Third Circuit Reverses District Court Dismissal of FCRA Class Action For Data Breach

So the Plaintiffs here do not allege a mere technical or procedural violation of FCRA.  They allege instead the unauthorized dissemination of their own private information – the very injury that FCRA is intended to prevent.
There is thus a de facto injury that satisfies the concreteness requirement for Article III standing. See In re Nickelodeon, 827 F.3d 274 (concluding that the “unlawful disclosure of legally protected information” in and of itself constitutes a “de facto injury”). Accordingly, the District Court erred when it dismissed the Plaintiffs’ claims for lack of standing.
In Re: HORIZON HEALTHCARE SERVICES INC. DATA BREACH LITIGATION Courtney Diana; Mark Meisel; Karen Pekelney; Mitchell Rindner, Appellants, No. 15-2309, 2017 WL 242554, at *11 (3d Cir. Jan. 20, 2017)

The Third Circuit reversed a district court decision that dismissed an action alleging willful and negligent violations of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681, et seq., as well as numerous violations of state law following a data breach.

Two laptops containing sensitive personal information were stolen from health insurer Horizon Healthcare Services, Inc. The district court held that the plaintiffs did not have Article III standing. The Third Circuit disagreed, stating:

Our precedent and congressional action lead us to conclude that the improper disclosure of one’s personal data in violation of FCRA is a cognizable injury for Article III standing purposes.

Note: 15 U.S.C. § 1681(b) states:

Reasonable procedures
It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this subchapter.

Procedural Stage – Several other issues remain pending, including a motion to dismiss based on statutory defenses.  The Court noted that:

[W]e assume for purposes of this appeal that FCRA was violated, as alleged, and analyze standing with that assumption in mind. Likewise, our decision regarding Article III standing does not resolve whether Plaintiffs have suffered compensable damages. Some injuries may be “enough to open the courthouse door” even though they ultimately are not compensable. Doe v. Chao, 540 U.S. 614, 625 (2004).

Practice Pointers – Those providing guidance to claims administrators may find the allegations helpful in a due diligence review:

“In addition to properly securing and monitoring the stolen laptop computers and encrypting Plaintiffs’ and Class Members’ [personal information] on the computers,” Horizon should have – according to the Complaint – conducted periodic risk assessments to identify vulnerabilities, developed information security performance metrics, and taken steps to monitor and secure the room and areas where the laptops were stored.

Proof standard – “Reckless disregard” of a requirement of FCRA would qualify as a “willful” violation within the meaning of § 1681n(a). Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47 (2007).