In re Horizon Healthcare Servs. Inc. Data Breach Litig.
Ben Barnow, Erich P. Schork [ARGUED], Barnow & Associates, P.C., One North LaSalle Street, Suite 4600, Chicago, IL 60602
Joseph J. DePalma, Jeffrey A. Shooman, Lite DePalma Greenberg, LLC, 570 Broad Street, Suite 1201, Newark, NJ 07102
Robert N. Kaplan, David A. Straite, Kaplan Fox & Kilsheimer LLP, 850 Third Avenue, 14th Floor, New York, NY 10022
Laurence D. King, Kaplan Fox & Kilsheimer LLP, 350 Sansome Street, Suite 400, San Francisco, CA 94104
Philip A. Tortoreti, Wilentz, Goldman & Spitzer, PA, 90 Woodbridge Center Drive, Suite 900, Woodbridge, NJ 07095, Counsel for Appellants
Kenneth L. Chernof [ARGUED], Arthur Luk, Arnold & Porter LLP, 601 Massachusetts Avenue, NW, Washington, DC 20001
David Jay, Philip R. Sellinger, Greenberg Traurig, 500 Campus Drive, Suite 400, Florham Park, NJ 07932, Counsel for Appellee
Before: JORDAN, VANASKIE, and SHWARTZ, Circuit Judges.
The dispute at the bottom of this putative class action began when two laptops, containing sensitive personal information, were stolen from health insurer Horizon Healthcare Services, Inc. The four named Plaintiffs filed suit on behalf of themselves and other Horizon customers whose personal information was stored on those laptops. They allege willful and negligent violations of the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681, et seq., as well as numerous violations of state law. Essentially, they say that Horizon inadequately protected their personal information. The District Court dismissed the suit under Federal Rule of Civil Procedure 12(b)(1) for lack of Article III standing. According to the Court, none of the Plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment.
We will vacate and remand. In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs' information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Rule 12(b)(1).
Horizon Healthcare Services, Inc., d/b/a Horizon Blue Cross Blue Shield of New Jersey ("Horizon") is a New Jersey-based company that provides health insurance products and services to approximately 3.7 million members. In the regular course of its business, Horizon collects and maintains personally identifiable information (e.g., names, dates of birth, social security numbers, and addresses) and protected health information (e.g., demographic information, medical histories, test and lab results, insurance information, and other care-related data) on its customers and potential customers. The named Plaintiffs—Courtney Diana, Mark Meisel, Karen Pekelney, and Mitchell Rindner—and other class members are or were participants in, or as Horizon puts it, members of Horizon insurance plans. They entrusted Horizon with their personal information.
Horizon's privacy policy states that the company "maintain[s] appropriate administrative, technical and physical safeguards to reasonably protect [members'] Private Information." (App. at 29.) The policy also provides that, any time Horizon relies on a third party to perform a business service using personal information, it requires the third party to "safeguard [members'] Private Information" and "agree to use it only as required to perform its functions for [Horizon] and as otherwise permitted by ... contract and the law." (App. at 29.) Through the policy, Horizon pledges to "notify [members of its insurance plans] without unreasonable delay" of any breach of privacy. (App. at 29.)
During the weekend of November 1st to 3rd, 2013, two laptop computers containing the unencrypted personal information of the named Plaintiffs and more than 839,000 other Horizon members were stolen from Horizon's headquarters in Newark, New Jersey. The Complaint alleges that "[t]he facts surrounding the Data Breach demonstrate that the stolen laptop computers were targeted due to the storage of Plaintiffs' and Class Members' highly sensitive and private [personal information] on them." (App. at 32.) Horizon discovered the theft the following Monday, and notified the Newark Police Department that day. It alerted potentially affected members by letter and a press release a month later, on December 6. The press release concerning the incident noted that the computers "may have contained files with differing amounts of member information, including name and demographic information (e.g., address, member identification number, date of birth), and in some instances, a Social Security number and/or limited clinical information." (App. at 33.)
Horizon offered one year of credit monitoring and identity theft protection services to those affected, which the Plaintiffs allege was inadequate to remedy the effects of the data breach. At a January 2014 New Jersey Senate hearing, "Horizon confirmed that it had not encrypted all of its computers that contained [personal information]." (App. at 35.) Thereafter, "Horizon allegedly established safeguards to prevent a similar incident in the future—including tougher policies and stronger encryption processes that could have been implemented prior to the Data Breach and prevented it." (App. at 35.)
Some personal history about the named Plaintiffs is included in the Complaint. Diana, Meisel, and Pekelney are all citizens and residents of New Jersey who were Horizon members who received letters from Horizon indicating that their personal information was on the stolen laptops. The Complaint does not include any allegation that their identities were stolen as a result of the data breach. Plaintiff Rindner is a citizen and resident of New York. He was a Horizon member but was not initially notified of the data breach. After Rindner contacted Horizon in February 2014, the company confirmed that his personal information was on the stolen computers. The Plaintiffs allege that, "[a]s a result of the Data Breach, a thief or thieves submitted to the [IRS] a fraudulent Income Tax Return for 2013 in Rindner's and his wife's names and stole their 2013 income tax refund." (App. at 27.) Rindner eventually did receive the refund, but "spent time working with the IRS and law enforcement ... to remedy the effects" of the fraud, "incurred other out-of-pocket expenses to remedy the identity theft[,]" and was "damaged financially by the related delay in receiving his tax refund." (App. at 27, 41.) After that fraudulent tax return, someone also fraudulently attempted to use Rindner's credit card number in an online transaction. Rindner was also "recently denied retail credit because his social security number has been associated with identity theft." (App. at 27.)
The Plaintiffs filed suit on June 27, 2014. Count I of the Complaint claims that Horizon committed a willful violation of FCRA; Count II alleges a negligent violation of FCRA; and the remaining counts allege various violations of state law. FCRA was enacted in 1970 "to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy." Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47, 52, 127 S.Ct. 2201, 167 L.Ed.2d 1045 (2007). With respect to consumer privacy, the statute imposes certain requirements on any "consumer reporting agency" that "regularly ... assembl[es] or evaluat[es] consumer credit information ... for the purpose of furnishing consumer reports to third parties." 15 U.S.C. § 1681a(f). Any such agency that either willfully or negligently "fails to comply with any requirement imposed under [FCRA] with respect to any consumer is liable to that consumer." Id. §§ 1681n(a) (willful violations); 1681o(a) (negligent violations).
In their Complaint, the Plaintiffs assert that Horizon is a consumer reporting agency and that it violated FCRA in several respects. They say that Horizon "furnish[ed]" their information in an unauthorized fashion by allowing it to fall into the hands of thieves. (App. at 48.) They also allege that Horizon fell short of its FCRA responsibility to adopt reasonable procedures to keep sensitive information confidential. According to the Plaintiffs, Horizon's failure to protect their personal information violated the company's responsibility under FCRA to maintain the confidentiality of their personal information.
The Plaintiffs seek statutory, actual, and punitive damages, an injunction to prevent Horizon from continuing to store personal information in an unencrypted manner, reimbursement for ascertainable losses, pre- and post-judgment interest, attorneys' fees and costs, and "such other and further relief as this Court may deem just and proper." (App. at 64.)
Horizon moved to dismiss the Complaint for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim upon which relief can be granted under Rule 12(b)(6). The District Court granted dismissal under Rule 12(b)(1), ruling that the Plaintiffs lack Article III standing. The Court concluded that, even taking the Plaintiffs' allegations as true, they did not have standing because they had not suffered a cognizable injury. Because the Court granted Horizon's Rule 12(b)(1) motion, it did not address Horizon's Rule 12(b)(6) arguments and declined to exercise supplemental jurisdiction over the remaining state law...