The U.S. Court of Appeals for the Third Circuit recently reversed the dismissal of a putative class action under the federal Fair Credit Reporting Act (FCRA) based on the theft of laptops from a health insurer containing sensitive personal information, holding that the plaintiffs had standing to sue because Congress created a statutory remedy for the unauthorized transfer of personal information, the disclosure of which constituted a cognizable injury, regardless of whether the stolen information was actually used improperly.
A copy of the opinion in In re Horizon Healthcare Inc. Data Breach Litigation is available at: Link to Opinion.
The defendant insurer collected and maintained “personally identifiable information (e.g., names, dates of birth, social security numbers and addresses) and protected health information (e.g., demographic information, medical histories, test and lab results, insurance information, and other care-related data) on its customers and potential customers.” The plaintiffs were insured under the insurer’s managed-care health plans.
In November 2013, two laptop computers containing unencrypted personal information of more than 839,000 insureds were stolen from the company’s headquarters. The insurer discovered the theft a few days later and notified its affected insureds one month later, offering one year of credit monitoring and identity theft protection services to those affected.
In June 2014, the plaintiffs filed their 10-count complaint in federal district court, alleging willful and negligent violation of the FCRA, and common law and statutory claims under New Jersey law.
The plaintiffs argued that the credit monitoring and identity theft protection services offered by the defendant insurer were insufficient to remedy the consequences of the data breach. The complaint alleged that only one of the plaintiffs had his identity stolen as the result of the breach — someone submitted a false tax return to the I.R.S. and stole his and his wife’s income tax refund, although he eventually received the refund. He alleged that he incurred out-of-pocket expenses to remedy the identity theft. He also alleged that someone attempted to use his credit for an online purchase and was denied credit because his social security number “has been associated with identity theft.”
The complaint alleged that the insurer is a “consumer reporting agency” under FCRA, and that the insurer violated FCRA § 1681(b) by “furnish[ing] their information in an unauthorized fashion” because it allowed the information to end up in the hands of thieves.
Section 1681(b) requires that consumer reporting agencies “adopt reasonable procedures … for consumer credit, personnel, insurance and other information … with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information….”
The plaintiffs also alleged that by failing to protect their personal information, the insurer violated 15 U.S.C. §§ 1681a(d)(3), 1681b(g)(1) and 1681c(a)(6).
Subsection 1681a(d)(3) “imposes a restriction, with certain exceptions, on the sharing of medical information with any persons not related by common ownership or affiliated by corporate control.”
Subsection 1681b(g)(1) provides that, with certain limited exceptions, “[a] consumer reporting agency shall not furnish for employment purposes, or in connection with a credit or insurance transaction, a consumer report that contains medical information … about a consumer.”
Subsection 1681c(a)(6) prohibits a consumer reporting agency, with certain limited exceptions, from issuing a consumer report containing “[t]he name, address, and telephone number of any medical information furnisher….”
The complaint sought actual, statutory and punitive damages, plus an injunction prohibiting the insurer from storing unencrypted personal information, attorney’s fees and costs.
FCRA provides for the recovery of actual plus statutory damages between $100 and $1,000, plus attorney’s fees and punitive damages, for willful violations. See 15 U.S.C. § 1681n. FCRA also provides for the recovery of actual damages and attorney’s fees for negligent violations. See 15 U.S.C. § 1681o.
The insurer moved to dismiss the complaint for lack of subject matter jurisdiction, and for failure to state a claim. The district court dismissed the case, reasoning that plaintiffs lacked standing to sue under Article III of the U.S. Constitution because they did not adequately allege that they were actually harmed by the theft of their information. The plaintiffs appealed.
Because the district court dismissed based on lack of standing, the Third Circuit addressed only that issue and not the insurer’s arguments that it was not bound by the FCRA because it was not a “consumer reporting agency” and the FCRA did not apply to information that is stolen, only to information that is “furnished.” The Court assumed, for purposes of the appeal, that the FCRA had been violated.
The Third Circuit then explained that “‘[t]o survive a motion to dismiss [for lack of standing], a complaint must contain sufficient factual matter’ that would establish standing if accepted as true.”
The Court noted that under Supreme Court precedent “[t]here are three well-recognized elements of Article III standing: First, an ‘injury in fact,’ or an ‘invasion of a legally protected interest’ that is ‘concrete and particularized.’ … Second, a ‘causal connection between the injury and the conduct complained of[.]’ … And third, a likelihood ‘that the injury will be redressed by a favorable decision.’”
The Court clarified that while the plaintiffs undoubtedly suffered a particularized injury because their personal information was disclosed, the appeal before it focused only “on the concreteness requirement of that element.”
The plaintiffs argued that “the violation of their statutory right to have their personal information secured against unauthorized disclosure constitutes, in and of itself, an injury in fact[,]” which the district court rejected. In the alternative, the plaintiffs argued that the insurer’s failure to protect their information put them at risk of harm from identity theft and such increased risk was a concrete injury for purposes of Article III standing. The district court also rejected this argument because it found that any future risk of harm was too speculative and “attenuated” to support standing.
The Third Circuit agreed with the plaintiffs’ first argument, concluding that they had standing based on the insurer’s alleged violation of the FCRA. The Court reasoned that because Congress created a statutory remedy for the unauthorized transfer of personal information in the FCRA, a violation of the statute constitutes an injury sufficient to confer Article III standing to sue, regardless of whether the information was actually used improperly.
In so ruling, the Court noted that, “with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself – whether or not the disclosure of that information increased the risk of identity theft or some other future harm,” and that Congress “created a private right of action to enforce the provisions of FCRA, and even allowed for statutory damages for willful violations – which clearly illustrates that Congress believed that the violation of FCRA causes a concrete harm to consumers.”
Moreover, the Third Circuit noted, “since the ‘intangible harm’ that FCRA seeks to remedy has a close relationship to a harm [i.e. invasion of privacy] that has traditionally been regarded as providing a basis for a lawsuit in English or American courts,” the Court had “no trouble concluding that Congress properly defined an injury that gives rise to a case or controversy where none existed before.”
The Court relied on two recent opinions dealing with statutes protecting data privacy, which allowed individuals to sue to remedy violations of their statutory rights even in the absence of actual damages.
In the Google, Inc. Cookie Placement Consumer Privacy Litigation, decided in 2015, the Third Circuit held that “so long as an injury ‘affect[s] the plaintiff in a personal and individual way,’ the plaintiff need not ‘suffer any particular type of harm to have standing.’ … Instead, ‘the actual or threatened injury required by Article III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing,’ even absent evidence of actual monetary loss.”
The Third Circuit in 2016 “reaffirmed Google’s holding in In re Nickelodeon Consumer Privacy Litigation, … [which] involved a class action in which the plaintiffs alleged that Viacom and Google had unlawfully collected personal information on the Internet, including what webpages the plaintiffs had visited and what videos they watched on Viacom websites.” Relying on its holding in Google, the Court reasoned that “when it comes to laws that protect privacy, a focus on economic loss is misplaced. … Instead, ‘the unlawful disclosure of legally protected information’ constituted ‘a clear de facto injury.’”
Reasoning that the plaintiffs before it “have at least as strong a basis for claiming that they were injured as the plaintiffs in Google and Nickelodeon,” the Court reversed and vacated the district court’s order of dismissal and remanded the case for further proceedings.