The U.S. Court of Appeals for the Third Circuit has vacated a district court’s dismissal of a data breach class action filed against Horizon Healthcare Services Inc., in the wake of the 2013 theft of two laptop computers containing unencrypted personal information of Horizon Healthcare plan members. The decision potentially expands the circumstances under which consumers may pursue class actions against companies from which their digitized personal information is stolen.

The Third Circuit held that the plan members have standing to sue for alleged violations of the Fair Credit Reporting Act (FCRA), based on Horizon’s alleged failure to adequately secure certain personal information against theft. Most significantly for future cases, the Third Circuit reasoned that the failure to maintain the confidentiality of personal information protected by federal privacy law creates a de facto injury sufficient to confer standing, even absent an allegation that the data theft caused the plaintiffs economic harm.

The class action complaint alleges that two laptop computers containing the unencrypted information of more than 839,000 Horizon plan members were stolen from Horizon’s headquarters on a November 2013 weekend. The laptops were cable-locked to workstations and password protected, but the data stored on them was not encrypted. Horizon immediately contacted the police and began an investigation upon discovery of the theft. Approximately one month later, Horizon notified most of the impacted members of the data breach, and provided them with one year of free credit monitoring.

On June 27, 2014, the plaintiffs filed a class action complaint alleging violations of the FCRA and various state laws. The FCRA requires “consumer reporting agencies” to protect consumer credit information by employing “reasonable procedures . . . in a manner that is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information . . . .” An agency that willfully or negligently fails to comply with “any requirement imposed under [FCRA] with respect to any consumer is liable to that consumer,” with willful violations subject to statutory damages. The plaintiffs alleged that Horizon was a consumer reporting agency, but the Third Circuit did not address that issue.

The district court dismissed the complaint for lack of standing in March 2015. The court concluded that the plaintiffs had not alleged a sufficient “injury-in-fact,” because they failed to allege economic loss caused by the data breach. The district court rejected the plaintiffs’ argument that Horizon’s alleged violation of the FCRA alone conferred standing, explaining that standing required “some form of additional, ‘specific harm,’ beyond ‘mere violations of statutory and common law rights[.]’”

The Third Circuit disagreed, holding that a violation of the privacy protection right created by the FCRA constituted a sufficiently concrete injury. The court noted that the U.S. Supreme Court has “repeatedly affirmed the ability of Congress to ‘cast the standing net broadly’ and to grant individuals the ability to sue to enforce their statutory rights.” The court then went on to explain that “[w]ith passage of the FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm.” Because the FCRA creates a private “remedy for the unauthorized transfer of personal information, a violation of the FCRA gives rise to an injury sufficient for Article III standing purposes.”

The Third Circuit relied heavily on two recent decisions that similarly rejected defense arguments that a consumer must suffer economic loss to have standing to pursue class actions for alleged violations of various federal and state privacy laws. Those cases dealt with the tracking of internet user activity for advertising and other purposes, and included claims under federal and state wiretap and computer fraud statutes, as well as the federal Stored Communications Act and Video Privacy Protection Act. In re Google Inc. Cookie Placement Consumer Privacy Litigation holds that consumers had standing to sue “solely by virtue of statutes creating legal rights, the invasion of which creates standing, even absent evidence of actual monetary loss.” In re Nickelodeon Consumer Privacy Litigation expands this concept by proclaiming that “when it comes to laws that protect privacy, a focus on economic loss is misplaced.” In Horizon, the Third Circuit has now extended this rule to the consumer data breach class action context.

The Third Circuit also rejected the view that the Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins compelled the conclusion that an FCRA violation did not pose a “material risk of harm” to Horizon’s plan members. A number of federal and state courts have read Spokeo—an FCRA case that did not involve a data breach—to impose such a requirement. These courts have dismissed consumer data breach class actions on standing grounds, where the plaintiffs have not sufficiently alleged economic loss tied to the data breach.

The Third Circuit reaffirmed its view that Spokeo does not redefine the injury-in-fact requirement, but instead simply reemphasizes “that Congress ‘has the power to define injuries . . . that were previously inadequate in law.’” The Horizon plaintiffs were not alleging a “mere technical or procedural violation of FCRA,” but the unauthorized dissemination of their personal information, which is “the very injury that FCRA is intended to prevent.”

The Third Circuit’s reasoning is a marked departure from prior data breach cases in which the Third Circuit and other federal and state courts have said that fear of future identity theft alone does not establish Article III standing. One of the key questions for future cases will be whether this or other courts limit this rule to statutes that create private causes of action, as opposed to other remedies. What is clear today, though, is that this latest decision charts a path for consumers who cannot prove economic loss to nonetheless defeat motions to dismiss data breach cases by alleging de facto injuries for violations of various federal and state privacy statutes and regulations.

Ballard Spahr will conduct a webinar titled “Data Breach Litigation: Case Law Update” on March 1, 2017, from 12 p.m. to 1 p.m. ET.

Ballard Spahr’s Privacy and Data Security Group is composed of a national, cross-disciplinary team of attorneys who provide counseling, transactional, regulatory, investigative, and litigation services on privacy and cybersecurity issues across industry sectors.

Ballard Spahr’s Consumer Financial Services Group is nationally recognized for its guidance and representation of clients on the full range of federal and state consumer financial services laws throughout the country, and its skill in litigation defense and avoidance.

Ballard Spahr’s Health Care Group provides counsel on regulatory, compliance, transactional, financing, benefits and compensation, and labor and employment matters. Our attorneys represent health care providers, health plans, and business associates in implementing HIPAA/HITECH compliance programs, undertaking data security assessments, preparing breach response plans, conducting breach assessments and notifications, and advising on the use of data for research, marketing, and other purposes.