PRECEDENTIAL
UNITED STATES COURT OF APPEALS
FOR THE THIRD CIRCUIT
_____________
No. 15-2309
_____________
In Re: HORIZON HEALTHCARE SERVICES INC. DATA
BREACH LITIGATION
Courtney Diana; Mark Meisel; Karen Pekelney;
Mitchell Rindner,
Appellants
_______________
On Appeal from the United States District Court
for the District of New Jersey
(D.N.J. No. 2-13-cv-07418)
District Judge: Honorable Claire C. Cecchi
_______________
Argued: July 12, 2016
Before: JORDAN, VANASKIE, and SHWARTZ, Circuit
Judges.
(Filed: January 20, 2017)
_______________
Ben Barnow
Erich P. Schork [ARGUED]
Barnow & Associates, P.C.
One North LaSalle Street, Suite 4600
Chicago, IL 60602
Joseph J. DePalma
Jeffrey A. Shooman
Lite DePalma Greenberg, LLC
570 Broad Street, Suite 1201
Newark, NJ 07102
Robert N. Kaplan
David A. Straite
Kaplan Fox & Kilsheimer LLP
850 Third Avenue, 14th Floor
New York, NY 10022
Laurence D. King
Kaplan Fox & Kilsheimer LLP
350 Sansome Street, Suite 400
San Francisco, CA 94104
Philip A. Tortoreti
Wilentz, Goldman & Spitzer, PA
90 Woodbridge Center Drive, Suite 900
Woodbridge, NJ 07095
Counsel for Appellants
2
Kenneth L. Chernof [ARGUED]
Arthur Luk
Arnold & Porter LLP
601 Massachusetts Avenue, NW
Washington, DC 20001
David Jay
Philip R. Sellinger
Greenberg Traurig
500 Campus Drive, Suite 400
Florham Park, NJ 07932
Counsel for Appellee
_______________
OPINION
_______________
JORDAN, Circuit Judge.
The dispute at the bottom of this putative class action
began when two laptops, containing sensitive personal
information, were stolen from health insurer Horizon
Healthcare Services, Inc. The four named Plaintiffs filed suit
on behalf of themselves and other Horizon customers whose
personal information was stored on those laptops. They
allege willful and negligent violations of the Fair Credit
Reporting Act (“FCRA”), 15 U.S.C. § 1681, et seq., as well
as numerous violations of state law. Essentially, they say that
Horizon inadequately protected their personal information.
The District Court dismissed the suit under Federal Rule of
Civil Procedure 12(b)(1) for lack of Article III standing.
According to the Court, none of the Plaintiffs had claimed a
cognizable injury because, although their personal
3
information had been stolen, none of them had adequately
alleged that the information was actually used to their
detriment.
We will vacate and remand. In light of the
congressional decision to create a remedy for the
unauthorized transfer of personal information, a violation of
FCRA gives rise to an injury sufficient for Article III standing
purposes. Even without evidence that the Plaintiffs’
information was in fact used improperly, the alleged
disclosure of their personal information created a de facto
injury. Accordingly, all of the Plaintiffs suffered a cognizable
injury, and the Complaint should not have been dismissed
under Rule 12(b)(1).
I. BACKGROUND
A. Factual Background1
Horizon Healthcare Services, Inc., d/b/a Horizon Blue
Cross Blue Shield of New Jersey (“Horizon”) is a New
Jersey-based company that provides health insurance
products and services to approximately 3.7 million members.
In the regular course of its business, Horizon collects and
maintains personally identifiable information (e.g., names,
1
Because this is an appeal from the District Court’s
grant of a motion to dismiss, we recite the facts as alleged and
make all reasonable inferences in the Plaintiffs’ favor.
Oshiver v. Levin, Fishbein, Sedran & Berman, 38 F.3d 1380,
1384 (3d Cir. 1994).
4
dates of birth, social security numbers, and addresses) and
protected health information (e.g., demographic information,
medical histories, test and lab results, insurance information,
and other care-related data) on its customers and potential
customers. The named Plaintiffs – Courtney Diana, Mark
Meisel, Karen Pekelney, and Mitchell Rindner2 – and other
class members are or were participants in, or as Horizon puts
it, members of Horizon insurance plans. They entrusted
Horizon with their personal information.3
Horizon’s privacy policy states that the company
“maintain[s] appropriate administrative, technical and
physical safeguards to reasonably protect [members’] Private
2
Only Diana was listed as a named Plaintiff in the
original complaint. Plaintiffs Pekelney and Meisel filed a
separate putative class action complaint on January 28, 2014.
Pekelney and Meisel then filed a motion to consolidate the
cases on February 10, 2014. Horizon joined the motion. The
cases were consolidated and Rindner was later added as a
Plaintiff in the amended complaint. We will refer to the
amended complaint as “the Complaint.”
3
The Complaint identifies the class members as: “All
persons whose personal identifying information (PII) or
protected health information (PHI) were contained on the
computers stolen from Horizon’s Newark, New Jersey office
on or about November 1-3, 2013.” (App. at 44.) For ease of
reference, we will refer to “personally identifiable
information” and “protected health information” – a
distinction made by the Complaint – together as “personal
information.”
5
Information.” (App. at 29.) The policy also provides that,
any time Horizon relies on a third party to perform a business
service using personal information, it requires the third party
to “safeguard [members’] Private Information” and “agree to
use it only as required to perform its functions for [Horizon]
and as otherwise permitted by … contract and the law.”
(App. at 29.) Through the policy, Horizon pledges to “notify
[members of its insurance plans] without unreasonable delay”
of any breach of privacy. (App. at 29.)
During the weekend of November 1st to 3rd, 2013,
two laptop computers containing the unencrypted personal
information of the named Plaintiffs and more than 839,000
other Horizon members were stolen from Horizon’s
headquarters in Newark, New Jersey. The Complaint alleges
that “[t]he facts surrounding the Data Breach demonstrate that
the stolen laptop computers were targeted due to the storage
of Plaintiffs’ and Class Members’ highly sensitive and private
[personal information] on them.” (App. at 32.) Horizon
discovered the theft the following Monday, and notified the
Newark Police Department that day. It alerted potentially
affected members by letter and a press release a month later,
on December 6. The press release concerning the incident
noted that the computers “may have contained files with
differing amounts of member information, including name
and demographic information (e.g., address, member
identification number, date of birth), and in some instances, a
Social Security number and/or limited clinical information.”
(App. at 33.)
Horizon offered one year of credit monitoring and
identity theft protection services to those affected, which the
Plaintiffs allege was inadequate to remedy the effects of the
6
data breach. At a January 2014 New Jersey Senate hearing,
“Horizon confirmed that it had not encrypted all of its
computers that contained [personal information].” (App. at
35.) Thereafter, “Horizon allegedly established safeguards to
prevent a similar incident in the future—including tougher
policies and stronger encryption processes that could have
been implemented prior to the Data Breach and prevented it.”
(App. at 35.)
Some personal history about the named Plaintiffs is
included in the Complaint. Diana, Meisel, and Pekelney are
all citizens and residents of New Jersey who were Horizon
members who received letters from Horizon indicating that
their personal information was on the stolen laptops. The
Complaint does not include any allegation that their identities
were stolen as a result of the data breach. Plaintiff Rindner is
a citizen and resident of New York. He was a Horizon
member but was not initially notified of the data breach.
After Rindner contacted Horizon in February 2014, the
company confirmed that his personal information was on the
stolen computers. The Plaintiffs allege that, “[a]s a result of
the Data Breach, a thief or thieves submitted to the [IRS] a
fraudulent Income Tax Return for 2013 in Rindner’s and his
wife’s names and stole their 2013 income tax refund.” (App.
at 27.) Rindner eventually did receive the refund, but “spent
time working with the IRS and law enforcement … to remedy
the effects” of the fraud, “incurred other out-of-pocket
expenses to remedy the identity theft[,]” and was “damaged
financially by the related delay in receiving his tax refund.”
(App. at 27, 41.) After that fraudulent tax return, someone
also fraudulently attempted to use Rindner’s credit card
number in an online transaction. Rindner was also “recently
7
denied retail credit because his social security number has
been associated with identity theft.” (App. at 27.)
B. Procedural Background
The Plaintiffs filed suit on June 27, 2014. Count I of
the Complaint claims that Horizon committed a willful
violation of FCRA; Count II alleges a negligent violation of
FCRA; and the remaining counts allege various violations of
state law.4 FCRA was enacted in 1970 “to ensure fair and
accurate credit reporting, promote efficiency in the banking
system, and protect consumer privacy.” Safeco Ins. Co. of
Am. v. Burr, 551 U.S. 47, 52 (2007). With respect to
consumer privacy, the statute imposes certain requirements
on any “consumer reporting agency” that “regularly ...
assembl[es] or evaluat[es] consumer credit information ... for
the purpose of furnishing consumer reports to third parties.”
15 U.S.C. § 1681a(f). Any such agency that either willfully
4
In particular, Count III alleges negligence; Count IV
alleges breach of contract; Count V alleges an invasion of
privacy; Count VI alleges unjust enrichment; Count VII
alleges a violation of the New Jersey Consumer Fraud Act;
Count VIII alleges a failure to destroy certain records, in
violation of N.J.S.A. § 56:8-162; Count IX alleges a failure to
promptly notify customers following the security breach, in
violation of the New Jersey Consumer Fraud Act; and Count
X alleges a violation of the Truth-in-Consumer Contract,
Warranty and Notice Act. In their response to Horizon’s
motion to dismiss, the Plaintiffs consented to the dismissal of
Count X without prejudice.
8
or negligently “fails to comply with any requirement imposed
under [FCRA] with respect to any consumer is liable to that
consumer.” Id. §§ 1681n(a) (willful violations); 1681o(a)
(negligent violations).
In their Complaint, the Plaintiffs assert that Horizon is
a consumer reporting agency and that it violated FCRA in
several respects. They say that Horizon “furnish[ed]” their
information in an unauthorized fashion by allowing it to fall
into the hands of thieves. (App. at 48.) They also allege that
Horizon fell short of its FCRA responsibility to adopt
reasonable procedures5 to keep sensitive information
confidential.6 According to the Plaintiffs, Horizon’s failure to
5
15 U.S.C. § 1681(b) states:
Reasonable procedures [-] It is the purpose of
this subchapter to require that consumer
reporting agencies adopt reasonable procedures
for meeting the needs of commerce for
consumer credit, personnel, insurance, and other
information in a manner which is fair and
equitable to the consumer, with regard to the
confidentiality, accuracy, relevancy, and proper
utilization of such information in accordance
with the requirements of this subchapter.
6
“In addition to properly securing and monitoring the
stolen laptop computers and encrypting Plaintiffs’ and Class
Members’ [personal information] on the computers,” Horizon
should have – according to the Complaint – conducted
periodic risk assessments to identify vulnerabilities,
9
protect their personal information violated the company’s
responsibility under FCRA to maintain the confidentiality of
their personal information.7
The Plaintiffs seek statutory,8 actual, and punitive
damages, an injunction to prevent Horizon from continuing to
developed information security performance metrics, and
taken steps to monitor and secure the room and areas where
the laptops were stored. (App. at 48-49.) Therefore, say the
Plaintiffs, “Horizon failed to take reasonable and appropriate
measures to secure the stolen laptop computers and safeguard
and protect Plaintiffs’ and Class Members’ [personal
information].” (App. at 49.)
7
Section 1681a(d)(3) of title 15 of the U.S. Code
imposes a restriction, with certain exceptions, on the sharing
of medical information with any persons not related by
common ownership or affiliated by corporate control.
Section 1681b(g)(1) states that “[a] consumer reporting
agency shall not furnish for employment purposes, or in
connection with a credit or insurance transaction, a consumer
report that contains medical information … about a
consumer,” with certain limited exceptions.
Section 1681c(a)(6) states that a consumer reporting agency
cannot, with limited exceptions, make a consumer report
containing “[t]he name, address, and telephone number of any
medical information furnisher that has notified the agency of
its status … .”
8
FCRA permits statutory damages, but only for willful
violations. See 15 U.S.C. § 1681n(a) (“Any person who
10
store personal information in an unencrypted manner,
reimbursement for ascertainable losses, pre- and post-
judgment interest, attorneys’ fees and costs, and “such other
and further relief as this Court may deem just and proper.”
(App. at 64.)
Horizon moved to dismiss the Complaint for lack of
subject matter jurisdiction under Federal Rule of Civil
Procedure 12(b)(1) and for failure to state a claim upon which
relief can be granted under Rule 12(b)(6). The District Court
granted dismissal under Rule 12(b)(1), ruling that the
Plaintiffs lack Article III standing. The Court concluded that,
even taking the Plaintiffs’ allegations as true, they did not
have standing because they had not suffered a cognizable
injury. Because the Court granted Horizon’s Rule 12(b)(1)
motion, it did not address Horizon’s Rule 12(b)(6) arguments
and declined to exercise supplemental jurisdiction over the
remaining state law claims.
The Plaintiffs filed this timely appeal.
willfully fails to comply with any requirement imposed under
this subchapter with respect to any consumer is liable to that
consumer in an amount equal to the sum of … any actual
damages sustained by the consumer as a result of the failure
or damages of not less than $100 and not more than $1,000 …
.”).
11
II. DISCUSSION
A. Jurisdiction and Standard of Review
The District Court exercised jurisdiction over the
Plaintiffs’ FCRA claims pursuant to 28 U.S.C. § 1331, though
it ultimately concluded that it did not have jurisdiction due to
the lack of standing. Having decided that the Plaintiffs did
not have standing under FCRA, the District Court also
concluded that it “lack[ed] discretion to retain supplemental
jurisdiction over the state law claims” under 28 U.S.C.
§ 1367. (App. at 23 (citation omitted).) See Storino v.
Borough of Pleasant Beach, 322 F.3d 293, 299 (3d Cir. 2003)
(holding that “because the [plaintiffs] lack standing, the
District Court lacked original jurisdiction over the federal
claim, and it therefore could not exercise supplemental
jurisdiction”). We exercise appellate jurisdiction pursuant to
28 U.S.C. § 1291.
Our review of the District Court’s dismissal of a
complaint pursuant to Federal Rule of Civil Procedure
12(b)(1) is de novo. United States ex rel. Atkinson v. Pa.
Shipbuilding Co., 473 F.3d 506, 514 (3d Cir. 2007). Two
types of challenges can be made under Rule 12(b)(1) – “either
a facial or a factual attack.” Davis v. Wells Fargo, 824 F.3d
333, 346 (3d Cir. 2016). That distinction is significant
because, among other things, it determines whether we accept
as true the non-moving party’s facts as alleged in its
pleadings. Id. (noting that with a factual challenge, “[n]o
presumptive truthfulness attaches to [the] plaintiff’s
allegations … .” (internal quotation marks omitted) (second
alteration in original)). Here, the District Court concluded
12
that Horizon’s motion was a facial challenge because it
“attack[ed] the sufficiency of the consolidated complaint on
the grounds that the pleaded facts d[id] not establish
constitutional standing.” (App. at 10.) We agree. Because
Horizon did not challenge the validity of any of the Plaintiffs’
factual claims as part of its motion, it brought only a facial
challenge. It argues that the allegations of the Complaint,
even accepted as true, are insufficient to establish the
Plaintiffs’ Article III standing.
In reviewing facial challenges to standing, we apply
the same standard as on review of a motion to dismiss under
Rule 12(b)(6). See Petruska v. Gannon Univ., 462 F.3d 294,
299 n.1 (3d Cir. 2006) (noting “that the standard is the same
when considering a facial attack under Rule 12(b)(1) or a
motion to dismiss for failure to state a claim under Rule
12(b)(6)” (citation omitted)). Consequently, we accept the
Plaintiffs’ well-pleaded factual allegations as true and draw
all reasonable inferences from those allegations in the
Plaintiffs’ favor.9 Ashcroft v. Iqbal, 556 U.S. 662, 678
9
In its 12(b)(6) motion, which is not before us,
Horizon questions whether it is bound by FCRA. In
particular, Horizon suggests that it is not a “consumer
reporting agency” and therefore is not subject to the
requirements of FCRA. At oral argument, Horizon also
argued that FCRA does not apply when data is stolen rather
than voluntarily “furnish[ed],” 15 U.S.C. § 1681a(f).
Because we are faced solely with an attack on standing, we
do not pass judgment on the merits of those questions. Our
decision should not be read as expanding a claimant’s rights
under FCRA. Rather, we assume for purposes of this appeal
13
(2009). Nevertheless, “[t]hreadbare recitals of the elements
of [standing], supported by mere conclusory statements, do
not suffice.” Id. We disregard such legal conclusions.
Santiago v. Warminster Twp., 629 F.3d 121, 128 (3d Cir.
2010). Thus, “[t]o survive a motion to dismiss [for lack of
standing], a complaint must contain sufficient factual matter”
that would establish standing if accepted as true. Iqbal, 556
U.S. at 678 (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544,
570 (2007)).
There are three well-recognized elements of Article III
standing: First, an “injury in fact,” or an “invasion of a
legally protected interest” that is “concrete and
particularized.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560
(1992). Second, a “causal connection between the injury and
the conduct complained of[.]” Id. And third, a likelihood
“that the injury will be redressed by a favorable decision.” Id.
at 561 (citation and internal quotation marks omitted).
This appeal centers entirely on the injury-in-fact
element of standing – more specifically, on the concreteness
requirement of that element.10
that FCRA was violated, as alleged, and analyze standing
with that assumption in mind. Likewise, our decision
regarding Article III standing does not resolve whether
Plaintiffs have suffered compensable damages. Some injuries
may be “enough to open the courthouse door” even though
they ultimately are not compensable. Doe v. Chao, 540 U.S.
614, 625 (2004).
10
There is no doubt that the Plaintiffs complain of a
particularized injury – the disclosure of their own private
14
“In the context of a motion to dismiss, we have held
that the [i]njury-in-fact element is not Mount Everest. The
contours of the injury-in-fact requirement, while not precisely
defined, are very generous, requiring only that claimant
allege[ ] some specific, identifiable trifle of injury.” Blunt v.
Lower Merion Sch. Dist., 767 F.3d 247, 278 (3d Cir. 2014)
(emphasis omitted) (citation and internal quotation marks
omitted) (second alteration in original). “At the pleading
stage, general factual allegations of injury resulting from the
defendant’s conduct may suffice, for on a motion to dismiss
we presum[e] that general allegations embrace those specific
facts that are necessary to support the claim.” Lujan, 504
U.S. at 561 (citation and internal quotation marks omitted)
(alteration in original).
The requirements for standing do not change in the
class action context. “[N]amed plaintiffs who represent a
class must allege and show that they personally have been
injured, not that injury has been suffered by other,
unidentified members of the class to which they belong and
which they purport to represent.” Lewis v. Casey, 518 U.S.
343, 357 (1996) (citation and internal quotation marks
omitted). “[I]f none of the named plaintiffs purporting to
represent a class establishes the requisite of a case or
controversy with the defendants, none may seek relief on
information. Spokeo, Inc. v Robins, 136 S. Ct. 1540, 1548
(2016) (“For an injury to be ‘particularized,’ it ‘must affect
the plaintiff in a personal and individual way.’” (quoting
Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 n.1. (1992))).
15
behalf of himself or any other member of the class.” O’Shea
v. Littleton, 414 U.S. 488, 494 (1974).11 Accordingly, at least
one of the four named Plaintiffs must have Article III
standing in order to maintain this class action.
B. Analysis of the Plaintiffs’ Standing
All four of the named Plaintiffs argue that the violation
of their statutory rights under FCRA gave rise to a cognizable
and concrete injury that satisfies the first element of Article
III standing. They claim that the violation of their statutory
right to have their personal information secured against
unauthorized disclosure constitutes, in and of itself, an injury
in fact. The District Court rejected that argument, concluding
that standing requires some form of additional, “specific
11
Once Article III standing “is determined vis-à-vis
the named parties … there remains no further separate class
standing requirement in the constitutional sense.” In re
Prudential Ins. Co. Am. Sales Practice Litig. Agent Actions,
148 F.3d 283, 306-07 (3d Cir. 1998) (citations and internal
quotation marks omitted). Therefore, “unnamed, putative
class members need not establish Article III standing.
Instead, the ‘cases or controversies’ requirement is satisfied
so long as a class representative has standing, whether in the
context of a settlement or litigation class.” Neale v. Volvo
Cars of N. Am., LLC, 794 F.3d 353, 362 (3d Cir. 2015); see
also 2 William B. Rubenstein, Newberg on Class Actions
§ 2:8 (5th ed. 2012); id. § 2:1 (“Once threshold individual
standing by the class representative is met, a proper party to
raise a particular issue is before the court; there is no further,
separate ‘class action standing’ requirement.”).
16
harm,” beyond “mere violations of statutory and common law
rights[.]” (App. at 15-16.)
In the alternative, the Plaintiffs argue that Horizon’s
violation of FCRA “placed [them] at an imminent,
immediate, and continuing increased risk of harm from
identity theft, identity fraud, and medical fraud … .” (App. at
40.) They say the increased risk constitutes a concrete injury
for Article III standing purposes. In their Complaint, they
assert that those whose personal information has been stolen
are “approximately 9.5 times more likely than the general
public to suffer identity fraud or identity theft.” (App. at 36.)
They go on to note the various ways that identity thieves can
inflict injury, such as draining a bank account, filing for a tax
refund in another’s name, or getting medical treatment using
stolen health insurance information. The District Court
rejected that argument as well because it found that any future
risk of harm necessarily depended on the “conjectural
conduct of a third party bandit,” and was, therefore, too
“attenuated” to sustain standing. (App. at 18.) (relying on
Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011)).12
12
On appeal, Plaintiffs argue that Horizon’s offer of
free credit monitoring can be taken as proof that Horizon
“knows that its conduct has put Plaintiffs and Class Members
at a significantly increased risk of identity theft.” (Opening
Br. at 8.) We agree with Horizon that its offer should not be
used against it as a concession or recognition that the
Plaintiffs have suffered injury. We share its concern that such
a rule would “disincentivize[] companies from offering credit
or other monitoring services in the wake of a breach.”
(Answering Br. at 19.) Cf. FED. R. EVID. 407-08 (excluding
17
We resolve this appeal on the basis of Plaintiffs’ first
argument and conclude that they have standing due to
Horizon’s alleged violation of FCRA.
That the violation of a statute can cause an injury in
fact and grant Article III standing is not a new doctrine. The
Supreme Court has repeatedly affirmed the ability of
Congress to “cast the standing net broadly” and to grant
individuals the ability to sue to enforce their statutory rights.
Fed. Election Comm’n v. Akins, 524 U.S. 11, 19 (1998);13 see
also Warth v. Seldin, 422 U.S. 490, 500 (1975) (“The actual
or threatened injury required by Art[icle] III may exist solely
by virtue of statutes creating legal rights, the invasion of
which creates standing.” (citation, internal quotation marks,
and ellipses omitted)); Linda R.S. v. Richard D., 410 U.S.
614, 617 n.3 (1973) (“Congress may enact statutes creating
legal rights, the invasion of which creates standing, even
though no injury would exist without the statute.”); Havens
Realty Corp. v. Coleman, 455 U.S. 363, 373-74 (1982)
admission of evidence of subsequent remedial measures and
compromise offers as proof of negligence or culpable
conduct).
13
Many cases focus on the question of whether
Congress truly intended to create a private right of action and
whether a particular individual was in the “zone of interests”
of the statute. But traditionally, once it was clear that
Congress intended to create an enforceable right and that an
individual falls into the“zone of interests” that individual was
found to have standing. See Akins, 524 U.S. at 20.
18
(explaining that one “who has been the object of a
misrepresentation made unlawful under [the statute] has
suffered injury in precisely the form the statute was intended
to guard against, and therefore has standing to maintain a
claim for damages under the Act’s provisions”).
Despite those precedents, our pronouncements in this
area have not been entirely consistent. In some cases, we
have appeared to reject the idea that the violation of a statute
can, by itself, cause an injury sufficient for purposes of
Article III standing.14 But we have also accepted the
argument, in some circumstances, that the breach of a statute
14
For instance, we have observed that “[t]he proper
analysis of standing focuses on whether the plaintiff suffered
an actual injury, not on whether a statute was violated.
Although Congress can expand standing by enacting a law
enabling someone to sue on what was already a de facto
injury to that person, it cannot confer standing by statute
alone.” Doe v. Nat’l Bd. of Med. Exam’rs, 199 F.3d 146, 153
(3d Cir. 1999) (holding that a violation of the Americans with
Disabilities Act could not, by itself, confer standing without
evidence “demonstrating more than a mere possibility” of
harm); cf. Fair Hous. Council of Sub. Phila. v. Main Line
Times, 141 F.3d 439, 443-44 (3d Cir. 1998) (holding that a
government agency could not sue on behalf of third parties
injured by discriminatory advertisements because it could not
“demonstrate that it has suffered injury in fact” (emphasis
removed)).
19
is enough to cause a cognizable injury – even without
economic or other tangible harm.15
Fortunately, a pair of recent cases touching upon this
question, specifically in the context of statutes protecting data
privacy, provide welcome clarity. Those cases have been
decidedly in favor of allowing individuals to sue to remedy
violations of their statutory rights, even without additional
injury.
15
The Plaintiffs rely heavily upon Alston v.
Countrywide Financial Corp., 585 F.3d 753 (3d Cir. 2009).
That case involved a consumer class action in which
homebuyers sought statutory treble damages under the Real
Estate Settlement Procedures Act (“RESPA”). They claimed
that their private mortgage insurance premiums were funneled
into an unlawful kickback scheme operated by their mortgage
lender and its reinsurer, in violation of RESPA. “The thrust
of their complaint was that, in enacting and amending
[RESPA], Congress bestowed upon the consumer the right to
a real estate settlement free from unlawful kickbacks and
unearned fees, and Countrywide’s invasion of that statutory
right, even without a resultant overcharge, was an injury in
fact for purposes of Article III standing.” Id. at 755. We
agreed. We emphasized that the injury need not be monetary
in nature to confer standing and that RESPA authorizes suits
by those who receive a loan accompanied by a kickback or
unlawful referral. Id. at 763. That statutory injury – even
where it did not also do any economic harm to the plaintiffs –
was sufficient for purposes of Article III standing.
20
First, in In re Google Inc. Cookie Placement
Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015),
certain internet users brought an action against internet
advertising providers alleging that their placement of so-
called “cookies” – i.e. small files with identifying information
left by a web server on users’ browsers – violated a number
of federal and state statutes, including the Stored
Communications Act. Id. at 133. The defendants argued that
because the users had not suffered economic loss as a result
of the violations of the SCA, they did not have standing. Id.
at 134. We emphasized that, so long as an injury “affect[s]
the plaintiff in a personal and individual way,” the plaintiff
need not “suffer any particular type of harm to have
standing.” Id. (citation and internal quotation marks and
citation omitted). Instead, “the actual or threatened injury
required by Art[icle] III may exist solely by virtue of statutes
creating legal rights, the invasion of which creates standing,”
even absent evidence of actual monetary loss. Id. (citation
and internal quotation marks omitted) (emphasis added).
We then reaffirmed Google’s holding in In re
Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d
Cir. 2016). That case involved a class action in which the
plaintiffs alleged that Viacom and Google had unlawfully
collected personal information on the Internet, including what
webpages the plaintiffs had visited and what videos they
watched on Viacom websites. Id. at 267. We addressed the
plaintiffs’ basis for standing, relying heavily upon our prior
analysis in Google, id. at 271-272, saying that, “when it
comes to laws that protect privacy, a focus on economic loss
is misplaced.” Id. at 272-73 (citation and internal quotation
marks omitted). Instead, “the unlawful disclosure of legally
protected information” constituted “a clear de facto injury.”
21
Id. at 274. We noted that “Congress has long provided
plaintiffs with the right to seek redress for unauthorized
disclosures of information that, in Congress’s judgment,
ought to remain private.” Id.
In light of those two rulings, our path forward in this
case is plain. The Plaintiffs here have at least as strong a
basis for claiming that they were injured as the plaintiffs had
in Google and Nickelodeon.16
Horizon nevertheless argues that the Supreme Court’s
recent decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540
(2016), compels a different outcome. We disagree. In
Spokeo, a consumer sued a website operator for an allegedly
willful violation of FCRA for publishing inaccurate
information about him. Id. at 1544. The complaint did not
include any allegation that the false information was actually
used to the plaintiff’s detriment. Id.; Robins v. Spokeo, Inc.,
742 F.3d 409,411 (9th Cir. 2014). Nonetheless, the United
States Court of Appeals for the Ninth Circuit held that the
plaintiff had standing because his “personal interests in the
handling of his credit information” meant that the harm he
suffered was “individualized rather than collective.” Robins,
742 F.3d at 413.
The Supreme Court vacated and remanded. 136 S. Ct.
at 1550. It highlighted that there are two elements that must
16
Again, whether that injury is actionable under FCRA
is a different question, one which we are presently assuming
(without deciding) has an affirmative answer. See supra note
9.
22
be established to prove an injury in fact – concreteness and
particularization. Id. at 1545. The Ninth Circuit had relied
solely on the “particularization” aspect of the injury-in-fact
inquiry and did not address the “concreteness” aspect. Id.
The Supreme Court therefore provided guidance as to what
constituted a “concrete” injury and remanded to the Ninth
Circuit to determine in the first instance whether the harm
was concrete. Id.
In laying out its reasoning, the Supreme Court rejected
the argument that an injury must be “tangible” in order to be
“concrete.” Id. at 1549. It noted that many intangible
injuries have nevertheless long been understood as cognizable
– for instance violations of the right to freedom of speech or
the free exercise of religion. Id. It then explained that “both
history and the judgment of Congress play important roles” in
determining whether “an intangible injury constitutes injury
in fact.” Id. There are thus two tests for whether an
intangible injury can (despite the obvious linguistic
contradiction) be “concrete.” The first test, the one of history,
asks whether “an alleged intangible harm” is closely related
“to a harm that has traditionally been regarded as providing a
basis for a lawsuit in English or American Courts.” Id. If so,
it is likely to be sufficient to satisfy the injury-in-fact element
of standing. Id. But even if an injury was “‘previously
inadequate in law,’” Congress may elevate it “‘to the status of
[a] legally cognizable injur[y].’” Id. (quoting Lujan, 504 U.S.
at 578). Because “Congress is well positioned to identify
intangible harms that meet minimum Article III requirements,
its judgment is … instructive and important.” Id. The second
test therefore asks whether Congress has expressed an intent
to make an injury redressable.
23
The Supreme Court cautioned, however, that
congressional power to elevate intangible harms into concrete
injuries is not without limits. A “bare procedural violation,
divorced from any concrete harm,” is not enough. Id. On the
other hand, the Court said, “the violation of a procedural right
granted by statute can be sufficient in some circumstances to
constitute injury in fact. In other words, a plaintiff in such a
case need not allege any additional harm beyond the one
Congress has identified.” Id.
Although it is possible to read the Supreme Court’s
decision in Spokeo as creating a requirement that a plaintiff
show a statutory violation has caused a “material risk of
harm” before he can bring suit,17 id. at 1550, we do not
believe that the Court so intended to change the traditional
standard for the establishment of standing. As we noted in
Nickelodeon, “[t]he Supreme Court’s recent decision in
17
Some other courts have interpreted Spokeo in such a
manner – most notably the Eighth Circuit. See Braitberg v.
Charter Commc’ns, Inc., 836 F.3d 925, 930 (8th Cir. 2016)
(concluding that, in light of Spokeo, the improper retention of
information under the Cable Communications Policy Act did
not provide an injury in fact absent proof of “material risk of
harm from the retention”); see also Gubala v. Time Warner
Cable, Inc., No. 15-CV-1078-PP, 2016 WL 3390415, at *4
(E.D. Wis. June 17, 2016) (finding that, as a result of Spokeo,
the unlawful retention of an individual’s personal information
under the Cable Communications Policy Act did not
constitute a cognizable injury absent a concrete risk of harm).
24
Spokeo … does not alter our prior analysis in Google.”
Nickelodeon, 827 F.3d at 273 (citation omitted).
We reaffirm that conclusion today. Spokeo itself does
not state that it is redefining the injury-in-fact requirement.
Instead, it reemphasizes that Congress “has the power to
define injuries,” 136 S. Ct. at 1549 (citation and internal
quotation marks omitted), “that were previously inadequate in
law.” Id. (citation and internal quotation marks omitted). In
the absence of any indication to the contrary, we understand
that the Spokeo Court meant to reiterate traditional notions of
standing,18 rather than erect any new barriers that might
prevent Congress from identifying new causes of action
though they may be based on intangible harms. In short, out
of a respect for stare decisis, we assume that the law is stable
unless there is clear precedent to the contrary. And that
means that we do not assume that the Supreme Court has
altered the law unless it says so. Cf. Rodriguez de Quijas v.
Shearson/Am. Exp., Inc., 490 U.S. 477, 484 (1989) (“If a
precedent of this Court has direct application in a case, yet
appears to rest on reasons rejected in some other line of
18
Justice Thomas’s concurrence also illustrates that
Spokeo was merely a restatement of traditional standing
principles. In that concurrence, he reiterated that a plaintiff is
not required to “assert an actual injury beyond the violation of
his personal legal rights to satisfy the ‘injury-in-fact’
requirement.” Spokeo, 136 S. Ct. at 1552 (Thomas, J.,
concurring). Yet Justice Thomas joined the majority opinion
in full. And nowhere in his concurrence did he critique the
majority for creating a new injury-in-fact requirement.
25
decisions, the Court of Appeals should follow the case which
directly controls, leaving to this Court the prerogative of
overruling its own decisions.”).
It is nevertheless clear from Spokeo that there are some
circumstances where the mere technical violation of a
procedural requirement of a statute cannot, in and of itself,
constitute an injury in fact. 136 S. Ct. at 1549 (“Congress’
role in identifying and elevating intangible harms does not
mean that a plaintiff automatically satisfies the injury-in-fact
requirement whenever a statute grants a person a statutory
right and purports to authorize that person to sue to vindicate
that right.”). Those limiting circumstances are not defined in
Spokeo and we have no occasion to consider them now. In
some future case, we may be required to consider the full
reach of congressional power to elevate a procedural violation
into an injury in fact, but this case does not strain that reach.
As we noted in Nickelodeon, “unauthorized
disclosures of information” have long been seen as injurious.
827 F.3d at 274 (emphasis added). The common law alone
will sometimes protect a person’s right to prevent the
dissemination of private information. See Restatement
(Second) of Torts § 652A (2016) (“One who invades the right
of privacy of another is subject to liability for the resulting
harm to the interests of the other.”); see also Samuel D.
Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv.
L. Rev. 193, 193 (1890) (advancing the argument for a “right
to be let alone”). Indeed, it has been said that “the privacy
torts have become well-ensconced in the fabric of American
law.” David A. Elder, Privacy Torts § 1:1 (2016). And with
privacy torts, improper dissemination of information can
itself constitute a cognizable injury. Because “[d]amages for
26
a violation of an individual's privacy are a quintessential
example of damages that are uncertain and possibly
unmeasurable,” such causes of action “provide[] privacy tort
victims with a monetary award calculated
without proving actual damages.” Pichler v. UNITE, 542
F.3d 380, 399 (3d Cir. 2008) (citation omitted).
We are not suggesting that Horizon’s actions would
give rise to a cause of action under common law. No
common law tort proscribes the release of truthful
information that is not harmful to one’s reputation or
otherwise offensive. But with the passage of FCRA,
Congress established that the unauthorized dissemination of
personal information by a credit reporting agency causes an
injury in and of itself – whether or not the disclosure of that
information increased the risk of identity theft or some other
future harm.19 It created a private right of action to enforce
19
Again, it is Congress’s decision to protect personal
information from disclosure that “elevates to the status of
legally cognizable injuries concrete, de facto injuries that
were previously inadequate in law.” Lujan, 504 U.S. at 578
(emphasis in original). That is the focus of our decision
today. Nevertheless, we note our disagreement with our
concurring colleague’s view that “the risk of future harm” in
this case “requires too much supposition to satisfy Article III
standing.” (Concurring Op. at 6 n.5.) The facts of this case
suggest that the data breach did create a “material risk of
harm.” Spokeo, 136 S. Ct. at 1550. The information that was
stolen was highly personal and could be used to steal one’s
identity. Id. (noting that with the “dissemination of an
incorrect zip code,” it is difficult to see the risk of concrete
27
the provisions of FCRA, and even allowed for statutory
damages for willful violations – which clearly illustrates that
Congress believed that the violation of FCRA causes a
concrete harm to consumers.20 And since the “intangible
harm). The theft appears to have been directed towards the
acquisition of such personal information. Cf. In re Sci.
Applications Int’l. Corp. (SAIC) Backup Tape Data Theft
Litig., 45 F. Supp. 3d 14, 25 (D.D.C. 2014) (concluding that
plaintiffs did not suffer an injury in fact as a result of the theft
of devices with their personal information when it appeared
that the theft was not directed at accessing the personal
information). The stolen laptops were unencrypted, meaning
that the personal information was easily accessible. Cf. id.
(noting that the stolen data had been encrypted which made it
unlikely that anyone could access it). And Rindner alleged
that he had already been a victim of identity theft as a result
of the breach. Cf. Remijas v. Neiman Marcus Grp., LLC, 794
F.3d 688, 692-95 (7th Cir. 2015) (concluding that the plaintiff
suffered an injury in fact in light of credible evidence that
others had experienced identity theft as a result of the same
breach). Plaintiffs make a legitimate argument that they face
an increased risk of future injury, which at least weighs in
favor of standing.
20
Congress’s decision to prohibit unauthorized
disclosure of data is something that distinguishes this case
from a prior case in which we addressed Article III standing
after a data breach. In Reilly v. Ceridian Corp, 664 F.3d 38
(3rd Cir. 2011), we concluded that a security breach that
compromised private information held by a payroll
processing firm did not cause an injury in fact. In that case,
28
harm” that FCRA seeks to remedy “has a close relationship to
a harm [i.e. invasion of privacy] that has traditionally been
regarded as providing a basis for a lawsuit in English or
American courts,” Spokeo, 136 S. Ct. at 1549, we have no
trouble concluding that Congress properly defined an injury
that “give[s] rise to a case or controversy where none existed
before.” Id. (citation and internal quotation marks omitted).
So the Plaintiffs here do not allege a mere technical or
procedural violation of FCRA.21 They allege instead the
the claims were based solely on the common law and
concerned the increased risk of identity theft, the incurred
costs, and the emotional distress suffered. See id. at 40. For
those common law claims, we held that the plaintiffs did not
have standing because their risk of harm was too speculative.
See id. at 42. In Reilly, the plaintiffs’ claims centered on the
future injuries that they expected to suffer as a result of a data
breach such as the increased risk of identity theft. Id. at 40.
And we concluded that those future injuries were too
speculative. Id at 42. Here, in contrast, the Plaintiffs are not
complaining solely of future injuries. Congress has elevated
the unauthorized disclosure of information into a tort. And so
there is nothing speculative about the harm that Plaintiffs
allege.
21
In this way, the failure to protect data privacy under
FCRA is distinguishable from the Fifth Circuit’s recent
treatment of a violation of the Employee Retirement Income
Security Act (ERISA) as a result of improper “plan
management.” Lee v. Verizon Commc’ns. Inc., 837 F.3d 523,
529 (5th Cir. 2016). In that case, the court concluded that a
29
unauthorized dissemination of their own private information22
– the very injury that FCRA is intended to prevent.23 There is
participant’s interest was in his right to “the defined level of
benefits” rather than in the procedural protections of the act.
Id. at 530 (citation and internal quotation marks omitted). A
mere procedural violation, without proof of the diminution of
benefits, was not a cognizable Article III injury. Here, the
privacy of one’s data is a cognizable interest even without
consequent harm.
22
Horizon has expressed concern that a reporting
agency could be inundated with lawsuits for a technical
breach of FCRA (such as failing to post a required 1-800
number). But in addition to concreteness, a plaintiff must
also allege a particularized injury. Here the Plaintiffs are
suing on their own behalf with respect to the disclosure of
their personal information. See Beaudry v. TeleCheck Servs.,
Inc., 579 F.3d 702, 707 (6th Cir. 2009) (explaining that
FCRA “creates an individual right not to have unlawful
practices occur ‘with respect to’ one’s own credit
information” (citations omitted)). The particularization
requirement may impose limits on the ability of consumers to
bring suit due to more generalized grievances such as those
mentioned by Horizon.
23
Our conclusion that it was within Congress’s
discretion to elevate the disclosure of private information into
a concrete injury is strengthened by the difficulty that would
follow from requiring proof of identity theft or some other
tangible injury. “[R]equiring Plaintiffs to wait for the
threatened harm to materialize in order to sue would pose a
30
thus a de facto injury that satisfies the concreteness
requirement for Article III standing.24 See In re Nickelodeon,
standing problem of its own … .” In re Adobe Sys., Inc.
Privacy Litig., 66 F. Supp. 3d 1197, 1215 n.5 (N.D. Cal.
2014). Namely, the “more time that passes between a data
breach and an instance of identity theft, the more latitude a
defendant has to argue that the identity theft is not ‘fairly
traceable’ to the defendant’s data breach.” Id.
24
The weight of precedent in our sister circuits is to
the same effect. See Sterk v. Redbox Automated Retail, LLC,
770 F.3d 618, 623 (7th Cir. 2014) (noting that “’technical’
violations of the statute … are precisely what Congress
sought to illegalize” and that therefore tangible harm is not
required to confer standing); accord Remijas v. Neiman
Marcus Grp., LLC, 794 F.3d 688, 692 (7th Cir. 2015)
(observing that the alleged harm suffered by the loss of
privacy incurred by a data breach “go[es] far beyond the
complaint about a website’s publication of inaccurate
information” in Spokeo); Beaudry v. TeleCheck Services, Inc.,
579 F.3d 702, 707 (6th Cir. 2009) (holding that bare
procedural violations of FCRA are sufficient to confer
standing); accord Galaria v. Nationwide Mut. Ins. Co., No.
15-3386/3387, 2016 WL 4728027, at *3 (6th Cir. Sept. 12,
2016) (concluding that a data breach in violation of FCRA
causes a concrete injury – at least when there is proof of a
substantial risk of harm); see also Church v. Accretive Health,
Inc., 654 Fed.Appx. 990, 993 (11th Cir. 2016) (concluding
that a health company’s failure to provide required
disclosures under the Fair Debt Collections Practices Act
caused a concrete injury because Congress had created a right
31
827 F.3d 274 (concluding that the “unlawful disclosure of
legally protected information” in and of itself constitutes a
“de facto injury”). Accordingly, the District Court erred
when it dismissed the Plaintiffs’ claims for lack of standing.25
III. CONCLUSION
Our precedent and congressional action lead us to
conclude that the improper disclosure of one’s personal data
in violation of FCRA is a cognizable injury for Article III
standing purposes. We will therefore vacate the District
Court’s order of dismissal and remand for further proceedings
consistent with this opinion.
and a remedy in the statute); Robey v. Shapiro, Marianos &
Cejda, L.L.C., 434 F.3d 1208, 1211-12 (10th Cir. 2006)
(holding that a violation of the Fair Debt Collection Practices
Act in the form of an unlawful demand for attorney’s fees –
even where the fees are not actually paid and so no economic
injury was inflicted – is a cognizable injury for Article III
standing).
25
The Plaintiffs also argue that they were injured by
systematically overpaying for their Horizon insurance
because “Horizon either did not allocate a portion of their
premiums to protect their [personal information] or allocated
an inadequate portion of the premiums to protect [personal
information].” (Opening Br. at 19-20.) Because they have
standing under FCRA, we do not reach that purported basis
for standing; nor do we address Rindner’s alternative
argument for standing based on the fraudulent tax return or
his denial of credit.
32
SHWARTZ, Circuit Judge, concurring in the judgment.
I agree with my colleagues that Plaintiffs have
standing, but I reach this conclusion for different reasons. In
short, Plaintiffs allege that the theft of the laptops caused a
loss of privacy, which is itself an injury in fact. Thus,
regardless of whether a violation of a statute itself constitutes
an injury in fact, and mindful that under our precedent, a risk
of identity theft or fraud is too speculative to constitute an
injury in fact, see Reilly v. Ceridian Corp., 664 F.3d 38 (3d
Cir. 2011), Plaintiffs have nonetheless alleged an injury in
fact sufficient to give them standing.
I
As my colleagues have explained, Horizon Healthcare
Services provides insurance to individuals in New Jersey.
Horizon obtains personally identifiable information (“PII”),
including names, dates of birth, and social security numbers,
as well as protected health information (“PHI”), such as
medical histories and test results, from its insureds. This
information is viewed as private and those in possession of it
are required to ensure that it is kept secure and used only for
proper purposes.
PII and PHI were stored on laptop computers kept at
Horizon’s Newark, New Jersey headquarters. In January,
November, and December 2008, as well as April and
November 2013, laptop computers were stolen. The laptop
computers stolen in November 2013 were cable-locked to
workstations and password-protected, but the contents, which
1
included the PII/PHI of 839,000 people, were not encrypted.1
Plaintiffs assert this theft places them at risk of future identity
theft and fraud, and subjected them to a loss of privacy, in
violation of the Fair Credit Reporting Act, 15 U.S.C. § 1681
et seq. (“FCRA”), and various state laws. The District Court
concluded that Plaintiffs lack standing to bring a claim under
the FCRA because the pleadings failed to allege any plaintiff
suffered an injury in fact.2
1
My colleagues infer that these thefts were committed
to obtain the PII/PHI. Maj. Op. at 27 n.19. I would not
necessarily draw that inference. Plaintiffs do not allege that
any of the 839,000 individuals whose information was stored
on the laptop computers, or on the laptop computers taken in
the earlier thefts, suffered any loss or that their identities were
misused. Given the number of laptop computer thefts, and
the absence of any allegation of a loss tied to their contents, it
is at least equally reasonable to infer that the laptop
computers were taken for their hardware, not their contents. I
acknowledge, however, that we are to draw a reasonable
inference in Plaintiffs’ favor in the context of a facial
challenge pursuant to a Rule 12(b)(1) motion. See Petruska
v. Gannon Univ., 462 F.3d 294, 299 n.1 (3d Cir. 2006)
(“[T]he standard is the same when considering a facial attack
under Rule 12(b)(1) or a motion to dismiss for failure to state
a claim under Rule 12(b)(6).”); Mortensen v. First Fed. Sav.
& Loan Ass’n, 549 F.2d 884, 891 (3d Cir. 1977) (explaining
that Rule 12(b)(6) safeguards apply to facial attacks under
Rule 12(b)(1) and provide that plaintiffs’ allegations are taken
as true and all inferences are drawn in plaintiffs’ favor).
2
The District Court declined to exercise supplemental
jurisdiction over the state law claims.
2
II
As my colleagues accurately state, there are three
elements of Article III standing: (1) injury in fact, or “an
invasion of a legally protected interest” that is “concrete and
particularized”; (2) traceability, that is a “causal connection
between the injury and the conduct complained of”; and (3)
redressability, meaning a likelihood “that the injury will be
redressed by a favorable decision.” Lujan v. Defs. of
Wildlife, 504 U.S. 555, 560-61 (1992).
The injury-in-fact element most often determines
standing. See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547
(2016). Such injury must be particularized and concrete. Id.
at 1548. “For an injury to be particularized, it must affect the
plaintiff in a personal and individual way.” Id. (internal
quotation marks and citation omitted). To be “concrete,” an
injury must be “real” as opposed to “abstract,” but it need not
be “tangible.” Id. at 1548-49.
As my colleagues eloquently explain, the Spokeo
Court identified two approaches for determining whether an
intangible injury is sufficient to constitute an injury in fact.
Maj. Op. at 23 (citing Spokeo, 136 S. Ct. at 1549). Under the
first approach, a court considers history and asks whether the
intangible harm is closely related “to a harm that has
traditionally been regarded as providing a basis for a lawsuit
in English or American courts.” Id. at 1549; Maj. Op. at 23.
If so, “it is likely sufficient to satisfy the injury-in-fact
element of standing.” Maj. Op. at 23 (citing Spokeo, 136 S.
Ct. at 1549). Under the second approach, a court considers
whether Congress has “expressed an intent to make an injury
redressable.” Maj. Op. at 23. My colleagues rely on this
3
latter approach, but I rely on the former.
The common law has historically recognized torts
based upon invasions of privacy and permitted such claims to
proceed even in the absence of proof of actual damages. See,
e.g., Pichler v. UNITE, 542 F.3d 380, 399 (3d Cir. 2008)
(citing Doe v. Chao, 540 U.S. 614, 621 n.3 (2004));
Restatement (Second) Torts §652A (2016) (stating that “[o]ne
who invades the right of privacy of another is subject to
liability for the resulting harm to the interest of the other”).
While Plaintiffs do not allege that the laptop thieves looked at
or used their PII and PHI, Plaintiffs lost their privacy once it
got into the hands of those not intended to have it. Cf. United
States v. Westinghouse Elec. Corp., 638 F.2d 570, 577 n.5
(3d Cir. 1980) (observing that “[p]rivacy . . . is control over
knowledge about oneself” (citation omitted)). While this may
or may not be sufficient to state a claim for relief under Fed.
R. Civ. P. 12(b)(6), Maj. Op. at 27, the intangible harm from
the loss of privacy appears to have sufficient historical roots
to satisfy the requirement that Plaintiffs have alleged a
sufficiently concrete harm for standing purposes.
Our Court has embraced the view that an invasion of
privacy provides a basis for standing. In In re Google Cookie
Placement Consumer Privacy Litigation, 806 F.3d 125 (3d
Cir. 2015), and In re Nickelodeon Consumer Privacy
Litigation, 827 F.3d 262 (3d Cir. 2016), Google and
Nickelodeon were alleged to have invaded the plaintiffs’
privacy by placing cookies into the plaintiffs’ computers,
which allowed the companies to monitor the plaintiffs’
computer activities. In these cases, the injury was invasion of
privacy and not economic loss, and thus the standing analysis
4
focused on a loss of privacy.3 In re Nickelodeon, 827 F.3d at
272-73; In re Google, 806 F.3d at 134. Although the
perpetrators of the invasion of privacy here are the laptop
thieves and in Google and Nickelodeon the invaders were the
defendants themselves, the injury was the same: a loss of
privacy. Thus, those cases provide a basis for concluding
Plaintiffs here have suffered an injury in fact based on the
loss of privacy.4
III
While I have concluded that Plaintiffs have alleged an
injury in fact by asserting that that they sustained a loss of
privacy, the other grounds that Plaintiffs rely upon are
unavailing. Although this is not necessary for my analysis, I
offer these observations to help explain the types of “injuries”
that are not sufficient to provide standing in the context of
data thefts. First, under our precedent, the increased risk of
identity theft or fraud due to a data breach, without more,
3
My colleagues view In re Google Cookie Placement
Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015),
and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d
262 (3d Cir. 2016), as providing a basis for Plaintiffs to assert
that a violation of the FCRA, without any resulting harm,
satisfies the injury-in-fact requirement. I do not rely on the
possible existence of a statutory violation as the basis for
standing, and am not persuaded that these cases support that
particular point.
4
I also conclude that Plaintiffs have sufficiently
alleged that the injury was traceable, in part, to the failure to
encrypt the data, and am satisfied that if proven, the injury
could be redressable.
5
does not establish the kind of imminent or substantial risk
required to establish standing. See Reilly, 664 F.3d at 42.
Like in Reilly, the feared economic injury here depends on a
speculative chain of events beginning with an assumption that
the thief knew or discovered that the laptop contained
valuable information, that the thief was able to access the data
despite the password protection, and that the thief opted to
use the data maliciously.5 See Reilly, 664 F.3d at 42; see also
Clapper v. Amnesty Int’l USA, 133 S. Ct 1138, 1150 n.5
(2013). Second, Reilly and Clapper have rejected Plaintiffs’
assertion that standing exists because they expended time and
money to monitor for misuse of their information. The
Clapper Court reasoned that a plaintiff cannot “manufacture”
standing by choosing to undertake burdens or “make
expenditures” based on a “hypothetical future harm” that does
not itself qualify as an injury in fact. Clapper, 133 S. Ct. at
1050-51; see also Reilly, 664 F.3d at 46 (rejecting a claim for
standing based upon “expenditures to monitor their financial
information . . . because costs incurred to watch for a
speculative chain of future events based on hypothetical
future criminal acts are no more ‘actual’ injuries than the
5
As noted earlier, my colleagues rely on the second
approach, finding standing based upon a statutory violation.
The alleged statutory violation here, however, creates only an
increased risk of future harm. Although Spokeo says that a
violation of a statute can provide standing, Spokeo, 136 S. Ct.
at 1549-50, standing still requires a showing of a concrete,
particularized, nonspeculative injury in fact and, under Reilly,
the link between the theft here and the risk of future harm
requires too much supposition to satisfy Article III standing,
Reilly, 664 F.3d at 42; see also Clapper, 133 S. Ct. at 1148-
50.
6
alleged ‘increased risk of injury’ which forms the basis for
Appellants’ claims”).6 The Supreme Court observed that to
conclude otherwise would have problematic implications, as
“an enterprising plaintiff would be able to secure a lower
standard for Article III standing simply by making an
expenditure based on a nonparanoid fear.” Clapper, 133 S.
Ct. at 1151. Third, courts have rejected claims of standing
based on assertions that plaintiffs suffered economic harm by
paying insurance premiums that allegedly included additional
fees for measures to secure PII/PHI, but such measures were
not implemented. See, e.g., Remijas v. Neiman Marcus, 794
F.3d 688, 694-95 (7th Cir. 2015) (describing this type of
overpayment theory as “problematic” and suggesting that
6
Plaintiffs also assert in a conclusory fashion that, “as
a result of the Data Breach,” plaintiff Mitchell Rindner was
the victim of identity theft. While Plaintiffs allege that a false
tax return was submitted to the Internal Revenue Service
bearing Mr. Rindner’s and his wife’s names, and that
someone used his credit card, the factual allegations do not
show that these events were tied to theft. First, the Amended
Complaint does not allege that any of Mrs. Rindner’s PII/PHI
was included in the stolen data. Second, there is no allegation
that the stolen data contained Mr. Rindner’s credit card
information. This leads to “[t]he inescapable conclusion . . .
that [Rindner] has been subjected to another . . . data breach
involving his financial . . . records.” In re Sci. Applications
Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F.
Supp. 3d 14, 32 (D.D.C. 2014). Because Plaintiffs do not
plausibly plead that this injury was “fairly traceable” to
Horizon’s alleged failure to adequately guard Plaintiffs’ data,
this particular injury fails to provide standing for a claim
against Horizon. See Lujan, 504 U.S. at 560-61.
7
such a theory is limited to the products liability context); Katz
v. Pershing, LLC, 672 F.3d 64, 77-78 (1st Cir. 2012) (holding
that the “bare hypothesis” that brokerage fees were artificially
inflated to cover security measures was implausible); In re
Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft
Litig., 45 F. Supp. 3d 14, 30 (D.D.C. 2014) (rejecting the
overpayment theory since the plaintiffs had paid for health
insurance and did not allege that they were denied such
coverage or services).7 Accordingly, none of these grounds
provides a basis for standing in a data theft case like we have
here.
IV
For these reasons, I concur in the judgment.
7
Plaintiffs identify two cases to support their
overpayment theory: Resnick v. AcMed, Inc., 693 F.3d 1317,
1328 (11th Cir. 2012), and In re Insurance Brokerage
Antitrust Litigation, 579 F.3d 241, 264 (3d Cir. 2009).
Neither supports their position. Resnick’s endorsement of an
overpayment theory occurred only in the context of a Fed. R.
Civ. P. 12(b)(6) motion to dismiss the claim for unjust
enrichment, and was not used to support standing. 698 F.3d
at 1323. In re Insurance Brokerage involved a kickback
scheme that artificially inflated premiums. 579 F.3d at 264.
Here, Plaintiffs do not allege that the premiums they paid
were artificially inflated because funds that were to be used
for securing their data were not used for that purpose, nor do
they allege that their premiums would otherwise have been
cheaper.
8