IN RE: HORIZON HEALTHCARE SERVICES INC. DATA BREACH LITIGATION
Courtney Diana; Mark Meisel; Karen Pekelney; Mitchell Rindner, Appellants
No. 15-2309
United States Court of Appeals, Third Circuit.
Argued: July 12, 2016 (Filed: January 20, 2017)
846 F.3d 625
CONCLUSION
We hold that Amendment 759‘s application prohibiting Ramirez from taking advantage of Amendment 782 does not violate the Ex Post Facto Clause. We therefore AFFIRM the district court‘s order denying Ramirez‘s motion for sentence reduction under
Joseph J. DePalma, Jeffrey A. Shooman, Lite DePalma Greenberg, LLC, 570 Broad Street, Suite 1201, Newark, NJ 07102
Robert N. Kaplan, David A. Straite, Kaplan Fox & Kilsheimer LLP, 850 Third Avenue, 14th Floor, New York, NY 10022
Laurence D. King, Kaplan Fox & Kilsheimer LLP, 350 Sansome Street, Suite 400, San Francisco, CA 94104
Philip A. Tortoreti, Wilentz, Goldman & Spitzer, PA, 90 Woodbridge Center Drive, Suite 900, Woodbridge, NJ 07095, Counsel for Appellants
Kenneth L. Chernof [ARGUED], Arthur Luk, Arnold & Porter LLP, 601 Massachusetts Avenue, NW, Washington, DC 20001
David Jay, Philip R. Sellinger, Greenberg Traurig, 500 Campus Drive, Suite 400, Florham Park, NJ 07932, Counsel for Appellee
Before: JORDAN, VANASKIE, and SHWARTZ, Circuit Judges.
JORDAN, Circuit Judge.
The dispute at the bottom of this putative class action began when two laptops, containing sensitive personal information, were stolen from health insurer Horizon Healthcare Services, Inc. The four named Plaintiffs filed suit on behalf of themselves and other Horizon customers whose personal information was stored on those laptops. They allege willful and negligent violations of the Fair Credit Reporting Act (“FCRA“),
We will vacate and remand. In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created1 a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under
I. BACKGROUND
A. Factual Background1
Horizon Healthcare Services, Inc., d/b/a Horizon Blue Cross Blue Shield of New Jersey (“Horizon“) is a New Jersey-based company that provides health insurance products and services to approximately 3.7 million members. In the regular course of its business, Horizon collects and maintains personally identifiable information (e.g., names, dates of birth, social security numbers, and addresses) and protected health information (e.g., demographic information, medical histories, test and lab results, insurance information, and other care-related data) on its customers and potential customers. The named Plaintiffs—Courtney Diana, Mark Meisel, Karen Pekelney, and Mitchell Rindner2—and other class members are or were participants in, or as Horizon puts it, members of Horizon insurance plans. They entrusted Horizon with their personal information.3
Horizon‘s privacy policy states that the company “maintain[s] appropriate administrative, technical and physical safeguards
During the weekend of November 1st to 3rd, 2013, two laptop computers containing the unencrypted personal information of the named Plaintiffs and more than 839,000 other Horizon members were stolen from Horizon‘s headquarters in Newark, New Jersey. The Complaint alleges that “[t]he facts surrounding the Data Breach demonstrate that the stolen laptop computers were targeted due to the storage of Plaintiffs’ and Class Members’ highly sensitive and private [personal information] on them.” (App. at 32.) Horizon discovered the theft the following Monday, and notified the Newark Police Department that day. It alerted potentially affected members by letter and a press release a month later, on December 6. The press release concerning the incident noted that the computers “may have contained files with differing amounts of member information, including name and demographic information (e.g., address, member identification number, date of birth), and in some instances, a Social Security number and/or limited clinical information.” (App. at 33.)
Horizon offered one year of credit monitoring and identity theft protection services to those affected, which the Plaintiffs allege was inadequate to remedy the effects of the data breach. At a January 2014 New Jersey Senate hearing, “Horizon confirmed that it had not encrypted all of its computers that contained [personal information].” (App. at 35.) Thereafter, “Horizon allegedly established safeguards to prevent a similar incident in the future—including tougher policies and stronger encryption processes that could have been implemented prior to the Data Breach and prevented it.” (App. at 35.)
Some personal history about the named Plaintiffs is included in the Complaint. Diana, Meisel, and Pekelney are all citizens and residents of New Jersey who were Horizon members who received letters from Horizon indicating that their personal information was on the stolen laptops. The Complaint does not include any allegation that their identities were stolen as a result of the data breach. Plaintiff Rindner is a citizen and resident of New York. He was a Horizon member but was not initially notified of the data breach. After Rindner contacted Horizon in February 2014, the company confirmed that his personal information was on the stolen computers. The Plaintiffs allege that, “[a]s a result of the Data Breach, a thief or thieves submitted to the [IRS] a fraudulent Income Tax Return for 2013 in Rindner‘s and his wife‘s names and stole their 2013 income tax refund.” (App. at 27.) Rindner eventually did receive the refund, but “spent time working with the IRS and law enforcement to remedy the effects” of the fraud, “incurred other out-of-pocket expenses to remedy the identity theft[,]” and was “damaged financially by the related delay in receiving his tax refund.” (App. at 27, 41.) After that fraudulent tax return, someone also fraudulently attempted to use Rindner‘s credit card number in an online transaction. Rindner was also “recently denied retail credit because his social security number has been associated with identity theft.” (App. at 27.)
The Plaintiffs filed suit on June 27, 2014. Count I of the Complaint claims that Horizon committed a willful violation of FCRA; Count II alleges a negligent violation of FCRA; and the remaining counts allege various violations of state law.4 FCRA was enacted in 1970 “to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47, 52 (2007). With respect to consumer privacy, the statute imposes certain requirements on any “consumer reporting agency” that “regularly ... assembl[es] or evaluat[es] consumer credit information ... for the purpose of furnishing consumer reports to third parties.”
In their Complaint, the Plaintiffs assert that Horizon is a consumer reporting agency and that it violated FCRA in several respects. They say that Horizon “furnish[ed]” their information in an unauthorized fashion by allowing it to fall into the hands of thieves. (App. at 48.) They also allege that Horizon fell short of its FCRA responsibility to adopt reasonable procedures6 to keep sensitive information confidential.7 According to the Plaintiffs, Horizon‘s failure to protect their personal information violated the company‘s responsibility under FCRA to maintain the confidentiality of their personal information.
Horizon moved to dismiss the Complaint for lack of subject matter jurisdiction under
The Plaintiffs filed this timely appeal.
II. DISCUSSION
A. Jurisdiction and Standard of Review
The District Court exercised jurisdiction over the Plaintiffs’ FCRA claims pursuant to
Our review of the District Court‘s dismissal of a complaint pursuant to
In reviewing facial challenges to standing, we apply the same standard as on review of a motion to dismiss under
There are three well-recognized elements of Article III standing: First, an “injury in fact,” or an “invasion of a legally protected interest” that is “concrete and particularized.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). Second, a “causаl connection between the injury and the conduct complained of[.]” Id. And third, a likelihood “that the injury will be redressed by a favorable decision.” Id. at 561 (citation and internal quotation marks omitted).
This appeal centers entirely on the injury-in-fact element of standing—more specifically, on the concreteness requirement of that element.10
“In the context of a motion to dismiss, we have held that the [i]njury-in-fact element is not Mount Everest. The contours of the injury-in-fact requirement, while not precisely defined, are very generous, requiring only that claimant allege[] some specific, identifiable trifle of injury.” Blunt v. Lower Merion Sch. Dist., 767 F.3d 247, 278 (3d Cir. 2014) (emphasis omitted) (citation and internal quotation marks omitted) (second alteration in original). “At the pleading stage, general factual allegations of injury resulting from the defendant‘s conduct may suffice, for on a
The requirements for standing do not change in the class action context. “[N]amed plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Lewis v. Casey, 518 U.S. 343, 357 (1996) (citation and internal quotation marks omitted). “[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.” O‘Shea v. Littleton, 414 U.S. 488, 494 (1974).11 Accordingly, at least one of the four named Plaintiffs must have Article III standing in order to maintain this class action.
B. Analysis of the Plaintiffs’ Standing
All four of the named Plaintiffs argue that the violation of their statutory rights under FCRA gave rise to a cognizable and concrete injury that satisfies the first element of Article III standing. They claim that the violation of their statutory right to have their personal information secured against unauthorized disclosure constitutes, in and of itself, an injury in fact. The District Court rejected that argument, concluding that standing requires some form of additional, “specific harm,” beyond “mere violations of statutory and common law rights[.]” (App. at 15-16.)
In the alternative, the Plaintiffs argue that Hоrizon‘s violation of FCRA “placed [them] at an imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud....” (App. at 40.) They say the increased risk constitutes a concrete injury for Article III standing purposes. In their Complaint, they assert that those whose personal information has been stolen are “approximately 9.5 times more likely than the general public to suffer identity fraud or identity theft.” (App. at 36.) They go on to note the various ways that identity thieves can inflict injury, such as draining a bank account, filing for a tax refund in another‘s name, or getting medical treatment using stolen health insurance information. The District Court rejected that argument as well because it found that any future risk of harm necessarily depended on the “conjectural conduct of a third party bandit,” and was, therefore, too “attenuated” to sustain standing. (App. at 18.) (relying on Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011)).12
That the violation of a statute can cause an injury in fact and grant Article III standing is not a new doctrine. The Supreme Court has repeatedly affirmed the ability of Congress to “cast the standing net broadly” and to grant individuals the ability to sue to enforce their statutory rights. Fed. Election Comm‘n v. Akins, 524 U.S. 11, 19 (1998);13 see also Warth v. Seldin, 422 U.S. 490, 500 (1975) (“The actual or threatened injury required by Art[icle] III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing.” (citation, internal quotation marks, and ellipses omitted)); Linda R.S. v. Richard D., 410 U.S. 614, 617 n.3 (1973) (“Congress may enact statutes creating legal rights, the invasion of which creates standing, even though no injury would exist without the statute.“); Havens Realty Corp. v. Coleman, 455 U.S. 363, 373-74 (1982) (explaining that one “who has been the object of a misrepresentation made unlawful under [the statute] has suffered injury in precisely the form the statute was intended to guard against, and therefore has standing to maintain a claim for damages under the Act‘s provisions“).
Despite those precedents, our pronouncements in this area have not been entirely consistent. In some cases, we have appeared to reject the idea that the violation of a statute can, by itself, cause an injury sufficient for purposes of Article III standing.14 But we have also accepted the argument, in some circumstances, that the breach of a statute is enough to cause a cognizable injury—even without economic or other tangible harm.15
First, in In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), certain internet users brought an action against internet advertising providers alleging that their placement of so-called “cookies“—i.e. small files with identifying information left by a web server on users’ browsers—violated a number of federal and state statutes, including the Stored Communications Act. Id. at 133. The defendants argued that because the users had not suffered economic loss as a result of the violations of the SCA, they did not have standing. Id. at 134. We emphasized that, so long as an injury “affect[s] the plaintiff in a personal and individual way,” the plaintiff need not “suffer any particular type of harm to have standing.” Id. (сitation and internal quotation marks and citation omitted). Instead, “the actual or threatened injury required by Art[icle] III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing,” even absent evidence of actual monetary loss. Id. (citation and internal quotation marks omitted) (emphasis added).
We then reaffirmed Google‘s holding in In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016). That case involved a class action in which the plaintiffs alleged that Viacom and Google had unlawfully collected personal information on the Internet, including what webpages the plaintiffs had visited and what videos they watched on Viacom websites. Id. at 267. We addressed the plaintiffs’ basis for standing, relying heavily upon our prior analysis in Google, id. at 271-272, saying that, “when it comes to laws that protect privacy, a focus on economic loss is misplaced.” Id. at 272-73 (citation and internal quotation marks omitted). Instead, “the unlawful disclosure of legally protected information” constituted “a clear de facto injury.” Id. at 274. We noted that “Congress has long provided plaintiffs with the right to seek redress for unauthorized disclosures of information that, in Congress‘s judgment, ought to remain private.” Id.
In light of those two rulings, our path forwаrd in this case is plain. The Plaintiffs here have at least as strong a basis for claiming that they were injured as the plaintiffs had in Google and Nickelodeon.16
Horizon nevertheless argues that the Supreme Court‘s recent decision in Spokeo, Inc. v. Robins, 578 U.S. 330, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016), compels a different outcome. We disagree. In Spokeo, a consumer sued a website operator for an allegedly willful violation of FCRA for
The Supreme Court vacated and remanded. 136 S.Ct. at 1550. It highlighted that there are two elements that must be established to prove an injury in fact—concreteness and particularization. Id. at 1545. The Ninth Circuit had relied solely on the “particularization” aspect of the injury-in-fact inquiry and did not address the “concreteness” aspect. Id. The Supreme Court therefore provided guidance as to what constituted a “concrete” injury and remanded to the Ninth Circuit to determine in the first instance whether the harm was concrete. Id.
In laying out its reasoning, thе Supreme Court rejected the argument that an injury must be “tangible” in order to be “concrete.” Id. at 1549. It noted that many intangible injuries have nevertheless long been understood as cognizable—for instance violations of the right to freedom of speech or the free exercise of religion. Id. It then explained that “both history and the judgment of Congress play important roles” in determining whether “an intangible injury constitutes injury in fact.” Id. There are thus two tests for whether an intangible injury can (despite the obvious linguistic contradiction) be “concrete.” The first test, the one of history, asks whether “an alleged intangible harm” is closely related “to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American Courts.” Id. If so, it is likely to be sufficient to satisfy the injury-in-fact element of standing. Id. But even if an injury was “previously inadequate in law,” Congress may elevate it “to the status of [a] legally cognizable injur[y].” Id. (quoting Lujan, 504 U.S. at 578). Because “Congress is well positioned to identify intangible harms that meet minimum Article III requirements, its judgment is ... instructive and important.” Id. The second test therefore asks whether Congress has expressed an intent to make an injury redressable.
The Supreme Court cautioned, however, that congressional power to elevate intangible harms into concrete injuries is not without limits. A “bare procedural violation, divorced from any concrete harm,” is not enough. Id. On the other hand, the Court said, “the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact. In other words, a plaintiff in such a case need not allege any additional harm beyond the one Congress has identified.” Id.
Although it is possible to read the Supreme Court‘s decision in Spokeo as creating a requirement that a plaintiff show a statutory violation has caused a “material risk of harm” before he can bring suit,17
We reaffirm that conclusion today. Spokeo itself does not state that it is redefining the injury-in-fact requirement. Instead, it reemphasizes that Congress “has the power to define injuries,” 136 S.Ct. at 1549 (citation and internal quotation marks omitted), “that were previously inadequate in law.” Id. (citation and internal quotation marks omitted). In the absence of any indication tо the contrary, we understand that the Spokeo Court meant to reiterate traditional notions of standing,18 rather than erect any new barriers that might prevent Congress from identifying new causes of action though they may be based on intangible harms. In short, out of a respect for stare decisis, we assume that the law is stable unless there is clear precedent to the contrary. And that means that we do not assume that the Supreme Court has altered the law unless it says so. Cf. Rodriguez de Quijas v. Shearson/Am. Exp., Inc., 490 U.S. 477, 484 (1989) (“If a precedent of this Court has direct application in a case, yet appears to rest on reasons rejected in some other line of decisions, the Court of Appeals should follow the case which directly controls, leaving to this Court the prerogative of overruling its own decisions.“).
It is nevertheless clear from Spokeo that there are some circumstances where the mere technical violation of a procedural requirement of a statute cannot, in and of itself, constitute an injury in fact. 136 S.Ct. at 1549 (“Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.“). Those limiting circumstances are not defined in Spokeo and we have no occasion to consider them now. In some future case, we may be required to consider the full reach of congressional power to elevate a procedural violation into an injury in fact, but this case does not strain that reach.
As we noted in Nickelodeon, “unauthorized disclosures of information” have long been seen as injurious. 827 F.3d at 274 (emphasis added). The common law alone will sometimes protect a person‘s right to prevent the dissemination of private information. See Restatement (Second) of Torts § 652A (2016) (“One who invades the right of privacy of another is subject to liability for the resulting harm to the interests of the other.“); see also Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 193 (1890) (advancing the argument for a “right to be let alone“). Indeed, it has been said that “the privacy torts have become well-ensconced in the fabric of American law.” David A. Elder, Privacy Torts § 1:1 (2016). And with privacy torts, improper dissemination of information can itself con
We are not suggesting that Horizon‘s actions would give rise to a cause of action under common law. No common law tort proscribes the release of truthful information that is not harmful to one‘s reputation or otherwise offensive. But with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm.19 It created a private right of action to enforce the provisions of FCRA, and even allowed for statutory damages for willful violations—which clearly illustrates that Congress believed that the violation of FCRA causes a concrete harm to consumers.20 And since the “intangible harm” that FCRA seeks to remedy “has a close relationship to a harm [i.e. invаsion of privacy] that has traditionally been regarded as providing a basis for
So the Plaintiffs here do not allege a mere technical or procedural violation of FCRA.21 They allege instead the unauthorized dissemination of their own private information22—the very injury that FCRA is intended to prevent.23 There is thus a de facto injury that satisfies the concreteness requirement for Article III standing.24 See In re Nickelodeon, 827 F.3d at 274 (concluding that the “unlawful disclosure of legally protected information” in and of
III. CONCLUSION
Our precedent and congressional action lead us to conclude that the improper disclosure of one‘s personal data in violation of FCRA is a cognizable injury for Article III standing purposes. We will therefore vacate the District Court‘s order of dismissal and remand for further proceedings consistent with this opinion.
SHWARTZ, Circuit Judge, concurring in the judgment.
I agree with my colleagues that Plaintiffs have standing, but I reach this conclusion for different rеasons. In short, Plaintiffs allege that the theft of the laptops caused a loss of privacy, which is itself an injury in fact. Thus, regardless of whether a violation of a statute itself constitutes an injury in fact, and mindful that under our precedent, a risk of identity theft or fraud is too speculative to constitute an injury in fact, see Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), Plaintiffs have nonetheless alleged an injury in fact sufficient to give them standing.
I
As my colleagues have explained, Horizon Healthcare Services provides insurance to individuals in New Jersey. Horizon obtains personally identifiable information (“PII“), including names, dates of birth, and social security numbers, as well as protected health information (“PHI“), such as medical histories and test results, from its insureds. This information is viewed as private and those in possession of it are required to ensure that it is kept secure and used only for proper purposes.
PII and PHI were stored on laptop computers kept at Horizon‘s Newark, New Jersey headquarters. In January, November, and December 2008, as well as April and November 2013, laptop computers were stolen. The laptop computers stolen in Nоvember 2013 were cable-locked to workstations and password-protected, but the contents, which included the PII/PHI of 839,000 people, were not encrypted.1 Plaintiffs assert this theft places them at
II
As my colleagues accurately state, there are three elements of Article III standing: (1) injury in fact, or “an invasion of a legally protected interest” that is “concrete and particularized“; (2) traceability, that is a “causal connection between the injury and the conduct complained of“; and (3) redressability, meaning a likelihood “that the injury will be redressed by a favorable decision.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992).
The injury-in-fact element most often determines standing. See Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016). Such injury must be particularized and concrete. Id. at 1548. “For an injury to be particularized, it must affect the plaintiff in a personal and individual way.” Id. (internal quotation marks and citation omitted). To be “concrete,” an injury must be “real” as opposed to “abstract,” but it need not be “tangible.” Id. at 1548-49.
As my colleagues eloquently explain, the Spokeo Court identified two approaches for determining whether an intangible injury is sufficient to constitute an injury in fact. Maj. Op. at 637 (citing Spokeo, 136 S.Ct. at 1549). Under the first approach, a court considers history and asks whether the intangible harm is closely related “to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Id. at 1549; Maj. Op. at 637. If so, “it is likely sufficient to satisfy the injury-in-fact element of standing.” Maj. Op. at 637 (citing Spokeo, 136 S.Ct. at 1549). Under the second approach, a court considers whether Congress has “expressed an intent to make an injury redressable.” Maj. Op. at 637. My colleagues rely on this latter approach, but I rely on the former.
The common law has historically recognized torts based upon invasions of privacy and permitted such claims to proceed even in the absence of proof of actual damages. See, e.g., Pichler v. UNITE, 542 F.3d 380, 399 (3d Cir. 2008) (citing Doe v. Chao, 540 U.S. 614, 621 n.3 (2004)); Restatement (Second) Torts § 652A (2016) (stating that “[o]ne who invades the right of privacy of another is subject to liability for the resulting harm to the interests of the other“). While Plaintiffs do not allege that the laptop thieves looked at or used their PII and PHI, Plaintiffs lоst their privacy once it got into the hands of those not intended to have it. Cf. United States v. Westinghouse Elec. Corp., 638 F.2d 570, 577 n.5 (3d Cir. 1980) (observing that “[p]rivacy ... is control over knowledge about oneself” (citation omitted)). While this may or may not be sufficient to state a claim for relief under
Our Court has embraced the view that an invasion of privacy provides a basis for
III
While I have concluded that Plaintiffs have alleged an injury in fact by asserting that they sustained a loss of privacy, the other grounds that Plaintiffs rely upon are unavailing. Although this is not necessary for my analysis, I offer these observations to help explain the types of “injuries” that are not sufficient to provide standing in the context of data thefts. First, under our precedent, the increased risk of identity theft or fraud due to a data breach, without more, does not establish the kind of imminent or substantial risk required to establish standing. See Reilly, 664 F.3d at 42. Like in Reilly, the feared economic injury here depends on a speculative chain of events beginning with an assumption that the thief knew or discovered that the laptop contained valuable information, that the thief was able to access the data despite the password protection, and that the thief opted to use the data maliciously.5 See Reilly, 664 F.3d at 42; see also Clapper v. Amnesty Int‘l USA, 133 S.Ct. 1138, 1150 n.5 (2013). Second, Reilly and Clapper have rejected Plaintiffs’ assertion that standing exists because they expended time and money to monitor for misuse of their information. The Clapper Court reasoned that a plaintiff cannot “manufacture” standing by choosing to undertake burdens or “make expenditures” based on a “hypothetical future harm” that does not itself qualify as an injury in fact. Clapper, 133 S.Ct. at 1050-51; see also Reilly, 664 F.3d at 46 (rejecting a claim for standing based upon
sis” that brokerage fees were artificially inflated to cover security measures was implausible); In re Sci. Applications Int‘l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F.Supp.3d 14, 30 (D.D.C. 2014) (rejecting the overpayment theory since the plaintiffs had paid for health insurance and did not allege that they were denied such coverage or services).7 Accordingly, none of these grounds provides a basis for standing in a data theft case like we have here.
IV
For these reasons, I concur in the judgment.