Recently, the Third Circuit Court of Appeals overturned the dismissal, by the United States District Court for the District of New Jersey, of a class action filed in the aftermath of a data breach at Horizon Healthcare Services Inc. (“Horizon”). The appellate decision in In Re: Horizon Healthcare Services Inc. Data Breach Litigation may expand the conditions under which a plaintiff can file suit against a company for loss of digitized personal information. According to the Third Circuit, it appears that violations of federal privacy law are considered de facto injuries, providing plaintiffs with standing regardless of whether they suffer an economic loss.
In November 2013, two laptops containing the unencrypted information of 839,000 Horizon customers were stolen from the company’s New Jersey headquarters. A class of Horizon members quickly filed a class action lawsuit that included claims of willful and negligent violations of the Fair Credit Reporting Act (“FCRA”), among other state-based claims.
At the core of the plaintiffs’ claim was the assertion that Horizon is a consumer reporting agency that had violated the FCRA by allowing their private information to fall into the hands of thieves and failing to adopt procedures that would keep sensitive information confidential. The plaintiffs sought statutory, actual and punitive damages, and an injunction to prevent Horizon from continuing to store personal information in an unencrypted manner. The plaintiffs claimed that the violation of their statutory right to have their information secured against unauthorized disclosure is in and of itself an injury.
The district court rejected this argument and dismissed the case for lack of Article III standing, writing that none of the plaintiffs had asserted a cognizable injury stemming from the data breach. Plaintiffs filed an appeal and presented arguments at the U.S. Court of Appeals for the Third Circuit.
In its January 2017 ruling, the appellate court declined to follow the district court’s analysis. Drawing heavily from two cases (In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015) and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016)), the Third Circuit explained that the violation of a statute can provide an injury in fact to confer Article III standing.
In Google, the court found that plaintiffs had indeed suffered harm when “cookies” were placed inside their computers, even though none of the plaintiffs had suffered any sort of loss. The Google court wrote, “So long as an injury ‘affect[s] the plaintiff in a personal and individual way,’ the plaintiff need not ‘suffer any particular type of harm to have standing.’” Likewise, in In re Nickelodeon, plaintiffs alleged that Viacom and Google had collected personal information from webpages the plaintiffs had visited. In that case, the Third Circuit held that a clear de facto injury occurs when legally protected information is unlawfully disclosed.
The Third Circuit in Horizon cited these cases to explain how the unauthorized disclosure of information has long been seen as injurious. Damages from a violation of one’s privacy are, indeed, hard to define and difficult to measure, but common law torts allow victims to recover a monetary award. Here, the Court did not claim that Horizon’s actions would allow for recovery under common law. Rather, it found recovery rights through the FCRA, in which Congress created a private right of action by stating that the unauthorized release of personal information by a credit reporting agency causes consumers an injury.
The Third Circuit also addressed Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), in which a consumer sued a website for a willful violation of the FCRA by publishing incorrect information about him. The Supreme Court ultimately overturned a Ninth Circuit decision to confer standing, ruling that the plaintiff in Spokeo satisfied only the first of the two elements needed to establish an injury in fact: particularization and concreteness. In terms of concreteness, the Supreme Court laid out a two-part test: (1) whether an intangible harm is closely related to an injury that has traditionally been considered as a basis for a lawsuit, and (2) whether Congress intended to make an injury redressable. The Court wrote that while a simple procedural infraction that bears no concrete harm is not enough, the violation of a procedural right granted by statute can be enough for standing. The Third Circuit interpreted Spokeo to mean that Congress can define de facto injuries, such as when the FCRA may be violated.
In Horizon, the Third Circuit determined that plaintiffs have Article III standing because they are alleging unauthorized dissemination of their private information—the exact injury the FCRA was created to prevent. The district court’s decision was vacated, and the case remanded.