On January 20, 2017, the U.S. Third Circuit Court of Appeals vacated the dismissal of a class action arising from a data breach affecting a health insurance provider, Horizon Healthcare Services, Inc. In In re Horizon Healthcare Servs. Data Breach Litig., No. 15-2309, 2017 U.S. App. LEXIS 1019 (3d Cir. Jan. 20, 2017), the Third Circuit ruled that a breach of the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (FCRA), was sufficient to confer standing on the plaintiffs, even in the absence of an alleged economic loss or proof that the plaintiffs' confidential information was actually used by the perpetrator.
In November 2013, two Horizon laptops containing unencrypted personal information on more than 839,000 members of Horizon insurance plans were stolen from Horizon's headquarters in Newark, New Jersey, over the course of a weekend. In December 2013, Horizon notified its members that "files with differing amounts of member information, including name and demographic information (e.g., address, member identification number, date of birth), and in some instances, a Social Security number and/or limited clinical information" may have been compromised as a result of the breach, and offered one year of free credit monitoring and protection services.
Four members whose data was contained on the laptops filed suit, alleging that Horizon willfully and negligently violated the FCRA by "furnishing" their confidential protected information to unauthorized persons and by failing to adopt reasonable measures to protect said information. The plaintiffs, however, did not allege that their identities had been stolen or that they had suffered an economic loss as a result of the breach. The district court granted Horizon's motion to dismiss on the basis that the plaintiffs had no Article III standing because they had not alleged a cognizable injury beyond a "mere" statutory violation.
The Third Circuit vacated the dismissal. Citing its prior ruling in In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3d Cir. 2016), the court stated that "'the actual or threatened injury required by Art[icle] III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing,' even absent evidence of actual monetary loss…. [W]ith the passage of the FCRA, Congress established that the unauthorized dissemination of [Plaintiffs'] private information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some future harm." The Third Circuit rejected Horizon's argument that the Supreme Court's decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 194 L. Ed. 2d 635 (2016) mandated dismissal of the suit: "In the absence of any indication to the contrary, we understand that the Spokeo Court meant to reiterate traditional notions of standing, rather than erect any new barriers that might prevent Congress from identifying new causes of action though they may be based on intangible harms."
The Horizon decision highlights the conflicting post-Spokeo authority regarding standing in data breach cases. The Sixth Circuit in Galaria v. Nationwide Mut. Ins. Co., No. 15-3386/3387, 2016 U.S. App. LEXIS 16840 (6th Cir. Sep. 12, 2016) has similarly held that plaintiffs whose sensitive personal information (including Social Security and driver's license numbers) had been stolen by hackers via an attack on the defendant insurer's computer system had alleged actual or threatened harm sufficient to confer standing under the FCRA, even though none of the plaintiffs had alleged that their identities had been stolen or that their data had been misused by the hackers. But some post-Spokeo district courts have held that "the mere loss of data—without any evidence that it has been either viewed or misused—does not constitute an injury sufficient to confer standing." Attias v. CareFirst, Inc., 2016 U.S. Dist. LEXIS 105480, *14 (D.D.C. Aug. 10, 2016); see also Chambliss v. CareFirst, Inc., 189 F. Supp. 3d 564 (D. Md. 2016). In these cases, the courts ruled that the threat of identity theft was speculative because the data breach did not compromise the plaintiffs' most sensitive personal information, such as Social Security and credit card numbers.
These conflicting rulings demonstrate the fact-specific nature of Article III standing inquiries in data breach cases. To the extent that a plaintiff can establish that the most sensitive categories of personal information have been compromised in a data breach, courts appear more likely to find that standing has been established, even if no economic loss is alleged.