3d Cir Decision Holding Plaintiffs Have Standing due to FCRA Violation


This case involves a data breach that arose when two laptop computers containing unencrypted Personally Identifiable Information and Protected Health Information of some 839,000 individuals were stolen from Horizon Blue Cross Blue Shield of New Jersey in November 2013.

When one's personal data is compromised via a cybersecurity breach, does one have standing to sue before he can show identity theft or other adverse consequences? Up to now, some federal courts and the Supreme Court have variously articulated a relatively high barrier to suits such as the present class action. Accordingly, the District Court dismissed the complaint. But plaintiffs persuaded the Third Circuit that the alleged Fair Credit Reporting Act (FCRA) violation provides sufficient standing to sue.

Said the court: "Although it is possible to read the Supreme Court’s decision in Spokeo, [Inc. v. Robins,] as creating a requirement that a plaintiff show a statutory violation has caused a “material risk of harm” before he can bring suit, we do not believe that the Court so intended to change the traditional standard for the establishment of standing." The court found a sufficiently "concrete" injury to have been alleged here.

"So the Plaintiffs here do not allege a mere technical or procedural violation of FCRA. They allege instead the unauthorized dissemination of their own private information – the very injury that FCRA is intended to prevent."

Concurring in the result, Judge Schwartz nevertheless articulated different reasoning. "My colleagues view In re Google Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016), as providing a basis for Plaintiffs to assert that a violation of the FCRA, without any resulting harm, satisfies the injury-in-fact requirement. I do not rely on the possible existence of a statutory violation as the basis for standing, and am not persuaded that these cases support that particular point. I also conclude that Plaintiffs have sufficiently alleged that the injury was traceable, in part, to the failure to encrypt the data, and am satisfied that if proven, the injury could be redressable."


Reference Info: Decision | Federal, 3rd Circuit, New Jersey | United States

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Gerry Elman | Attorney Advertising

Written by: Gerry Elman
