US District Court for the District of New Jersey Dismisses Data Breach Class Action on Lack of Article III Standing

In re Horizon Healthcare Services, Inc. Data Breach Litigation was a class action law suit arising out of the theft of two of Horizon’s password-protected laptops that contained the personal information of more than 839,000 of Horizon’s members. Horizon is a national health care insurance provider. The data maintained on the laptops included names, dates of birth, Social Security numbers, addresses, medical histories, and the insurance information of Horizon’s members. Withinone month of the theft, Horizon notified the potentially affected members of the theft and offered free credit monitoring and identity theft protection for those members whose Social Security numbers were on the stolen laptops.

Four named plaintiffs filed a putative class action on their own behalf and on behalf of other members whose information was on the stolen laptops asserting allegations under the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq. (“FCRA”), as well as New Jersey state law causes of action.

Horizon filed a 12(b)(1) motion to dismiss arguing the Plaintiffs’ lack of Article III constitutional standing.

Similar to other recent rulings, In ruling that all four named Plaintiffs failed to establish standing to assert their claim under the FCRA, the Court found that three out of the four named Plaintiffs did not allege that they suffered any specific harm as a result of the data breach.

These Plaintiffs sought to rely on the premiums paid by them as a form of economic injury since the premiums were, in part, allocated to database protection. Plaintiffs cited Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012), in their opposition to Horizon’s motion. In Resnick, the 11th Circuit Court of Appeals held that members who paid the health care company for data security through monthly payments and whose data was contained on the two laptops stolen from a health care company satisfied Article III standing. The Court, however, distinguished the Horizon plaintiffs from those in Resnick, since the Horizon plaintiffs did not claim that they were careful about guarding their sensitive information or that they suffered any monetary losses or injuries such as identity theft or identity fraud.

The Court also rejected the Plaintiffs’ argument that the violation of statute or common law alone is sufficient to establish constitutional standing since standing requires proof of an actual injury, not merely a violation of a statute.

The Court reiterated that “an increased risk of identity theft resulting from a security breach [is][] insufficient to secure standing,” and rejected the Plaintiffs’ attempt to rely on hypothetical future injury as a basis for standing.

Plaintiffs’ also argued that the imminence of future harm depends upon whether any of the compromised data was misused post breach and whether the facts surrounding the breach suggest the data theft was sophisticated, intentional or malicious. The Court ruled in any even that the Plaintiffs could not establish any of the data was misused post breach since the loss of data was a result of a mere theft of the laptops without any indication that the data on the laptops was an actual target.

The fourth named Plaintiff alleged that as a result of the data breach, a fraudulent joint tax return was filed under his and his wife’s names and that someone attempted to fraudulently use his credit card. With regard to the claim related to the fraudulent tax return, the Court noted that the wife’s information was not part of the lost data, which suggests that the information used for fraudulent tax return was obtained from sources other than the data breach. The Court also found that the concurrent causation analysis does not support Plaintiff’s argument since, given the facts of this case, the tax fraud injury is not “fairly traceable” to Horizon. Also, since Plaintiff did ultimately receive his tax refund, he was unable to satisfy the redressability element of Article III standing. Finally, the claim that the fraudulent use of Plaintiff’s credit card was related to the Horizon data breach was unsupported by the facts since the credit card information was not included in the lost data.

Based upon all of the foregoing, the Court dismissed Plaintiffs’ federal claims. Due to the lack of supplemental jurisdiction over the state law claims pursuant to 28 U.S.C. §1367, the Court also dismissed the state law claims.

- See more at: http://www.traublieberman.com/cyber-law/2015/0421/6294/#sthash.VZzcfzAH.dpuf

In re Horizon Healthcare Services, Inc. Data Breach Litigation was a class action law suit arising out of the theft of two of Horizon’s password-protected laptops that contained the personal information of more than 839,000 of Horizon’s members. Horizon is a national health care insurance provider. The data maintained on the laptops included names, dates of birth, Social Security numbers, addresses, medical histories, and the insurance information of Horizon’s members. Withinone month of the theft, Horizon notified the potentially affected members of the theft and offered free credit monitoring and identity theft protection for those members whose Social Security numbers were on the stolen laptops.

Four named plaintiffs filed a putative class action on their own behalf and on behalf of other members whose information was on the stolen laptops asserting allegations under the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq. (“FCRA”), as well as New Jersey state law causes of action.

Horizon filed a 12(b)(1) motion to dismiss arguing the Plaintiffs’ lack of Article III constitutional standing.

Similar to other recent rulings, In ruling that all four named Plaintiffs failed to establish standing to assert their claim under the FCRA, the Court found that three out of the four named Plaintiffs did not allege that they suffered any specific harm as a result of the data breach.

These Plaintiffs sought to rely on the premiums paid by them as a form of economic injury since the premiums were, in part, allocated to database protection. Plaintiffs cited Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012), in their opposition to Horizon’s motion. In Resnick, the 11th Circuit Court of Appeals held that members who paid the health care company for data security through monthly payments and whose data was contained on the two laptops stolen from a health care company satisfied Article III standing. The Court, however, distinguished the Horizon plaintiffs from those in Resnick, since the Horizon plaintiffs did not claim that they were careful about guarding their sensitive information or that they suffered any monetary losses or injuries such as identity theft or identity fraud.

The Court also rejected the Plaintiffs’ argument that the violation of statute or common law alone is sufficient to establish constitutional standing since standing requires proof of an actual injury, not merely a violation of a statute.

The Court reiterated that “an increased risk of identity theft resulting from a security breach [is][] insufficient to secure standing,” and rejected the Plaintiffs’ attempt to rely on hypothetical future injury as a basis for standing.

Plaintiffs’ also argued that the imminence of future harm depends upon whether any of the compromised data was misused post breach and whether the facts surrounding the breach suggest the data theft was sophisticated, intentional or malicious. The Court ruled in any even that the Plaintiffs could not establish any of the data was misused post breach since the loss of data was a result of a mere theft of the laptops without any indication that the data on the laptops was an actual target.

The fourth named Plaintiff alleged that as a result of the data breach, a fraudulent joint tax return was filed under his and his wife’s names and that someone attempted to fraudulently use his credit card. With regard to the claim related to the fraudulent tax return, the Court noted that the wife’s information was not part of the lost data, which suggests that the information used for fraudulent tax return was obtained from sources other than the data breach. The Court also found that the concurrent causation analysis does not support Plaintiff’s argument since, given the facts of this case, the tax fraud injury is not “fairly traceable” to Horizon. Also, since Plaintiff did ultimately receive his tax refund, he was unable to satisfy the redressability element of Article III standing. Finally, the claim that the fraudulent use of Plaintiff’s credit card was related to the Horizon data breach was unsupported by the facts since the credit card information was not included in the lost data.

Based upon all of the foregoing, the Court dismissed Plaintiffs’ federal claims. Due to the lack of supplemental jurisdiction over the state law claims pursuant to 28 U.S.C. §1367, the Court also dismissed the state law claims.

- See more at: http://www.traublieberman.com/cyber-law/2015/0421/6294/#sthash.VZzcfzAH.dpuf

In re Horizon Healthcare Services, Inc. Data Breach Litigation was a class action law suit arising out of the theft of two of Horizon’s password-protected laptops that contained the personal information of more than 839,000 of Horizon’s members. Horizon is a national health care insurance provider. The data maintained on the laptops included names, dates of birth, Social Security numbers, addresses, medical histories, and the insurance information of Horizon’s members. Withinone month of the theft, Horizon notified the potentially affected members of the theft and offered free credit monitoring and identity theft protection for those members whose Social Security numbers were on the stolen laptops.

Four named plaintiffs filed a putative class action on their own behalf and on behalf of other members whose information was on the stolen laptops asserting allegations under the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq. (“FCRA”), as well as New Jersey state law causes of action.

Horizon filed a 12(b)(1) motion to dismiss arguing the Plaintiffs’ lack of Article III constitutional standing.

Similar to other recent rulings, In ruling that all four named Plaintiffs failed to establish standing to assert their claim under the FCRA, the Court found that three out of the four named Plaintiffs did not allege that they suffered any specific harm as a result of the data breach.

These Plaintiffs sought to rely on the premiums paid by them as a form of economic injury since the premiums were, in part, allocated to database protection. Plaintiffs cited Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012), in their opposition to Horizon’s motion. In Resnick, the 11th Circuit Court of Appeals held that members who paid the health care company for data security through monthly payments and whose data was contained on the two laptops stolen from a health care company satisfied Article III standing. The Court, however, distinguished the Horizon plaintiffs from those in Resnick, since the Horizon plaintiffs did not claim that they were careful about guarding their sensitive information or that they suffered any monetary losses or injuries such as identity theft or identity fraud.

The Court also rejected the Plaintiffs’ argument that the violation of statute or common law alone is sufficient to establish constitutional standing since standing requires proof of an actual injury, not merely a violation of a statute.

The Court reiterated that “an increased risk of identity theft resulting from a security breach [is][] insufficient to secure standing,” and rejected the Plaintiffs’ attempt to rely on hypothetical future injury as a basis for standing.

Plaintiffs’ also argued that the imminence of future harm depends upon whether any of the compromised data was misused post breach and whether the facts surrounding the breach suggest the data theft was sophisticated, intentional or malicious. The Court ruled in any even that the Plaintiffs could not establish any of the data was misused post breach since the loss of data was a result of a mere theft of the laptops without any indication that the data on the laptops was an actual target.

The fourth named Plaintiff alleged that as a result of the data breach, a fraudulent joint tax return was filed under his and his wife’s names and that someone attempted to fraudulently use his credit card. With regard to the claim related to the fraudulent tax return, the Court noted that the wife’s information was not part of the lost data, which suggests that the information used for fraudulent tax return was obtained from sources other than the data breach. The Court also found that the concurrent causation analysis does not support Plaintiff’s argument since, given the facts of this case, the tax fraud injury is not “fairly traceable” to Horizon. Also, since Plaintiff did ultimately receive his tax refund, he was unable to satisfy the redressability element of Article III standing. Finally, the claim that the fraudulent use of Plaintiff’s credit card was related to the Horizon data breach was unsupported by the facts since the credit card information was not included in the lost data.

Based upon all of the foregoing, the Court dismissed Plaintiffs’ federal claims. Due to the lack of supplemental jurisdiction over the state law claims pursuant to 28 U.S.C. §1367, the Court also dismissed the state law claims.