Litigation Alert: The Third Circuit Holds That Allegations That Personal Information Was Improperly Disclosed in Violation of the Fair Credit Reporting Act Are Sufficient to Establish Standing at the Pleading Stage

Last week, the Third Circuit held that allegations of the unauthorized disclosure of personal information in violation of the Fair Credit Reporting Act (FCRA) constituted a de facto injury sufficient to confer standing at the pleading stage in reversing the dismissal of a class action complaint in a data breach case in In re: Horizon Healthcare Services, Inc. Data Breach Litigation, No. 15-2309 (3d Cir. Jan. 20, 2017).

The FCRA was enacted to “ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” Safeco Ins. Co. of Am. V. Burr, 551 U.S. 47, 52 (2007). It imposes certain requirements on any “consumer reporting agency” that “regularly … assembl[es] or evaluat[es] consumer credit information … for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f). The FCRA provides a private right of action against consumer reporting agencies for their willful or negligent failures to comply with the FCRA’s requirements. See 15 U.S.C. § 1681n(a) & 1681o(a).

Horizon Healthcare Services, Inc., d/b/a Horizon Blue Cross Blue Shield of New Jersey (“Horizon”) provides health insurance products and services and collects and maintains both personally identifiable information and protected history information in the ordinary course of business. During the week of November 1, 2013, two laptop computers alleged to contain the unencrypted personal information of more than 839,000 members of Horizon insurance plans were stolen from Horizon’s headquarters. After the theft, Horizon alerted the affected members by letter and a press release. Horizon offered one year of credit monitoring and identity theft protection services to the affected members.

The four named plaintiffs — Courtney Diana, Mark Miesel, Karen Pekelney, and Mitchell Rindner — filed a class action complaint on June 27, 2014, on behalf of all Horizon members whose personal information was stored on the stolen laptops, asserting both willful and negligent violations of FCRA and various state law violations. Plaintiffs alleged that Horizon was a consumer reporting agency which “furnish[ed]” their information in an unauthorized manner by allowing it to fall into the hands of thieves. They also alleged that Horizon fell short of its FCRA responsibility to adopt reasonable procedures, such as encryption, to keep their personal information confidential. One of the fourt plaintiffs alleged he had experienced identity theft following the incident.

The district court dismissed the complaint, concluding that plaintiffs had not alleged a cognizable injury sufficient to confer Article III standing. The district court found that any future risk of harm, such as identity fraud or theft, depended on the “conjectural conduct of a third party bandit,” and was too “attenuated” to establish standing.

The Third Circuit reversed the district court’s dismissal and remanded the case for further proceeding in in In re: Horizon Healthcare Services, Inc. Data Breach Litigation, No. 15-2309 (3d Cir. Jan. 20, 2017), concluding that plaintiffs’ allegations that their personal information was disclosed without their authorization in violation of the FCRA was sufficient to establish standing at the pleading stage. Because the district court had not ruled on Horizon’s Rule 12(b)(6)...