Recent FCRA Data Breach Class Action Decision: Statutory violations may be enough to establish Article III standing
In a recent decision, the Third Circuit Court of Appeals reversed the lower court’s ruling on a motion to dismiss and held that class action plaintiffs had Article III standing on the basis of their data security Fair Credit Reporting Act (FCRA) claims.In re Horizon Healthcare Services, Inc., D.N.J. No. 2-13-cv-07418 (3rd Cir. January 20, 2017) marks the latest in a string of Circuit Court decisions struggling to interpret the standing requirements set forth by the U.S. Supreme Court in Spokeo, Inc. v. Robins, where the nation’s high court held that two elements must be established to prove an injury-in-fact: concreteness and particularization. In many recent cases involving data security, the FCRA, and other federal statutes, courts have since grappled with the issue of whether an injury-in-fact is established based on the violation of a statute alone.
In Horizon, two laptop computers containing unencrypted personally identifiable information (PII) and protected healthcare information (PHI) of more than 839,000 members were stolen. Id. at *6. Horizon subsequently notified the potentially affected members of the theft and offered free credit monitoring and ID theft protection. Id. at *6-7. The plaintiffs filed a suit and alleged they were (1) in “imminent, immediate, and continuing increased risk of harm,” (2) required “to take the time and effort to mitigate [their damages],” and (3) caused to sustain “economic damages and other actual harm.” Their claims rested in federal causes of action under FCRA alleging that, as a consumer reporting agency, Horizon furnished their information in “an unauthorized fashion by allowing it to fall into the hands of thieves” and failed “to adopt reasonable procedures to keep sensitive information confidential.” Id. at *9 and 17.
The district court granted Horizon’s motion to dismiss under Rule 12(b)(1) and 12(b)(6), finding that the plaintiffs could not show imminent injury because their alleged injuries were contingent and would only come to pass upon a potential thief stealing their PII and PHI sometime in the future. This potential for harm, according to the lower court, was insufficient to confer standing.
The Appeals court, however, focused on the plaintiffs’ FCRA statutory rights violation allegations. Under the FCRA, consumer reporting agencies that assemble or evaluate consumer credit information for the purpose of furnishing consumer reports to third parties must adopt reasonable procedures to keep consumer information confidential. They are also prohibited from furnishing the information in an unauthorized manner that puts the information at risk of being stolen. The Third Circuit found that a violation of this FCRA requirement established standing because it gave rise to a concrete and cognizable injury based on the plaintiffs’ statutory right to have their PII and PHI safe against unauthorized disclosure. Id. at *27. Most notably, the Court held: “Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.” Id. at *4. Compare Vera v. Mondelez Global LLC, 2017 U.S. Dist. LEXIS 38328 (D.E. Ill. March 17, 2017) (holding that violating the stand-alone disclosure requirement under the FCRA is a procedural technical violation alone insufficient to establish standing).
The Horizon court interpreted Spokeo to provide a two-part test to determine concreteness: (1) whether an alleged harm is closely related to a harm that has traditionally or historically been viewed as the basis for lawsuit and (2) whether Congress has expressed an intent to make an injury redressable. Ultimately, the court determined that Congress had expressed such an intent under the FCRA.
As courts continue to analyze the question of whether a statutory violation by itself may grant Article III standing, time will tell whether they will find persuasive the Third Circuit’s reasoning that the uniquely personal nature of data security breach supports such a finding. In the meantime, the Horizon court reminds entities of a more practical way to help avoid a finding of standing: carefully review your data security practices and ensure that they follow the requisite procedures to maintain confidentiality.