holding that "the improper disclosure of one's personal data in violation of FCRA is a cognizable injury for Article III standing purposes."Summary of this case from Katz v. Six Flags Great Adventure, LLC
Ben Barnow, Erich P. Schork [ARGUED], Barnow & Associates, P.C., One North LaSalle Street, Suite 4600, Chicago, IL 60602 Joseph J. DePalma, Jeffrey A. Shooman, Lite DePalma Greenberg, LLC, 570 Broad Street, Suite 1201, Newark, NJ 07102 Robert N. Kaplan, David A. Straite, Kaplan Fox & Kilsheimer LLP, 850 Third Avenue, 14th Floor, New York, NY 10022 Laurence D. King, Kaplan Fox & Kilsheimer LLP, 350 Sansome Street, Suite 400, San Francisco, CA 94104 Philip A. Tortoreti, Wilentz, Goldman & Spitzer, PA, 90 Woodbridge Center Drive, Suite 900, Woodbridge, NJ 07095, Counsel for Appellants Kenneth L. Chernof [ARGUED], Arthur Luk, Arnold & Porter LLP, 601 Massachusetts Avenue, NW, Washington, DC 20001 David Jay, Philip R. Sellinger, Greenberg Traurig, 500 Campus Drive, Suite 400, Florham Park, NJ 07932, Counsel for Appellee
Ben Barnow, Erich P. Schork [ARGUED], Barnow & Associates, P.C., One North LaSalle Street, Suite 4600, Chicago, IL 60602
Joseph J. DePalma, Jeffrey A. Shooman, Lite DePalma Greenberg, LLC, 570 Broad Street, Suite 1201, Newark, NJ 07102
Robert N. Kaplan, David A. Straite, Kaplan Fox & Kilsheimer LLP, 850 Third Avenue, 14th Floor, New York, NY 10022
Laurence D. King, Kaplan Fox & Kilsheimer LLP, 350 Sansome Street, Suite 400, San Francisco, CA 94104
Philip A. Tortoreti, Wilentz, Goldman & Spitzer, PA, 90 Woodbridge Center Drive, Suite 900, Woodbridge, NJ 07095, Counsel for Appellants
Kenneth L. Chernof [ARGUED], Arthur Luk, Arnold & Porter LLP, 601 Massachusetts Avenue, NW, Washington, DC 20001
David Jay, Philip R. Sellinger, Greenberg Traurig, 500 Campus Drive, Suite 400, Florham Park, NJ 07932, Counsel for Appellee
Before: JORDAN, VANASKIE, and SHWARTZ, Circuit Judges.
JORDAN, Circuit Judge.
The dispute at the bottom of this putative class action began when two laptops, containing sensitive personal information, were stolen from health insurer Horizon Healthcare Services, Inc. The four named Plaintiffs filed suit on behalf of themselves and other Horizon customers whose personal information was stored on those laptops. They allege willful and negligent violations of the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681, et seq. , as well as numerous violations of state law. Essentially, they say that Horizon inadequately protected their personal information. The District Court dismissed the suit under Federal Rule of Civil Procedure 12(b)(1) for lack of Article III standing. According to the Court, none of the Plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment.
We will vacate and remand. In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs' information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Rule 12(b)(1).
Because this is an appeal from the District Court's grant of a motion to dismiss, we recite the facts as alleged and make all reasonable inferences in the Plaintiffs' favor. Oshiver v. Levin, Fishbein, Sedran & Berman, 38 F.3d 1380, 1384 (3d Cir. 1994).
Horizon Healthcare Services, Inc., d/b/a Horizon Blue Cross Blue Shield of New Jersey ("Horizon") is a New Jersey-based company that provides health insurance products and services to approximately 3.7 million members. In the regular course of its business, Horizon collects and maintains personally identifiable information (e.g. , names, dates of birth, social security numbers, and addresses) and protected health information (e.g. , demographic information, medical histories, test and lab results, insurance information, and other care-related data) on its customers and potential customers. The named Plaintiffs—Courtney Diana, Mark Meisel, Karen Pekelney, and Mitchell Rindner —and other class members are or were participants in, or as Horizon puts it, members of Horizon insurance plans. They entrusted Horizon with their personal information.
Only Diana was listed as a named Plaintiff in the original complaint. Plaintiffs Pekelney and Meisel filed a separate putative class action complaint on January 28, 2014. Pekelney and Meisel then filed a motion to consolidate the cases on February 10, 2014. Horizon joined the motion. The cases were consolidated and Rindner was later added as a Plaintiff in the amended complaint. We will refer to the amended complaint as "the Complaint."
The Complaint identifies the class members as: "All persons whose personal identifying information (PII) or protected health information (PHI) were contained on the computers stolen from Horizon's Newark, New Jersey office on or about November 1–3, 2013." (App. at 44.) For ease of reference, we will refer to "personally identifiable information" and "protected health information"—a distinction made by the Complaint—together as "personal information."
During the weekend of November 1st to 3rd, 2013, two laptop computers containing the unencrypted personal information of the named Plaintiffs and more than 839,000 other Horizon members were stolen from Horizon's headquarters in Newark, New Jersey. The Complaint alleges that "[t]he facts surrounding the Data Breach demonstrate that the stolen laptop computers were targeted due to the storage of Plaintiffs' and Class Members' highly sensitive and private [personal information] on them." (App. at 32.) Horizon discovered the theft the following Monday, and notified the Newark Police Department that day. It alerted potentially affected members by letter and a press release a month later, on December 6. The press release concerning the incident noted that the computers "may have contained files with differing amounts of member information, including name and demographic information (e.g., address, member identification number, date of birth), and in some instances, a Social Security number and/or limited clinical information." (App. at 33.)
Horizon offered one year of credit monitoring and identity theft protection services to those affected, which the Plaintiffs allege was inadequate to remedy the effects of the data breach. At a January 2014 New Jersey Senate hearing, "Horizon confirmed that it had not encrypted all of its computers that contained [personal information]." (App. at 35.) Thereafter, "Horizon allegedly established safeguards to prevent a similar incident in the future—including tougher policies and stronger encryption processes that could have been implemented prior to the Data Breach and prevented it." (App. at 35.)
Some personal history about the named Plaintiffs is included in the Complaint. Diana, Meisel, and Pekelney are all citizens and residents of New Jersey who were Horizon members who received letters from Horizon indicating that their personal information was on the stolen laptops. The Complaint does not include any allegation that their identities were stolen as a result of the data breach. Plaintiff Rindner is a citizen and resident of New York. He was a Horizon member but was not initially notified of the data breach. After Rindner contacted Horizon in February 2014, the company confirmed that his personal information was on the stolen computers. The Plaintiffs allege that, "[a]s a result of the Data Breach, a thief or thieves submitted to the [IRS] a fraudulent Income Tax Return for 2013 in Rindner's and his wife's names and stole their 2013 income tax refund." (App. at 27.) Rindner eventually did receive the refund, but "spent time working with the IRS and law enforcement ... to remedy the effects" of the fraud, "incurred other out-of-pocket expenses to remedy the identity theft[,]" and was "damaged financially by the related delay in receiving his tax refund." (App. at 27, 41.) After that fraudulent tax return, someone also fraudulently attempted to use Rindner's credit card number in an online transaction. Rindner was also "recently denied retail credit because his social security number has been associated with identity theft." (App. at 27.) B. Procedural Background
The Plaintiffs filed suit on June 27, 2014. Count I of the Complaint claims that Horizon committed a willful violation of FCRA; Count II alleges a negligent violation of FCRA; and the remaining counts allege various violations of state law. FCRA was enacted in 1970 "to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy." Safeco Ins. Co. of Am. v. Burr , 551 U.S. 47, 52, 127 S.Ct. 2201, 167 L.Ed.2d 1045 (2007). With respect to consumer privacy, the statute imposes certain requirements on any "consumer reporting agency" that "regularly ... assembl[es] or evaluat[es] consumer credit information ... for the purpose of furnishing consumer reports to third parties." 15 U.S.C. § 1681a(f). Any such agency that either willfully or negligently "fails to comply with any requirement imposed under [FCRA] with respect to any consumer is liable to that consumer." Id . §§ 1681n(a) (willful violations); 1681o(a) (negligent violations).
In particular, Count III alleges negligence; Count IV alleges breach of contract; Count V alleges an invasion of privacy; Count VI alleges unjust enrichment; Count VII alleges a violation of the New Jersey Consumer Fraud Act; Count VIII alleges a failure to destroy certain records, in violation of N.J.S.A. § 56:8–162 ; Count IX alleges a failure to promptly notify customers following the security breach, in violation of the New Jersey Consumer Fraud Act; and Count X alleges a violation of the Truth-in-Consumer Contract, Warranty and Notice Act. In their response to Horizon's motion to dismiss, the Plaintiffs consented to the dismissal of Count X without prejudice.
In their Complaint, the Plaintiffs assert that Horizon is a consumer reporting agency and that it violated FCRA in several respects. They say that Horizon "furnish[ed]" their information in an unauthorized fashion by allowing it to fall into the hands of thieves. (App. at 48.) They also allege that Horizon fell short of its FCRA responsibility to adopt reasonable procedures to keep sensitive information confidential. According to the Plaintiffs, Horizon's failure to protect their personal information violated the company's responsibility under FCRA to maintain the confidentiality of their personal information. The Plaintiffs seek statutory, actual, and punitive damages, an injunction to prevent Horizon from continuing to store personal information in an unencrypted manner, reimbursement for ascertainable losses, pre- and post-judgment interest, attorneys' fees and costs, and "such other and further relief as this Court may deem just and proper." (App. at 64.)
15 U.S.C. § 1681(b) states:
Reasonable procedures [-] It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this subchapter.
"In addition to properly securing and monitoring the stolen laptop computers and encrypting Plaintiffs' and Class Members' [personal information] on the computers," Horizon should have—according to the Complaint—conducted periodic risk assessments to identify vulnerabilities, developed information security performance metrics, and taken steps to monitor and secure the room and areas where the laptops were stored. (App. at 48–49.) Therefore, say the Plaintiffs, "Horizon failed to take reasonable and appropriate measures to secure the stolen laptop computers and safeguard and protect Plaintiffs' and Class Members' [personal information]." (App. at 49.)
Section 1681a(d)(3) of title 15 of the U.S. Code imposes a restriction, with certain exceptions, on the sharing of medical information with any persons not related by common ownership or affiliated by corporate control. Section 1681b(g)(1) states that "[a] consumer reporting agency shall not furnish for employment purposes, or in connection with a credit or insurance transaction, a consumer report that contains medical information ... about a consumer," with certain limited exceptions. Section 1681c(a)(6) states that a consumer reporting agency cannot, with limited exceptions, make a consumer report containing "[t]he name, address, and telephone number of any medical information furnisher that has notified the agency of its status...."
FCRA permits statutory damages, but only for willful violations. See 15 U.S.C. § 1681n(a) ("Any person who willfully fails to comply with any requirement imposed under this subchapter with respect to any consumer is liable to that consumer in an amount equal to the sum of ... any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000....").
Horizon moved to dismiss the Complaint for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim upon which relief can be granted under Rule 12(b)(6). The District Court granted dismissal under Rule 12(b)(1), ruling that the Plaintiffs lack Article III standing. The Court concluded that, even taking the Plaintiffs' allegations as true, they did not have standing because they had not suffered a cognizable injury. Because the Court granted Horizon's Rule 12(b)(1) motion, it did not address Horizon's Rule 12(b)(6) arguments and declined to exercise supplemental jurisdiction over the remaining state law claims.
The Plaintiffs filed this timely appeal.
A. Jurisdiction and Standard of Review
The District Court exercised jurisdiction over the Plaintiffs' FCRA claims pursuant to 28 U.S.C. § 1331, though it ultimately concluded that it did not have jurisdiction due to the lack of standing. Having decided that the Plaintiffs did not have standing under FCRA, the District Court also concluded that it "lack[ed] discretion to retain supplemental jurisdiction over the state law claims" under 28 U.S.C. § 1367. (App. at 23 (citation omitted).) See Storino v. Borough of Pleasant Beach , 322 F.3d 293, 299 (3d Cir. 2003) (holding that "because the [plaintiffs] lack standing, the District Court lacked original jurisdiction over the federal claim, and it therefore could not exercise supplemental jurisdiction"). We exercise appellate jurisdiction pursuant to 28 U.S.C. § 1291.
Our review of the District Court's dismissal of a complaint pursuant to Federal Rule of Civil Procedure 12(b)(1) is de novo . United States ex rel. Atkinson v. Pa. Shipbuilding Co. , 473 F.3d 506, 514 (3d Cir. 2007). Two types of challenges can be made under Rule 12(b)(1) —"either a facial or a factual attack." Davis v. Wells Fargo , 824 F.3d 333, 346 (3d Cir. 2016). That distinction is significant because, among other things, it determines whether we accept as true the non-moving party's facts as alleged in its pleadings. Id. (noting that with a factual challenge, "[n]o presumptive truthfulness attaches to [the] plaintiff's allegations...." (internal quotation marks omitted) (second alteration in original)). Here, the District Court concluded that Horizon's motion was a facial challenge because it "attack[ed] the sufficiency of the consolidated complaint on the grounds that the pleaded facts d[id] not establish constitutional standing." (App. at 10.) We agree. Because Horizon did not challenge the validity of any of the Plaintiffs' factual claims as part of its motion, it brought only a facial challenge. It argues that the allegations of the Complaint, even accepted as true, are insufficient to establish the Plaintiffs' Article III standing.
In reviewing facial challenges to standing, we apply the same standard as on review of a motion to dismiss under Rule 12(b)(6). See Petruska v. Gannon Univ. , 462 F.3d 294, 299 n.1 (3d Cir. 2006) (noting "that the standard is the same when considering a facial attack under Rule 12(b)(1) or a motion to dismiss for failure to state a claim under Rule 12(b)(6)" (citation omitted)). Consequently, we accept the Plaintiffs' well-pleaded factual allegations as true and draw all reasonable inferences from those allegations in the Plaintiffs' favor. Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). Nevertheless, "[t]hreadbare recitals of the elements of [standing], supported by mere conclusory statements, do not suffice." Id . We disregard such legal conclusions. Santiago v. Warminster Twp. , 629 F.3d 121, 128 (3d Cir. 2010). Thus, "[t]o survive a motion to dismiss [for lack of standing], a complaint must contain sufficient factual matter" that would establish standing if accepted as true. Iqbal , 556 U.S. at 678, 129 S.Ct. 1937 (citing Bell Atl. Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ).
In its 12(b)(6) motion, which is not before us, Horizon questions whether it is bound by FCRA. In particular, Horizon suggests that it is not a "consumer reporting agency" and therefore is not subject to the requirements of FCRA. At oral argument, Horizon also argued that FCRA does not apply when data is stolen rather than voluntarily "furnish[ed]," 15 U.S.C. § 1681a(f). Because we are faced solely with an attack on standing, we do not pass judgment on the merits of those questions. Our decision should not be read as expanding a claimant's rights under FCRA. Rather, we assume for purposes of this appeal that FCRA was violated, as alleged, and analyze standing with that assumption in mind. Likewise, our decision regarding Article III standing does not resolve whether Plaintiffs have suffered compensable damages. Some injuries may be "enough to open the courthouse door" even though they ultimately are not compensable. Doe v. Chao, 540 U.S. 614, 625, 124 S.Ct. 1204, 157 L.Ed.2d 1122 (2004).
There are three well-recognized elements of Article III standing: First, an "injury in fact," or an "invasion of a legally protected interest" that is "concrete and particularized." Lujan v. Defs. of Wildlife , 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). Second, a "causal connection between the injury and the conduct complained of[.]" Id. And third, a likelihood "that the injury will be redressed by a favorable decision." Id. at 561, 112 S.Ct. 2130 (citation and internal quotation marks omitted).
There is no doubt that the Plaintiffs complain of a particularized injury—the disclosure of their own private information. Spokeo, Inc. v Robins, ––– U.S. ––––, 136 S.Ct. 1540, 1548, 194 L.Ed.2d 635 (2016) ("For an injury to be ‘particularized,’ it ‘must affect the plaintiff in a personal and individual way.’ " (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 n.1, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) )).
"In the context of a motion to dismiss, we have held that the [i]njury-in-fact element is not Mount Everest. The contours of the injury-in-fact requirement, while not precisely defined, are very generous, requiring only that claimant allege[ ] some specific, identifiable trifle of injury." Blunt v. Lower Merion Sch. Dist. , 767 F.3d 247, 278 (3d Cir. 2014) (emphasis omitted) (citation and internal quotation marks omitted) (second alteration in original). "At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss we presum[e] that general allegations embrace those specific facts that are necessary to support the claim." Lujan , 504 U.S. at 561, 112 S.Ct. 2130 (citation and internal quotation marks omitted) (alteration in original).
The requirements for standing do not change in the class action context. "[N]amed plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." Lewis v. Casey , 518 U.S. 343, 357, 116 S.Ct. 2174, 135 L.Ed.2d 606 (1996) (citation and internal quotation marks omitted). "[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class." O'Shea v. Littleton , 414 U.S. 488, 494, 94 S.Ct. 669, 38 L.Ed.2d 674 (1974). Accordingly, at least one of the four named Plaintiffs must have Article III standing in order to maintain this class action.
Once Article III standing "is determined vis-à -vis the named parties ... there remains no further separate class standing requirement in the constitutional sense." In re Prudential Ins. Co. Am. Sales Practice Litig. Agent Actions, 148 F.3d 283, 306–07 (3d Cir. 1998) (citations and internal quotation marks omitted). Therefore, "unnamed, putative class members need not establish Article III standing. Instead, the ‘cases or controversies' requirement is satisfied so long as a class representative has standing, whether in the context of a settlement or litigation class." Neale v. Volvo Cars of N. Am., LLC, 794 F.3d 353, 362 (3d Cir. 2015) ; see also 2 William B. Rubenstein, Newberg on Class Actions § 2:8 (5th ed. 2012) ; id. § 2:1 ("Once threshold individual standing by the class representative is met, a proper party to raise a particular issue is before the court; there is no further, separate ‘class action standing’ requirement.").
B. Analysis of the Plaintiffs' Standing
All four of the named Plaintiffs argue that the violation of their statutory rights under FCRA gave rise to a cognizable and concrete injury that satisfies the first element of Article III standing. They claim that the violation of their statutory right to have their personal information secured against unauthorized disclosure constitutes, in and of itself, an injury in fact. The District Court rejected that argument, concluding that standing requires some form of additional, "specific harm," beyond "mere violations of statutory and common law rights[.]" (App. at 15–16.)
In the alternative, the Plaintiffs argue that Horizon's violation of FCRA "placed [them] at an imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud...." (App. at 40.) They say the increased risk constitutes a concrete injury for Article III standing purposes. In their Complaint, they assert that those whose personal information has been stolen are "approximately 9.5 times more likely than the general public to suffer identity fraud or identity theft." (App. at 36.) They go on to note the various ways that identity thieves can inflict injury, such as draining a bank account, filing for a tax refund in another's name, or getting medical treatment using stolen health insurance information. The District Court rejected that argument as well because it found that any future risk of harm necessarily depended on the "conjectural conduct of a third party bandit," and was, therefore, too "attenuated" to sustain standing. (App. at 18.) (relying on Reilly v. Ceridian Corp. , 664 F.3d 38, 42 (3d Cir. 2011) ). We resolve this appeal on the basis of Plaintiffs' first argument and conclude that they have standing due to Horizon's alleged violation of FCRA.
On appeal, Plaintiffs argue that Horizon's offer of free credit monitoring can be taken as proof that Horizon "knows that its conduct has put Plaintiffs and Class Members at a significantly increased risk of identity theft." (Opening Br. at 8.) We agree with Horizon that its offer should not be used against it as a concession or recognition that the Plaintiffs have suffered injury. We share its concern that such a rule would "disincentivize[ ] companies from offering credit or other monitoring services in the wake of a breach." (Answering Br. at 19.) Cf. Fed. R. Evid.407 –08 (excluding admission of evidence of subsequent remedial measures and compromise offers as proof of negligence or culpable conduct).
That the violation of a statute can cause an injury in fact and grant Article III standing is not a new doctrine. The Supreme Court has repeatedly affirmed the ability of Congress to "cast the standing net broadly" and to grant individuals the ability to sue to enforce their statutory rights. Fed. Election Comm'n v. Akins , 524 U.S. 11, 19, 118 S.Ct. 1777, 141 L.Ed.2d 10 (1998) ; see also Warth v. Seldin , 422 U.S. 490, 500, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975) ("The actual or threatened injury required by Art [icle] III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing." (citation, internal quotation marks, and ellipses omitted)); Linda R.S. v. Richard D. , 410 U.S. 614, 617 n.3, 93 S.Ct. 1146, 35 L.Ed.2d 536 (1973) ("Congress may enact statutes creating legal rights, the invasion of which creates standing, even though no injury would exist without the statute."); Havens Realty Corp. v. Coleman , 455 U.S. 363, 373–74, 102 S.Ct. 1114, 71 L.Ed.2d 214 (1982) (explaining that one "who has been the object of a misrepresentation made unlawful under [the statute] has suffered injury in precisely the form the statute was intended to guard against, and therefore has standing to maintain a claim for damages under the Act's provisions").
Many cases focus on the question of whether Congress truly intended to create a private right of action and whether a particular individual was in the "zone of interests" of the statute. But traditionally, once it was clear that Congress intended to create an enforceable right and that an individual falls into the "zone of interests" that individual was found to have standing. See Akins, 524 U.S. at 20, 118 S.Ct. 1777.
Despite those precedents, our pronouncements in this area have not been entirely consistent. In some cases, we have appeared to reject the idea that the violation of a statute can, by itself, cause an injury sufficient for purposes of Article III standing. But we have also accepted the argument, in some circumstances, that the breach of a statute is enough to cause a cognizable injury—even without economic or other tangible harm. Fortunately, a pair of recent cases touching upon this question, specifically in the context of statutes protecting data privacy, provide welcome clarity. Those cases have been decidedly in favor of allowing individuals to sue to remedy violations of their statutory rights, even without additional injury.
For instance, we have observed that "[t]he proper analysis of standing focuses on whether the plaintiff suffered an actual injury, not on whether a statute was violated. Although Congress can expand standing by enacting a law enabling someone to sue on what was already a de facto injury to that person, it cannot confer standing by statute alone." Doe v. Nat'l Bd. of Med. Exam'rs, 199 F.3d 146, 153 (3d Cir. 1999) (holding that a violation of the Americans with Disabilities Act could not, by itself, confer standing without evidence "demonstrating more than a mere possibility" of harm); cf. Fair Hous. Council of Sub. Phila. v. Main Line Times, 141 F.3d 439, 443–44 (3d Cir. 1998) (holding that a government agency could not sue on behalf of third parties injured by discriminatory advertisements because it could not "demonstrate that it has suffered injury in fact" (emphasis removed)).
The Plaintiffs rely heavily upon Alston v. Countrywide Financial Corp., 585 F.3d 753 (3d Cir. 2009). That case involved a consumer class action in which homebuyers sought statutory treble damages under the Real Estate Settlement Procedures Act ("RESPA"). They claimed that their private mortgage insurance premiums were funneled into an unlawful kickback scheme operated by their mortgage lender and its reinsurer, in violation of RESPA. "The thrust of their complaint was that, in enacting and amending [RESPA], Congress bestowed upon the consumer the right to a real estate settlement free from unlawful kickbacks and unearned fees, and Countrywide's invasion of that statutory right, even without a resultant overcharge, was an injury in fact for purposes of Article III standing." Id. at 755. We agreed. We emphasized that the injury need not be monetary in nature to confer standing and that RESPA authorizes suits by those who receive a loan accompanied by a kickback or unlawful referral. Id. at 763. That statutory injury—even where it did not also do any economic harm to the plaintiffs—was sufficient for purposes of Article III standing.
First, in In re Google Inc. Cookie Placement Consumer Privacy Litigation , 806 F.3d 125 (3d Cir. 2015), certain internet users brought an action against internet advertising providers alleging that their placement of so-called "cookies"—i.e. small files with identifying information left by a web server on users' browsers—violated a number of federal and state statutes, including the Stored Communications Act. Id. at 133. The defendants argued that because the users had not suffered economic loss as a result of the violations of the SCA, they did not have standing. Id. at 134. We emphasized that, so long as an injury "affect[s] the plaintiff in a personal and individual way," the plaintiff need not "suffer any particular type of harm to have standing." Id. (citation and internal quotation marks and citation omitted). Instead, "the actual or threatened injury required by Art[icle] III may exist solely by virtue of statutes creating legal rights , the invasion of which creates standing," even absent evidence of actual monetary loss. Id. (citation and internal quotation marks omitted) (emphasis added).
We then reaffirmed Google 's holding in In re Nickelodeon Consumer Privacy Litigation , 827 F.3d 262 (3d Cir. 2016). That case involved a class action in which the plaintiffs alleged that Viacom and Google had unlawfully collected personal information on the Internet, including what webpages the plaintiffs had visited and what videos they watched on Viacom websites. Id. at 267. We addressed the plaintiffs' basis for standing, relying heavily upon our prior analysis in Google , id . at 271–272, saying that, "when it comes to laws that protect privacy, a focus on economic loss is misplaced." Id . at 272–73 (citation and internal quotation marks omitted). Instead, "the unlawful disclosure of legally protected information" constituted "a clear de facto injury." Id. at 274. We noted that "Congress has long provided plaintiffs with the right to seek redress for unauthorized disclosures of information that, in Congress's judgment, ought to remain private." Id.
In light of those two rulings, our path forward in this case is plain. The Plaintiffs here have at least as strong a basis for claiming that they were injured as the plaintiffs had in Google and Nickelodeon .
Again, whether that injury is actionable under FCRA is a different question, one which we are presently assuming (without deciding) has an affirmative answer. See supra note 9.
Horizon nevertheless argues that the Supreme Court's recent decision in Spokeo, Inc. v. Robins , ––– U.S. ––––, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016), compels a different outcome. We disagree. In Spokeo , a consumer sued a website operator for an allegedly willful violation of FCRA for publishing inaccurate information about him. Id. at 1544. The complaint did not include any allegation that the false information was actually used to the plaintiff's detriment. Id. ; Robins v. Spokeo, Inc. , 742 F.3d 409, 411 (9th Cir. 2014). Nonetheless, the United States Court of Appeals for the Ninth Circuit held that the plaintiff had standing because his "personal interests in the handling of his credit information" meant that the harm he suffered was "individualized rather than collective." Robins, 742 F.3d at 413.
The Supreme Court vacated and remanded. 136 S.Ct. at 1550. It highlighted that there are two elements that must be established to prove an injury in fact—concreteness and particularization. Id. at 1545. The Ninth Circuit had relied solely on the "particularization" aspect of the injury-in-fact inquiry and did not address the "concreteness" aspect. Id. The Supreme Court therefore provided guidance as to what constituted a "concrete" injury and remanded to the Ninth Circuit to determine in the first instance whether the harm was concrete. Id.
In laying out its reasoning, the Supreme Court rejected the argument that an injury must be "tangible" in order to be "concrete." Id. at 1549. It noted that many intangible injuries have nevertheless long been understood as cognizable—for instance violations of the right to freedom of speech or the free exercise of religion. Id. It then explained that "both history and the judgment of Congress play important roles" in determining whether "an intangible injury constitutes injury in fact." Id. There are thus two tests for whether an intangible injury can (despite the obvious linguistic contradiction) be "concrete." The first test, the one of history, asks whether "an alleged intangible harm" is closely related "to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American Courts." Id. If so, it is likely to be sufficient to satisfy the injury-in-fact element of standing. Id. But even if an injury was " ‘previously inadequate in law,’ " Congress may elevate it " ‘to the status of [a] legally cognizable injur[y].’ " Id. (quoting Lujan , 504 U.S. at 578, 112 S.Ct. 2130 ). Because "Congress is well positioned to identify intangible harms that meet minimum Article III requirements, its judgment is ... instructive and important." Id. The second test therefore asks whether Congress has expressed an intent to make an injury redressable.
The Supreme Court cautioned, however, that congressional power to elevate intangible harms into concrete injuries is not without limits. A "bare procedural violation, divorced from any concrete harm," is not enough. Id. On the other hand, the Court said, "the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact. In other words, a plaintiff in such a case need not allege any additional harm beyond the one Congress has identified." Id .
Although it is possible to read the Supreme Court's decision in Spokeo as creating a requirement that a plaintiff show a statutory violation has caused a "material risk of harm" before he can bring suit, id . at 1550, we do not believe that the Court so intended to change the traditional standard for the establishment of standing. As we noted in Nickelodeon , "[t]he Supreme Court's recent decision in Spokeo ... does not alter our prior analysis in Google ." Nickelodeon , 827 F.3d at 273 (citation omitted).
Some other courts have interpreted Spokeo in such a manner—most notably the Eighth Circuit. See Braitberg v. Charter Commc'ns, Inc., 836 F.3d 925, 930 (8th Cir. 2016) (concluding that, in light of Spokeo, the improper retention of information under the Cable Communications Policy Act did not provide an injury in fact absent proof of "material risk of harm from the retention"); see also Gubala v. Time Warner Cable, Inc., No. 15–CV–1078–PP, 2016 WL 3390415, at *4 (E.D. Wis. June 17, 2016) (finding that, as a result of Spokeo, the unlawful retention of an individual's personal information under the Cable Communications Policy Act did not constitute a cognizable injury absent a concrete risk of harm).
We reaffirm that conclusion today. Spokeo itself does not state that it is redefining the injury-in-fact requirement. Instead, it reemphasizes that Congress "has the power to define injuries," 136 S.Ct. at 1549 (citation and internal quotation marks omitted), "that were previously inadequate in law." Id. (citation and internal quotation marks omitted). In the absence of any indication to the contrary, we understand that the Spokeo Court meant to reiterate traditional notions of standing, rather than erect any new barriers that might prevent Congress from identifying new causes of action though they may be based on intangible harms. In short, out of a respect for stare decisis , we assume that the law is stable unless there is clear precedent to the contrary. And that means that we do not assume that the Supreme Court has altered the law unless it says so. Cf. Rodriguez de Quijas v. Shearson/Am. Exp., Inc. , 490 U.S. 477, 484, 109 S.Ct. 1917, 104 L.Ed.2d 526 (1989) ("If a precedent of this Court has direct application in a case, yet appears to rest on reasons rejected in some other line of decisions, the Court of Appeals should follow the case which directly controls, leaving to this Court the prerogative of overruling its own decisions.").
Justice Thomas's concurrence also illustrates that Spokeo was merely a restatement of traditional standing principles. In that concurrence, he reiterated that a plaintiff is not required to "assert an actual injury beyond the violation of his personal legal rights to satisfy the ‘injury-in-fact’ requirement." Spokeo, 136 S.Ct. at 1552 (Thomas, J., concurring). Yet Justice Thomas joined the majority opinion in full. And nowhere in his concurrence did he critique the majority for creating a new injury-in-fact requirement.
It is nevertheless clear from Spokeo that there are some circumstances where the mere technical violation of a procedural requirement of a statute cannot, in and of itself, constitute an injury in fact. 136 S.Ct. at 1549 ("Congress' role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right."). Those limiting circumstances are not defined in Spokeo and we have no occasion to consider them now. In some future case, we may be required to consider the full reach of congressional power to elevate a procedural violation into an injury in fact, but this case does not strain that reach.
As we noted in Nickelodeon , "unauthorized disclosures of information" have long been seen as injurious. 827 F.3d at 274 (emphasis added). The common law alone will sometimes protect a person's right to prevent the dissemination of private information. See Restatement (Second) of Torts § 652A (2016) ("One who invades the right of privacy of another is subject to liability for the resulting harm to the interests of the other."); see also Samuel D. Warren & Louis D. Brandeis, The Right to Privacy , 4 Harv. L. Rev. 193, 193 (1890) (advancing the argument for a "right to be let alone"). Indeed, it has been said that "the privacy torts have become well-ensconced in the fabric of American law." David A. Elder, Privacy Torts § 1:1 (2016). And with privacy torts, improper dissemination of information can itself constitute a cognizable injury. Because "[d]amages for a violation of an individual's privacy are a quintessential example of damages that are uncertain and possibly unmeasurable," such causes of action "provide[ ] privacy tort victims with a monetary award calculated without proving actual damages." Pichler v. UNITE , 542 F.3d 380, 399 (3d Cir. 2008) (citation omitted).
We are not suggesting that Horizon's actions would give rise to a cause of action under common law. No common law tort proscribes the release of truthful information that is not harmful to one's reputation or otherwise offensive. But with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm. It created a private right of action to enforce the provisions of FCRA, and even allowed for statutory damages for willful violations—which clearly illustrates that Congress believed that the violation of FCRA causes a concrete harm to consumers. And since the "intangible harm" that FCRA seeks to remedy "has a close relationship to a harm [i.e. invasion of privacy] that has traditionally been regarded as providing a basis for a lawsuit in English or American courts," Spokeo , 136 S.Ct. at 1549, we have no trouble concluding that Congress properly defined an injury that "give[s] rise to a case or controversy where none existed before." Id. (citation and internal quotation marks omitted).
Again, it is Congress's decision to protect personal information from disclosure that "elevates to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law." Lujan, 504 U.S. at 578, 112 S.Ct. 2130 (emphasis in original). That is the focus of our decision today. Nevertheless, we note our disagreement with our concurring colleague's view that "the risk of future harm" in this case "requires too much supposition to satisfy Article III standing." (Concurring Op. at 643 n.5.) The facts of this case suggest that the data breach did create a "material risk of harm." Spokeo, 136 S.Ct. at 1550. The information that was stolen was highly personal and could be used to steal one's identity. Id. (noting that with the "dissemination of an incorrect zip code," it is difficult to see the risk of concrete harm). The theft appears to have been directed towards the acquisition of such personal information. Cf. In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F.Supp.3d 14, 25 (D.D.C. 2014) (concluding that plaintiffs did not suffer an injury in fact as a result of the theft of devices with their personal information when it appeared that the theft was not directed at accessing the personal information). The stolen laptops were unencrypted, meaning that the personal information was easily accessible. Cf. id. (noting that the stolen data had been encrypted which made it unlikely that anyone could access it). And Rindner alleged that he had already been a victim of identity theft as a result of the breach. Cf. Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692–95 (7th Cir. 2015) (concluding that the plaintiff suffered an injury in fact in light of credible evidence that others had experienced identity theft as a result of the same breach). Plaintiffs make a legitimate argument that they face an increased risk of future injury, which at least weighs in favor of standing.
Congress's decision to prohibit unauthorized disclosure of data is something that distinguishes this case from a prior case in which we addressed Article III standing after a data breach. In Reilly v. Ceridian Corp, 664 F.3d 38 (3rd Cir. 2011), we concluded that a security breach that compromised private information held by a payroll processing firm did not cause an injury in fact. In that case, the claims were based solely on the common law and concerned the increased risk of identity theft, the incurred costs, and the emotional distress suffered. See id. at 40. For those common law claims, we held that the plaintiffs did not have standing because their risk of harm was too speculative. See id. at 42. In Reilly, the plaintiffs' claims centered on the future injuries that they expected to suffer as a result of a data breach such as the increased risk of identity theft. Id. at 40. And we concluded that those future injuries were too speculative. Id. at 42. Here, in contrast, the Plaintiffs are not complaining solely of future injuries. Congress has elevated the unauthorized disclosure of information into a tort. And so there is nothing speculative about the harm that Plaintiffs allege.
So the Plaintiffs here do not allege a mere technical or procedural violation of FCRA. They allege instead the unauthorized dissemination of their own private information —the very injury that FCRA is intended to prevent. There is thus a de facto injury that satisfies the concreteness requirement for Article III standing. See In re Nickelodeon , 827 F.3d at 274 (concluding that the "unlawful disclosure of legally protected information" in and of itself constitutes a "de facto injury"). Accordingly, the District Court erred when it dismissed the Plaintiffs' claims for lack of standing.
In this way, the failure to protect data privacy under FCRA is distinguishable from the Fifth Circuit's recent treatment of a violation of the Employee Retirement Income Security Act (ERISA) as a result of improper "plan management." Lee v. Verizon Commc'ns. Inc., 837 F.3d 523, 529 (5th Cir. 2016). In that case, the court concluded that a participant's interest was in his right to "the defined level of benefits" rather than in the procedural protections of the act. Id. at 530 (citation and internal quotation marks omitted). A mere procedural violation, without proof of the diminution of benefits, was not a cognizable Article III injury. Here, the privacy of one's data is a cognizable interest even without consequent harm.
Horizon has expressed concern that a reporting agency could be inundated with lawsuits for a technical breach of FCRA (such as failing to post a required 1–800 number). But in addition to concreteness, a plaintiff must also allege a particularized injury. Here the Plaintiffs are suing on their own behalf with respect to the disclosure of their personal information. See Beaudry v. TeleCheck Servs., Inc., 579 F.3d 702, 707 (6th Cir. 2009) (explaining that FCRA "creates an individual right not to have unlawful practices occur ‘with respect to’ one's own credit information" (citations omitted)). The particularization requirement may impose limits on the ability of consumers to bring suit due to more generalized grievances such as those mentioned by Horizon.
Our conclusion that it was within Congress's discretion to elevate the disclosure of private information into a concrete injury is strengthened by the difficulty that would follow from requiring proof of identity theft or some other tangible injury. "[R]equiring Plaintiffs to wait for the threatened harm to materialize in order to sue would pose a standing problem of its own...." In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197, 1215 n.5 (N.D. Cal. 2014). Namely, the "more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the identity theft is not ‘fairly traceable’ to the defendant's data breach." Id.
The weight of precedent in our sister circuits is to the same effect. See Sterk v. Redbox Automated Retail, LLC, 770 F.3d 618, 623 (7th Cir. 2014) (noting that " ‘technical’ violations of the statute ... are precisely what Congress sought to illegalize" and that therefore tangible harm is not required to confer standing); accord Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692 (7th Cir. 2015) (observing that the alleged harm suffered by the loss of privacy incurred by a data breach "go[es] far beyond the complaint about a website's publication of inaccurate information" in Spokeo ); Beaudry v. TeleCheck Services, Inc., 579 F.3d 702, 707 (6th Cir. 2009) (holding that bare procedural violations of FCRA are sufficient to confer standing); accord Galaria v. Nationwide Mut. Ins. Co., No. 15–3386/3387, 663 Fed.Appx. 384, 387, 2016 WL 4728027, at *3 (6th Cir. Sept. 12, 2016) (concluding that a data breach in violation of FCRA causes a concrete injury—at least when there is proof of a substantial risk of harm); see also Church v. Accretive Health, Inc., 654 Fed.Appx. 990, 993 (11th Cir. 2016) (concluding that a health company's failure to provide required disclosures under the Fair Debt Collections Practices Act caused a concrete injury because Congress had created a right and a remedy in the statute); Robey v. Shapiro, Marianos & Cejda, L.L.C., 434 F.3d 1208, 1211–12 (10th Cir. 2006) (holding that a violation of the Fair Debt Collection Practices Act in the form of an unlawful demand for attorney's fees—even where the fees are not actually paid and so no economic injury was inflicted—is a cognizable injury for Article III standing).
The Plaintiffs also argue that they were injured by systematically overpaying for their Horizon insurance because "Horizon either did not allocate a portion of their premiums to protect their [personal information] or allocated an inadequate portion of the premiums to protect [personal information]." (Opening Br. at 19–20.) Because they have standing under FCRA, we do not reach that purported basis for standing; nor do we address Rindner's alternative argument for standing based on the fraudulent tax return or his denial of credit.
Our precedent and congressional action lead us to conclude that the improper disclosure of one's personal data in violation of FCRA is a cognizable injury for Article III standing purposes. We will therefore vacate the District Court's order of dismissal and remand for further proceedings consistent with this opinion.
SHWARTZ, Circuit Judge, concurring in the judgment.
I agree with my colleagues that Plaintiffs have standing, but I reach this conclusion for different reasons. In short, Plaintiffs allege that the theft of the laptops caused a loss of privacy, which is itself an injury in fact. Thus, regardless of whether a violation of a statute itself constitutes an injury in fact, and mindful that under our precedent, a risk of identity theft or fraud is too speculative to constitute an injury in fact, see Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), Plaintiffs have nonetheless alleged an injury in fact sufficient to give them standing.
As my colleagues have explained, Horizon Healthcare Services provides insurance to individuals in New Jersey. Horizon obtains personally identifiable information ("PII"), including names, dates of birth, and social security numbers, as well as protected health information ("PHI"), such as medical histories and test results, from its insureds. This information is viewed as private and those in possession of it are required to ensure that it is kept secure and used only for proper purposes.
PII and PHI were stored on laptop computers kept at Horizon's Newark, New Jersey headquarters. In January, November, and December 2008, as well as April and November 2013, laptop computers were stolen. The laptop computers stolen in November 2013 were cable-locked to workstations and password-protected, but the contents, which included the PII/PHI of 839,000 people, were not encrypted. Plaintiffs assert this theft places them at risk of future identity theft and fraud, and subjected them to a loss of privacy, in violation of the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. ("FCRA"), and various state laws. The District Court concluded that Plaintiffs lack standing to bring a claim under the FCRA because the pleadings failed to allege any plaintiff suffered an injury in fact.
My colleagues infer that these thefts were committed to obtain the PII/PHI. Maj. Op. at 639 n.19. I would not necessarily draw that inference. Plaintiffs do not allege that any of the 839,000 individuals whose information was stored on the laptop computers, or on the laptop computers taken in the earlier thefts, suffered any loss or that their identities were misused. Given the number of laptop computer thefts, and the absence of any allegation of a loss tied to their contents, it is at least equally reasonable to infer that the laptop computers were taken for their hardware, not their contents. I acknowledge, however, that we are to draw a reasonable inference in Plaintiffs' favor in the context of a facial challenge pursuant to a Rule 12(b)(1) motion. SeePetruska v. Gannon Univ., 462 F.3d 294, 299 n.1 (3d Cir. 2006) ("[T]he standard is the same when considering a facial attack under Rule 12(b)(1) or a motion to dismiss for failure to state a claim under Rule 12(b)(6)."); Mortensen v. First Fed. Sav. & Loan Ass'n, 549 F.2d 884, 891 (3d Cir. 1977) (explaining that Rule 12(b)(6) safeguards apply to facial attacks under Rule 12(b)(1) and provide that plaintiffs' allegations are taken as true and all inferences are drawn in plaintiffs' favor).
The District Court declined to exercise supplemental jurisdiction over the state law claims.
As my colleagues accurately state, there are three elements of Article III standing: (1) injury in fact, or "an invasion of a legally protected interest" that is "concrete and particularized"; (2) traceability, that is a "causal connection between the injury and the conduct complained of"; and (3) redressability, meaning a likelihood "that the injury will be redressed by a favorable decision." Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992).
The injury-in-fact element most often determines standing. See Spokeo, Inc. v. Robins,––– U.S. ––––, 136 S.Ct. 1540, 1547, 194 L.Ed.2d 635 (2016). Such injury must be particularized and concrete. Id. at 1548. "For an injury to be particularized, it must affect the plaintiff in a personal and individual way." Id.(internal quotation marks and citation omitted). To be "concrete," an injury must be "real" as opposed to "abstract," but it need not be "tangible." Id. at 1548–49.
As my colleagues eloquently explain, the Spokeo Court identified two approaches for determining whether an intangible injury is sufficient to constitute an injury in fact. Maj. Op. at 637 (citing Spokeo, 136 S.Ct. at 1549 ). Under the first approach, a court considers history and asks whether the intangible harm is closely related "to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts." Id. at 1549 ; Maj. Op. at 637. If so, "it is likely sufficient to satisfy the injury-in-fact element of standing." Maj. Op. at 637 (citing Spokeo, 136 S.Ct. at 1549 ). Under the second approach, a court considers whether Congress has "expressed an intent to make an injury redressable." Maj. Op. at 637. My colleagues rely on this latter approach, but I rely on the former.
The common law has historically recognized torts based upon invasions of privacy and permitted such claims to proceed even in the absence of proof of actual damages. See, e.g., Pichler v. UNITE, 542 F.3d 380, 399 (3d Cir. 2008) (citing Doe v. Chao, 540 U.S. 614, 621 n.3, 124 S.Ct. 1204, 157 L.Ed.2d 1122 (2004) ); Restatement (Second) Torts § 652A (2016) (stating that "[o]ne who invades the right of privacy of another is subject to liability for the resulting harm to the interest of the other"). While Plaintiffs do not allege that the laptop thieves looked at or used their PII and PHI, Plaintiffs lost their privacy once it got into the hands of those not intended to have it. Cf. United States v. Westinghouse Elec. Corp., 638 F.2d 570, 577 n.5 (3d Cir. 1980) (observing that "[p]rivacy ... is control over knowledge about oneself" (citation omitted)). While this may or may not be sufficient to state a claim for relief under Fed. R. Civ. P. 12(b)(6), Maj. Op. at 639, the intangible harm from the loss of privacy appears to have sufficient historical roots to satisfy the requirement that Plaintiffs have alleged a sufficiently concrete harm for standing purposes.
Our Court has embraced the view that an invasion of privacy provides a basis for standing. In In re Google Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016), Google and Nickelodeon were alleged to have invaded the plaintiffs' privacy by placing cookies into the plaintiffs' computers, which allowed the companies to monitor the plaintiffs' computer activities. In these cases, the injury was invasion of privacy and not economic loss, and thus the standing analysis focused on a loss of privacy. In re Nickelodeon, 827 F.3d at 272–73 ; In re Google, 806 F.3d at 134. Although the perpetrators of the invasion of privacy here are the laptop thieves and in Google and Nickelodeon the invaders were the defendants themselves, the injury was the same: a loss of privacy. Thus, those cases provide a basis for concluding Plaintiffs here have suffered an injury in fact based on the loss of privacy.
My colleagues view In re Google Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016), as providing a basis for Plaintiffs to assert that a violation of the FCRA, without any resulting harm, satisfies the injury-in-fact requirement. I do not rely on the possible existence of a statutory violation as the basis for standing, and am not persuaded that these cases support that particular point.
I also conclude that Plaintiffs have sufficiently alleged that the injury was traceable, in part, to the failure to encrypt the data, and am satisfied that if proven, the injury could be redressable.
While I have concluded that Plaintiffs have alleged an injury in fact by asserting that they sustained a loss of privacy, the other grounds that Plaintiffs rely upon are unavailing. Although this is not necessary for my analysis, I offer these observations to help explain the types of "injuries" that are not sufficient to provide standing in the context of data thefts. First, under our precedent, the increased risk of identity theft or fraud due to a data breach, without more, does not establish the kind of imminent or substantial risk required to establish standing. See Reilly, 664 F.3d at 42. Like in Reilly, the feared economic injury here depends on a speculative chain of events beginning with an assumption that the thief knew or discovered that the laptop contained valuable information, that the thief was able to access the data despite the password protection, and that the thief opted to use the data maliciously. See Reilly, 664 F.3d at 42 ; see also Clapper v. Amnesty Int'l USA, ––– U.S. ––––, 133 S.Ct. 1138, 1150 n.5, 185 L.Ed.2d 264 (2013). Second, Reilly and Clapper have rejected Plaintiffs' assertion that standing exists because they expended time and money to monitor for misuse of their information. The Clapper Court reasoned that a plaintiff cannot "manufacture" standing by choosing to undertake burdens or "make expenditures" based on a "hypothetical future harm" that does not itself qualify as an injury in fact. Clapper, 133 S.Ct. at 1050–51 ; see also Reilly, 664 F.3d at 46 (rejecting a claim for standing based upon "expenditures to monitor their financial information ... because costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased risk of injury’ which forms the basis for Appellants' claims"). The Supreme Court observed that to conclude otherwise would have problematic implications, as "an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear." Clapper, 133 S.Ct. at 1151. Third, courts have rejected claims of standing based on assertions that plaintiffs suffered economic harm by paying insurance premiums that allegedly included additional fees for measures to secure PII/PHI, but such measures were not implemented. See, e.g., Remijas v. Neiman Marcus, 794 F.3d 688, 694–95 (7th Cir. 2015) (describing this type of overpayment theory as "problematic" and suggesting that such a theory is limited to the products liability context); Katz v. Pershing, LLC, 672 F.3d 64, 77–78 (1st Cir. 2012) (holding that the "bare hypothesis" that brokerage fees were artificially inflated to cover security measures was implausible); In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F.Supp.3d 14, 30 (D.D.C. 2014) (rejecting the overpayment theory since the plaintiffs had paid for health insurance and did not allege that they were denied such coverage or services). Accordingly, none of these grounds provides a basis for standing in a data theft case like we have here.
As noted earlier, my colleagues rely on the second approach, finding standing based upon a statutory violation. The alleged statutory violation here, however, creates only an increased risk of future harm. Although Spokeosays that a violation of a statute can provide standing, Spokeo, 136 S.Ct. at 1549–50, standing still requires a showing of a concrete, particularized, nonspeculative injury in fact and, under Reilly, the link between the theft here and the risk of future harm requires too much supposition to satisfy Article III standing, Reilly, 664 F.3d at 42 ; see alsoClapper, 133 S.Ct. at 1148–50.
Plaintiffs also assert in a conclusory fashion that, "as a result of the Data Breach," plaintiff Mitchell Rindner was the victim of identity theft. While Plaintiffs allege that a false tax return was submitted to the Internal Revenue Service bearing Mr. Rindner's and his wife's names, and that someone used his credit card, the factual allegations do not show that these events were tied to theft. First, the Amended Complaint does not allege that any of Mrs. Rindner's PII/PHI was included in the stolen data. Second, there is no allegation that the stolen data contained Mr. Rindner's credit card information. This leads to "[t]he inescapable conclusion ... that [Rindner] has been subjected to another ... data breach involving his financial ... records." In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F.Supp.3d 14, 32 (D.D.C. 2014). Because Plaintiffs do not plausibly plead that this injury was "fairly traceable" to Horizon's alleged failure to adequately guard Plaintiffs' data, this particular injury fails to provide standing for a claim against Horizon. SeeLujan, 504 U.S. at 560–61, 112 S.Ct. 2130.
Plaintiffs identify two cases to support their overpayment theory: Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012), and In re Insurance Brokerage Antitrust Litigation,579 F.3d 241, 264 (3d Cir. 2009). Neither supports their position. Resnick's endorsement of an overpayment theory occurred only in the context of a Fed. R. Civ. P. 12(b)(6) motion to dismiss the claim for unjust enrichment, and was not used to support standing. 698 F.3d at 1323. In re Insurance Brokerageinvolved a kickback scheme that artificially inflated premiums. 579 F.3d at 264. Here, Plaintiffs do not allege that the premiums they paid were artificially inflated because funds that were to be used for securing their data were not used for that purpose, nor do they allege that their premiums would otherwise have been cheaper.
For these reasons, I concur in the judgment.