The Third Circuit recently held that a consumer whose private information was stolen—but not fraudulently used—can bring a claim for damages under the Fair Credit Reporting Act (“FCRA”) for an alleged violation of FCRA’s requirement that consumer reporting agencies adopt reasonable procedures for protecting consumers’ confidential personal data. This requirement gives rise to a statutory right to have personal information secured against unauthorized disclosure that, when violated, constitutes an identifiable injury sufficient for standing.
The case, In Re: Horizon Healthcare Services Inc. Data Breach Litigation, concerns a health insurance company that collects and maintains personally identifiable information of its customers, including names, dates of birth, social security numbers and addresses. In 2013, two laptop computers containing the plaintiffs’ unencrypted personal information were stolen from the company’s headquarters. The plaintiffs made no allegations of identity theft. Rather, they claim the company was negligent in the storage of their personal information by not establishing safeguards to prevent their data from falling into malicious hands. The lower court rejected this claim because it found that plaintiffs suffered no concrete injury by merely having their information stolen, but not used, by an unauthorized third party.
On appeal to the Third Circuit, the plaintiffs asserted that they need not show actual use of their stolen data by the thief because defendants’ violation of FCRA’s statutory right to have personal information secured against unauthorized disclosure constitutes a sufficient injury. Alternatively, plaintiffs argued that the violation of FCRA placed them in an immediate and continuing increased risk of harm from identity theft, even if it had yet to occur, and this increased risk, in and of itself, is sufficient injury to file a claim.
Reversing the lower court’s denial of standing, the Third Circuit relied on plaintiffs’ statutory rights argument. The violation of a statutory right, according to the court, conveys standing for a consumer to bring suit in federal court. This would not constitute a sufficient injury absent the statutory requirement that companies holding personal and sensitive information take reasonable steps to prevent unauthorized dissemination of that information. According to the Court of Appeals, the theft of the laptops containing plaintiffs’ sensitive data was exactly the kind of injury the FCRA was intended to prevent.
Because the lower court ruling was based on standing, the Court of Appeals did not consider the health care services company’s assertions in the court below that it was not, in fact, a consumer reporting agency under FCRA, or that data theft did not implicate FCRA.
The full opinion of the Third Circuit may be found here: http://www2.ca3.uscourts.gov/opinarch/152309p.pdf.