially at odds with the Supreme Court’s ruling in Spokeo. That case involved a claim that a website, a “people search engine,” had disseminated inaccurate information about the plaintiff’s age, wealth, employment status, education level, and marital status in violation of FCRA. There, the Supreme Court held that for standing to exist in such a situation the plaintiff must allege a statutory harm that is both “particularized” and “concrete,” which the Spokeo plaintiff failed to do.
Responding to Horizon’s argument, the Third Circuit looked to its own precedent and concluded that in cases involving “‘unauthorized disclosures of information’” under the FCRA, “we have no trouble concluding that Congress properly defined an injury that ‘gives rise to a case or controversy where none existed before,’” and Spokeo’s holding was therefore inapposite. The Third Circuit concluded, “the Plaintiffs here do not allege a mere technical or procedural violation of FCRA . . . they allege instead the unauthorized dissemination of their own private information—the very injury that FCRA is intended to prevent. There is thus a de facto injury that satisfies the concreteness requirement for Article III standing.”
This ruling is particularly significant in the context of FCRA data breach litigation because of its acceptance of the plaintiffs’ theory that a mere theft of personal identifying information from an FCRA-regulated defendant—even if that information isn’t used in a way that is specifically injurious to a plaintiff—gives that plaintiff the ability to sue under the statute.
Moreover, as Third Circuit Judge Patty Shwartz noted in her concurring opinion, the reasoning adopted by the court in its majority opinion substantially overlooked the Supreme Court’s ruling in Clapper v. Amnesty International USA, which held that certain public interest lawyers lacked standing to claim that they were injured by a potential release of their private communications under the Foreign Intelligence Surveillance Act because they could not demonstrate that their communications had actually been intercepted. Since Clapper, many courts have concluded that increased risk of harm following a data breach is insufficient to confer Article III standing. (Judge Shwartz concluded that the Horizon plaintiffs had stated a concrete injury because the laptops in question had actually been stolen.)
Nevertheless, many questions relating to this lawsuit will need to be resolved by the District Court as the case proceeds on remand. Among other things, the question of whether plaintiffs’ allegations are sufficient to lead to certification of a class will no doubt be aggressively litigated, as class certification will have a substantial effect on the scope of this case (and the amount of any potential verdict or settlement).
Of course, the Third Circuit’s ruling is only one judicial interpretation of post-Spokeo standing for data breach lawsuits, and it deals only with standing under the FCRA specifically, not data breach suits more generally. The federal courts continue to wrestle with data breach standing in a number of different contexts, and—as we have previously blogged—have reached a variety of outcomes. But for now, this case demonstrates how the plaintiffs’ bar continues to develop new theories of liability for data breaches, and serves as yet another example of how a single breach—even if it doesn’t result in quantifiable harm to consumers—can have serious (and potentially costly) legal ramifications on many different fronts.