Lead Opinion
The dispute at the bottom of this putative class action began when two laptops, containing sensitive personal information, were stolen from health insurer Horizon Healthcare Services, Inc. The four named Plaintiffs filed suit on behalf of themselves and other Horizon customers whose personal information was stored on those laptops. They allege willful and negligent violations of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681, et seq., as well as numerous violations of state law. Essentially, they say that Horizon inadequately protected their personal information. The District Court dismissed the suit under Federal Rule of Civil Procedure 12(b)(1) for lack of Article III standing. According to the Court, none of the Plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment.
We will vacate and remand. In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Rule 12(b)(1).
I. Background
A. Factual Background
Horizon Healthcare Services, Inc., d/b/a Horizon Blue Cross Blue Shield of New Jersey (“Horizon”) is a New Jersey-based company that provides health insurance products and services to approximately 3.7 million members. In the regular course of its business, Horizon collects and maintains personally identifiable information (e.g., names, dates of birth, social security numbers, and addresses) and protected health information (e.g., demographic information, medical histories, test and lab results, insurance information, and other care-related data) on its customers and potential customers. The named Plaintiffs—Courtney Diana, Mark Meisel, Karen Pekelney, and Mitchell Rindner
Horizon’s privacy policy states that the company “maintain[s] appropriate administrative, technical and physical safeguards
During the weekend of November 1st to 3rd, 2013, two laptop computers containing the unencrypted personal information of the named Plaintiffs and more than 839,000 other Horizon members were stolen from Horizon’s headquarters in Newark, New Jersey. The Complaint alleges that “[t]he facts surrounding the Data Breach demonstrate that the stolen laptop computers were targeted due to the storage of Plaintiffs’ and Class Members’ highly sensitive and private [personal information] on them.” (App. at 32.) Horizon discovered the theft the following Monday, and notified the Newark Police Department that day. It alerted potentially affected members by letter and a press release a month later, on December 6. The press release concerning the incident noted that the computers “may have contained files with differing amounts of member information, including name and demographic information (e.g., address, member identification number, date of birth), and in some instances, a Social Security number and/or limited clinical information.” (App. at 33.)
Horizon offered one year of credit monitoring and identity theft protection services to those affected, which the Plaintiffs allege was inadequate to remedy the effects of the data breach. At a January 2014 New Jersey Senate hearing, “Horizon confirmed that it had not encrypted all of its computers that contained [personal information].” (App. at 35.) Thereafter, “Horizon allegedly established safeguards to prevent a similar incident in the future—including tougher policies and stronger encryption processes that could have been implemented prior to the Data Breach and prevented it.” (App. at 35.)
Some personal history about the named Plaintiffs is included in the Complaint. Diana, Meisel, and Pekelney are all citizens and residents of New Jersey who were Horizon members who received letters from Horizon indicating that their personal information was on the stolen laptops. The Complaint does not include any allegation that their identities were stolen as a result of the data breach. Plaintiff Rindner is a citizen and resident of New York. He was a Horizon member but was not initially notified of the data breach. After Rindner contacted Horizon in February 2014, the company confirmed that his personal information was on the stolen computers. The Plaintiffs allege that, “[a]s a result of the Data Breach, a thief or thieves submitted to the [IRS] a fraudulent Income Tax Return for 2013 in Rindner’s and his wife’s names and stole their 2013 income tax refund.” (App. at 27.) Rindner eventually did receive the refund, but “spent time working with the IRS and law enforcement ... to remedy the effects” of the fraud, “incurred other out-of-pocket expenses to remedy the identity theft[,]” and was “damaged financially by the related delay in receiving his tax refund.” (App. at 27, 41.) After that fraudulent tax return, someone also fraudulently attempted to use Rindner’s credit card number in an online transaction. Rindner was also “recently denied retail credit because his social security number has been associated with identity theft.” (App. at 27.)
The Plaintiffs filed suit on June 27, 2014. Count I of the Complaint claims that Horizon committed a willful violation of FCRA; Count II alleges a negligent violation of FCRA; and the remaining counts allege various violations of state law.
In their Complaint, the Plaintiffs assert that Horizon is a consumer reporting agency and that it violated FCRA in several respects. They say that Horizon “furnish[ed]” their information in an unauthorized fashion by allowing it to fall into the hands of thieves. (App. at 48.) They also allege that Horizon fell short of its FCRA responsibility to adopt reasonable procedures
Horizon moved to dismiss the Complaint for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim upon which relief can be granted under Rule 12(b)(6). The District Court granted dismissal under Rule 12(b)(1), ruling that the Plaintiffs lack Article III standing. The Court concluded that, even taking the Plaintiffs’ allegations as true, they did not have standing because they had not suffered a cognizable injury. Because the Court granted Horizon’s Rule 12(b)(1) motion, it did not address Horizon’s Rule 12(b)(6) arguments and declined to exercise supplemental jurisdiction over the remaining state law claims.
The Plaintiffs filed this timely appeal.
II. Discussion
A. Jurisdiction and Standard of Review
The District Court exercised jurisdiction over the Plaintiffs’ FCRA claims pursuant to 28 U.S.C. § 1331, though it ultimately concluded that it did not have jurisdiction due to the lack of standing. Having decided that the Plaintiffs did not have standing under FCRA, the District Court also concluded that it “lack[ed] discretion to retain supplemental jurisdiction over the state law claims” under 28 U.S.C. § 1367. (App. at 23 (citation omitted).) See Storino v. Borough of Pleasant Beach,
Our review of the District Court’s dismissal of a complaint pursuant to Federal Rule of Civil Procedure 12(b)(1) is de novo. United States ex rel. Atkinson v. Pa. Shipbuilding Co.,
In reviewing facial challenges to standing, we apply the same standard as on review of a motion to dismiss under Rule 12(b)(6). See Petruska v. Gannon Univ.,
There are three well-recognized elements of Article III standing: First, an “injury in fact,” or an “invasion of a legally protected interest” that is “concrete and particularized.” Lujan v. Defs. of Wildlife,
This appeal centers entirely on the injury-in-fact element of standing—more specifically, on the concreteness requirement of that element.
“In the context of a motion to dismiss, we have held that the [i]njury-in-fact element is not Mount Everest. The contours of the injury-in-fact requirement, while not precisely defined, are very generous, requiring only that claimant allege[] some specific, identifiable trifle of injury.” Blunt v. Lower Merion Sch. Dist.,
The requirements for standing do not change in the class action context. “[N]amed plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Lewis v. Casey,
B. Analysis of the Plaintiffs’ Standing
All four of the named Plaintiffs argue that the violation of their statutory rights under FCRA gave rise to a cognizable and concrete injury that satisfies the first element of Article III standing. They claim that the violation of their statutory right to have their personal information secured against unauthorized disclosure constitutes, in and of itself, an injury in fact. The District Court rejected that argument, concluding that standing requires some form of additional, “specific harm,” beyond “mere violations of statutory and common law rights[.]” (App. at 15-16.)
In the alternative, the Plaintiffs argue that Horizon’s violation of FCRA “placed [them] at an imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud....” (App. at 40.) They say the increased risk constitutes a concrete injury for Article III standing purposes. In their Complaint, they assert that those whose personal information has been stolen are “approximately 9.5 times more likely than the general public to suffer identity fraud or identity theft.” (App. at 36.) They go on to note the various ways that identity thieves can inflict injury, such as draining a bank account, filing for a tax refund in another’s name, or getting medical treatment using stolen health insurance information. The District Court rejected that argument as well because it found that any future risk of harm necessarily depended on the “conjectural conduct of a third party bandit,” and was, therefore, too “attenuated” to sustain standing. (App. at 18.) (relying on Reilly v. Ceridian Corp.,
That the violation of a statute can cause an injury in fact and grant Article III standing is not a new doctrine. The Supreme Court has repeatedly affirmed the ability of Congress to “cast the standing net broadly” and to grant individuals the ability to sue to enforce their statutory rights. Fed. Election Comm’n v. Akins,
Despite those precedents, our pronouncements in this area have not been entirely consistent. In some cases, we have appeared to reject the idea that the violation of a statute can, by itself, cause an injury sufficient for purposes of Article III standing.
First, in In re Google Inc. Cookie Placement Consumer Privacy Litigation,
We then reaffirmed Google’s holding in In re Nickelodeon Consumer Privacy Litigation,
In light of those two rulings, our path forward in this case is plain. The Plaintiffs here have at least as strong a basis for claiming that they were injured as the plaintiffs had in Google and Nickelodeon,
The Supreme Court vacated and remanded.
In laying out its reasoning, the Supreme Court rejected the argument that an injury must be “tangible” in order to be “concrete.” Id. at 1549. It noted that many intangible injuries have nevertheless long been understood as cognizable—for instance violations of the right to freedom of speech or the free exercise of religion. Id. It then explained that “both history and the judgment of Congress play important roles” in determining whether “an intangible injury constitutes injury in fact.” Id. There are thus two tests for whether an intangible injury can (despite the obvious linguistic contradiction) be “concrete.” The first test, the one of history, asks whether “an alleged intangible harm” is closely related “to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American Courts.” Id. If so, it is likely to be sufficient to satisfy the injury-in-fact element of standing. Id. But even if an injury was “ ‘previously inadequate in law,’ ” Congress may elevate it “ ‘to the status of [a] legally cognizable injur[y].’ ” Id. (quoting Lujan,
The Supreme Court cautioned, however, that congressional power to elevate intangible harms into concrete injuries is not without limits. A “bare procedural violation, divorced from any concrete harm,” is not enough. Id. On the other hand, the Court said, “the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact. In other words, a plaintiff in such a case need not allege any additional harm beyond the one Congress has identified.” Id.
Although it is possible to read the Supreme Court’s decision in Spokeo as creating a requirement that a plaintiff show a statutory violation has caused a “material risk of harm” before he can bring suit,
We reaffirm that conclusion today. Spokeo itself does not state that it is redefining the injury-in-fact requirement. Instead, it reemphasizes that Congress “has the power to define injuries,”
It is nevertheless clear from Spokeo that there are some circumstances where the mere technical violation of a procedural requirement of a statute cannot, in and of itself, constitute an injury in fact.
As we noted in Nickelodeon, “unauthorized disclosures of information” have long been seen as injurious.
We are not suggesting that Horizon’s actions would give rise to a cause of action under common law. No common law tort proscribes the release of truthful information that is not harmful to one’s reputation or otherwise offensive. But with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm.
So the Plaintiffs here do not allege a mere technical or procedural violation of FCRA.
III. Conclusion
Our precedent and congressional action lead us to conclude that the improper disclosure of one’s personal data in violation of FCRA is a cognizable injury for Article III standing purposes. We will therefore vacate the District Court’s order of dismissal and remand for further proceedings consistent with this opinion.
Notes
. Because this is an appeal from the District Court's grant of a motion to dismiss, we recite the facts as alleged and make all reasonable inferences in the Plaintiffs' favor. Oshiver v. Levin, Fishbein, Sedran & Berman,
. Only Diana was listed as a named Plaintiff in the original complaint. Plaintiffs Pekelney and Meisel filed a separate putative class action complaint on January 28, 2014. Pekelney and Meisel then filed a motion to consolidate the cases on February 10, 2014. Horizon joined the motion. The cases were consolidated and Rindner was later added as a Plaintiff in the amended complaint. We will refer to the amended complaint as “the Complaint.”
. The Complaint identifies the class members as: "All persons whose personal identifying information (PII) or protected health information (PHI) were contained on the computers stolen from Horizon’s Newark, New Jersey office on or about November 1-3, 2013.” (App. at 44.) For ease of reference, we will refer to "personally identifiable information” and “protected health information”—a distinction made by the Complaint—together as "personal information.”
. In particular, Count III alleges negligence; Count IV alleges breach of contract; Count V alleges an invasion of privacy; Count VI alleges unjust enrichment; Count VII alleges a violation of the New Jersey Consumer Fraud Act; Count VIII alleges a failure to destroy certain records, in violation of N.J.S.A. § 56:8-162; Count IX alleges a failure to promptly notify customers following the security breach, in violation of the New Jersey Consumer Fraud Act; and Count X alleges a violation of the Truth-in-Consumer Contract, Warranty and Notice Act. In their response to Horizon’s motion to dismiss, the Plaintiffs consented to the dismissal of Count X without prejudice.
. 15 U.S.C. § 1681(b) states:
Reasonable procedures [-] It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this subchapter.
. "In addition to properly securing and monitoring the stolen laptop computers and encrypting Plaintiffs' and Class Members’ [personal information] on the computers,” Horizon should have—according to the Complaint—conducted periodic risk assessments to identify vulnerabilities, developed information security performance metrics, and taken steps to monitor and secure the room and areas where the laptops were stored. (App. at 48-49.) Therefore, say the Plaintiffs, "Horizon failed to take reasonable and appropriate measures to secure the stolen laptop computers and safeguard and protect Plaintiffs' and Class Members’ [personal information].” (App. at 49.)
. Section 1681a(d)(3) of title 15 of the U.S. Code imposes a restriction, with certain exceptions, on the sharing of medical information with any persons not related by common ownership or affiliated by corporate control. Section 1681b(g)(1) states that "[a] consumer reporting agency shall not furnish for employment purposes, or in connection with a credit or insurance transaction, a consumer report that contains medical information ... about a consumer,” with certain limited exceptions. Section 1681c(a)(6) states that a consumer reporting agency cannot, with limited exceptions, make a consumer report containing "[t]he name, address, and telephone number
. FCRA permits statutory damages, but only for willful violations. See 15 U.S.C. § 1681n(a) ("Any person who willfully fails to comply with any requirement imposed under this subchapter with respect to any consumer is liable to that consumer in an amount equal to the sum of ... any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000....”).
. In its 12(b)(6) motion, which is not before us, Horizon questions whether it is bound by FCRA. In particular, Horizon suggests that it is not a "consumer reporting agency” and therefore is not subject to the requirements of FCRA. At oral argument, Horizon also argued that FCRA does not apply when data is stolen rather than voluntarily "furnish[ed]," 15 U.S.C. § 1681a(f). Because we are faced solely with an attack on standing, we do not pass judgment on the merits of those questions. Our decision should not be read as expanding a claimant’s rights under FCRA. Rather, we assume for purposes of this appeal that FCRA was violated, as alleged, and analyze standing with that assumption in mind. Likewise, our decision regarding Article III standing does not resolve whether Plaintiffs have suffered compensable damages. Some injuries may be "enough to open the courthouse door” even though they ultimately are not compensable, Doe v. Chao,
. There is no doubt that the Plaintiffs complain of a particularized injury—the disclosure of their own private information. Spokeo, Inc. v. Robins, — U.S. —,
. Once Article III standing “is determined vis-á-vis the named parties ... there remains no further separate class standing requirement in the constitutional sense.” In re Prudential Ins. Co. Am. Sales Practice Litig. Agent Actions,
. On appeal, Plaintiffs argue that Horizon’s offer of free credit monitoring can be taken as proof that Horizon "knows that its conduct has put Plaintiffs and Class Members at a
. Many cases focus on the question of whether Congress truly intended to create a private right of action and whether a particular individual was in the "zone of interests” of the statute. But traditionally, once it was clear that Congress intended to create an enforceable right and that an individual falls into the "zone of interests” that individual was found to have standing. See Akins,
. For instance, we have observed that "[t]he proper analysis of standing focuses on whether the plaintiff suffered an actual injury, not on whether a statute was violated. Although Congress can expand standing by enacting a law enabling someone to sue on what was already a de facto injury to that person, it cannot confer standing by statute alone.” Doe v. Nat’l Bd. of Med. Exam’rs,
. The Plaintiffs rely heavily upon Alston v. Countrywide Financial Corp.,
. Again, whether that injury is actionable under FCRA is a different question, one which we are presently assuming (without deciding) has an affirmative answer. See supra note 9.
. Some other courts have interpreted Spokeo in such a manner—most notably the Eighth Circuit. See Braitberg v. Charter Commc’ns, Inc.,
. Justice Thomas’s concurrence also illustrates that Spokeo was merely a restatement of traditional standing principles. In that concurrence, he reiterated that a plaintiff is not required to "assert an actual injury beyond the violation of his personal legal rights to satisfy the ‘injury-in-fact’ requirement." Spokeo,
. Again, it is Congress’s decision to protect personal information from disclosure that "elevates to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law.” Lujan,
. Congress's decision to prohibit unauthorized disclosure of data is something that distinguishes this case from a prior case in which we addressed Article III standing after a data breach. In Reilly v. Ceridian Corp.,
. In this way, the failure to protect data privacy under FCRA is distinguishable from the Fifth Circuit’s recent treatment of a violation of the Employee Retirement Income Security Act (ERISA) as a result of improper "plan management.” Lee v. Verizon Commc’ns, Inc.,
. Horizon has expressed concern that a reporting agency could be inundated with lawsuits for a technical breach of FCRA (such as failing to post a required 1-800 number). But in addition to concreteness, a plaintiff must also allege a particularized injury. Here the Plaintiffs are suing on their own behalf with respect to the disclosure of their personal information. See Beaudry v. TeleCheck Servs., Inc.,
. Our conclusion that it was within Congress’s discretion to elevate the disclosure of private information into a concrete injury is strengthened by the difficulty that would follow from requiring proof of identity theft or some other tangible injury. "[R]equiring Plaintiffs to wait for the threatened harm to materialize in order to sue would pose a standing problem of its own...." In re Adobe Sys., Inc. Privacy Litig.,
. The weight of precedent in our sister circuits is to the same effect. See Sterk v. Redbox Automated Retail, LLC,
. The Plaintiffs also argue that they were injured by systematically overpaying for their Horizon insurance because "Horizon either did not allocate a portion of their premiums to protect their [personal information] or allocated an inadequate portion of the premiums to protect [personal information].” (Opening Br. at 19-20.) Because they have standing under FCRA, we do not reach that purported basis for standing; nor do we address Rindner’s alternative argument for standing based on the fraudulent tax return or his denial of credit.
Concurrence Opinion
concurring in the judgment.
I agree with my colleagues that Plaintiffs have standing, but I reach this conclusion for different reasons. In short, Plaintiffs allege that the theft of the laptops caused a loss of privacy, which is itself an injury in fact. Thus, regardless of whether a violation of a statute itself constitutes an injury in fact, and mindful that under our precedent, a risk of identity theft or fraud is too speculative to constitute an injury in fact, see Reilly v. Ceridian Corp.,
I
As my colleagues have explained, Horizon Healthcare Services provides insurance to individuals in New Jersey. Horizon obtains personally identifiable information (“PII”), including names, dates of birth, and social security numbers, as well as protected health information (“PHI”), such as medical histories and test results, from its insureds. This information is viewed as private and those in possession of it are required to ensure that it is kept secure and used only for proper purposes.
PII and PHI were stored on laptop computers kept at Horizon’s Newark, New Jersey headquarters. In January, November, and December 2008, as well as April and November 2013, laptop computers were stolen. The laptop computers stolen in November 2013 were cable-locked to workstations and password-protected, but the contents, which included the PII/PHI of 839,000 people, were not encrypted.
II
As my colleagues accurately state, there are three elements of Article III standing: (1) injury in fact, or “an invasion of a legally protected interest” that is “concrete and particularized”; (2) traceability, that is a “causal connection between the injury and the conduct complained of”; and (3) redressability, meaning a likelihood “that the injury will be redressed by a favorable decision.” Lujan v. Defs. of Wildlife,
The injury-in-fact element most often determines standing. See Spokeo, Inc. v. Robins, — U.S. —,
As my colleagues eloquently explain, the Spokeo Court identified two approaches for determining whether an intangible injury is sufficient to constitute an injury in fact. Maj. Op. at 637 (citing Spokeo,
The common law has historically recognized torts based upon invasions of privacy and permitted such claims to proceed even in the absence of proof of actual damages. See, e.g., Pichler v. UNITE,
Our Court has embraced the view that an invasion of privacy provides a basis for
III
While I have concluded that Plaintiffs have alleged an injury in fact by asserting that they sustained a loss of privacy, the other grounds that Plaintiffs rely upon are unavailing. Although this is not necessary for my analysis, I offer these observations to help explain the types of “injuries” that are not sufficient to provide standing in the context of data thefts. First, under our precedent, the increased risk of identity theft or fraud due to a data breach, without more, does not establish the kind of imminent or substantial risk required to establish standing. See Reilly,
IV
For these reasons, I concur in the judgment.
. My colleagues infer that these thefts were committed to obtain the PII/PHI. Maj. Op. at 639 n.19. I would not necessarily draw that inference. Plaintiffs do not allege that any of the 839,000 individuals whose information was stored on the laptop computers, or on the laptop computers taken in the earlier thefts, suffered any loss or that their identities were misused. Given the number of laptop computer thefts, and the absence of any allegation of a loss tied to their contents, it is at least equally reasonable to infer that the laptop computers were taken for their hardware, not their contents. I acknowledge, however, that we are to draw a reasonable inference in Plaintiffs’ favor in the context of a facial challenge pursuant to a Rule 12(b)(1) motion. See Petruska v. Gannon Univ.,
. The District Court declined to exercise supplemental jurisdiction over the state law claims.
. My colleagues view In re Google Cookie Placement Consumer Privacy Litigation,
. I also conclude that Plaintiffs have sufficiently alleged that the injury was traceable, in part, to the failure to encrypt the data, and am satisfied that if proven, the injury could be redressable.
. As noted earlier, my colleagues rely on the second approach, finding standing based upon a statutory violation. The alleged statutory violation here, however, creates only an increased risk of future harm. Although Spokeo says that a violation of a statute can provide standing, Spokeo,
. Plaintiffs also assert in a conclusory fashion that, "as a result of the Data Breach,” plaintiff Mitchell Rindner was the victim of identity theft. While Plaintiffs allege that a false tax return was submitted to the Internal Revenue Service bearing Mr. Rindner’s and his wife’s names, and that someone used his credit card, the factual allegations do not show that these events were tied to theft. First, the Amended Complaint does not allege that any of Mrs. Rindner’s PII/PHI was included in the stolen data. Second, there is no allegation that the stolen data contained Mr. Rindner's credit card information. This leads to "[t]he inescapable conclusion ... that [Rindner] has been subjected to another ... data breach involving his financial ... records.” In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig.,
. Plaintiffs identify two cases to support their overpayment theory: Resnick v. AvMed, Inc.,
