To paraphrase Mark Twain, the rumors of the demise of data breach class actions have been greatly exaggerated, at least in the states within the U.S. Court of Appeals for the Third Circuit (New Jersey, Pennsylvania and Delaware). The Court held in In re Horizon Healthcare Services Inc. Data Breach Litigation that the recent U.S. Supreme court case of Spokeo v. Robins did not preclude such litigation, and that plaintiffs whose injury is limited to disclosure of their personal action have standing to sue.
Horizon arose, as many data breach cases do, from the theft of laptop computers with unencrypted personal information, including Social Security Numbers, member identification numbers, dates of birth and limited clinical information of over 839,000 Horizon subscribers. A class action was brought in the U.S. District Court for the District of New Jersey alleging violations of the Fair Credit Reporting Act (“FCRA”) and violations of New Jersey state law. The District Court granted Horizon’s motion to dismiss, holding that the allegation of loss of personal information was not a sufficiently “concrete” injury for plaintiffs to have standing to sue.
The Third Circuit reversed and remanded the case to the District Court. The appeals court wrote that Congress explicitly provided for protection of personal information under FCRA, and so the loss of that information was a “de facto injury” that conveyed standing to sue. The court cited two of its own decisions that also had held that loss of personal information by itself is an injury that fulfills the constitutional requirement of concrete injury as a basis for a law suit. It also rebutted Horizon’s argument that Spokeo (discussed here) precluded law suits based on breaches of protected data. Spokeo, the Third Circuit wrote, did not concern loss of protected personal information where that protection was mandated by Congress.
The Horizon plaintiffs do not yet have a clear path to trial. The Third Circuit remanded the matter to the District Court for consideration, among other things, of whether Horizon, as a health insurer, is a consumer reporting agency under FCRA. If Horizon does not meet the statutory criteria as a consumer reporting agency, an action under FCRA probably won’t lie, though state claims may continue.
The Horizon decision is significant for its holding, similar to those in the Sixth, Seventh and Eleventh Circuits that the mere disclosure of protected information meets the test for standing to bring a data breach action on a remand to state court.
If you have questions regarding litigation concerning data breaches, please contact Kenneth N. Rashbaum.