Third Circuit Moves Toward a Broader View of Standing in FCRA Data-Breach Class Action
Recently, the Third Circuit widened the gates for certain data-breach plaintiffs, holding that alleged violations of the Fair Credit Reporting Act (“FCRA”) constitute injuries-in-fact sufficient for Article III standing. In its opinion in In re Horizon Healthcare Services Inc. Data Breach Litigation,  the Third Circuit clarified the standing requirements for plaintiffs asserting violations of certain federal statutes, and appears to shift the direction of the court’s previous trend. Before now, district courts in the Third Circuit often dismissed data-breach disputes on the basis of Article III standing—that is, many courts, relying on Reilly v. Ceridian Corp., found that plaintiffs did not plead a concrete injury sufficient to seek redress from federal courts absent allegations of harm arising from actual identity theft. 
The In re Horizon decision, however, suggests that the Third Circuit may be moving toward a view of finding standing for certain data-breach incidents that allege violations of certain federal statutes even if the plaintiff does not allege tangible personal harm arising from the data breach. Yet, despite this, and despite the Supreme Court’s ruling in Spokeo, Inc. v. Robins,  the contours of Article III standing in the data-breach context remain subject to debate and are not fully defined. 
Evolving Standing Requirements in the Third Circuit
The dispute in In re Horizon centered on the personal information of health care plan members of Horizon Healthcare Services, Inc.—including their names, address, dates of birth, and social security numbers.  The information was contained on two password-protected laptops that were chain-locked to the employees’ desks but were nevertheless stolen from Horizon’s headquarters.  Four plan members sued Horizon on behalf of 839,000 putative class members, alleging that “Horizon failed to take reasonable and appropriate measures to secure the stolen laptop computers and safeguard and protect Plaintiffs’ and Class Members’ [personal information].” 
The plaintiffs alleged that Horizon was a “consumer reporting agency” subject to FCRA’s privacy provisions, and that Horizon violated those provisions by (1) failing “to adopt reasonable procedures to keep sensitive information confidential,” and (2) furnishing “their information in an unauthorized fashion by allowing it to fall into the hands of thieves.”  In other words, “Horizon's failure to protect [the plaintiffs’] personal information violated the company's responsibility under FCRA to maintain the confidentiality of their personal information.”  Only one of the four representative plaintiffs alleged that he actually had suffered identity theft arising from the theft of the laptops. 
In the district court, Horizon filed a Rule 12(b)(1) motion to dismiss, arguing that the plaintiffs lacked standing because they had suffered no concrete injury.  The plaintiffs responded that “the violation of their statutory right to have their personal information secured against unauthorized disclosure constitutes, in and of itself, an injury in fact.”  The district court accepted Horizon’s reasoning and dismissed the case. 
On appeal, the Third Circuit reversed, ruling that the plaintiffs, by alleging an unauthorized transfer of personal identifying information in violation of FCRA, had established a sufficient de facto injury for standing.  The court reasoned that “the unlawful disclosure of legally protected information constitute[s] a clear de facto injury,” even if that information was not improperly used,  and that “Congress has long provided plaintiffs with the right to seek redress for unauthorized disclosures of information that, in Congress’s judgment, ought to remain private.” 
Anchoring its decision, the court emphasized that the injury the plaintiffs alleged was not “a mere technical or procedural violation of FCRA.”  Instead, the court found that the plaintiffs alleged the “unauthorized dissemination of their own private information—the very injury that FCRA is intended to prevent.”  Accordingly, “there is thus a de facto injury that satisfies the concreteness requirement for Article III standing.” 
The Third Circuit’s In re Horizon decision is notable in at least three respects.
First, the court’s decision makes clear that disclosure of personal information in violation of FCRA constitutes an injury-in-fact sufficient to create Article III standing even if plaintiffs did not suffer actual harm in the form of identity theft. The court’s decision also makes clear that disclosure of personal information may create standing under other federal statutes in which Congress has expressed an intent to make such an injury redressable. Though the court noted that the “particularization requirement” in the standing framework might work to limit disputes over more “technical breach[es]” of a statute,  it expressly declined to rule on when a data breach may be a mere “technical violation of a procedural requirement.” 
Second, the court interpreted the Supreme Court’s recent standing decision in Spokeo as a narrow one—working only to clarify and reinforce the Supreme Court’s “traditional notions of standing.”  The Supreme Court noted in Spokeo that “not all inaccuracies [in sharing people’s data] cause harm or present any material risk of harm.”  The Third Circuit reasoned that this language speaks only to the Article III “concreteness” requirement, and does not create any additional elements of an injury.  Thus, in the Third Circuit, Spokeo is simply another case in a long line of standing cases affirming the three traditional standing requirements.
Third, the court distinguished its prior guiding precedent, Reilly v. Ceridian Corp., in that the data-breach plaintiffs in that case had not asserted statutory causes of action under FCRA.  The Reilly plaintiffs’ common law claims did not grant them standing because “their risk of harm was too speculative.”  Contrast that with In re Horizon, in which the court relied heavily on the fact that “Congress has elevated the unauthorized disclosure of information into a tort[,] [a]nd so there is nothing speculative about the harm that Plaintiffs allege.”  This distinction, based on statutory versus common law causes of action, will likely be critical in data-breach cases in the Third Circuit.
In re Horizon appears to have shifted the Third Circuit’s prevailing analysis of injuries for standing, at least in the FCRA context and potentially in the context of other federal statutory violations.  This decision seems to narrow the lack-of-standing defense in that type of data-breach case, and potentially in others, when the claims involved arise from certain statutory rights, which may allow more lawsuits past the motion-to-dismiss stage. Still, the Third Circuit’s opinion leaves open what other federal statutes beyond FCRA may recognize data breaches as redressable injuries, and leaves open whether and under what circumstances a mere technical violation of a certain statute could constitute a concrete harm for standing. In any case, the Third Circuit’s statutory standing analysis will likely continue to evolve as the court irons out potential discrepancies between its jurisprudence on this issue and those of other circuits post-Spokeo. 
 See In re: Horizon Healthcare Services Inc. Data Breach Litigation, No. 15-2309, --- F.3d ---, 2017 WL 242554 (3d Cir. Jan. 20, 2017).
 664 F.3d 38 (3d Cir. 2011).
 See Nicholas Ranjan & Syed Ali, Federal Courts in the Third Circuit are Following the National Trend and Dismissing Data Breach Cases for Lack of Standing, K&L Gates (Apr. 24, 2015), http://www.klgates.com/federal-courts-in-the-third-circuit-are-following.... The court in Reilly held that “a security breach that compromised private information held by a payroll processing firm did not cause an injury in fact” when the plaintiffs�� claims were “based solely on the common law.” In re Horizon, 2017 WL 242554, at *11 n. 20.
 136 S. Ct. 1540 (2016). According to the Third Circuit, Spokeo simply reiterates “traditional notions of standing” and “reemphasizes that Congress has the power to define injuries that were previously inadequate in law.” In re Horizon, 2017 WL 242554, at *10.
 By way of background, Article III, section 2, clause 1 of the U.S. Constitution provides that the federal judiciary may hear only cases or controversies arising within its jurisdiction. That phrase—“cases or controversies”—has been interpreted by the Supreme Court to require three things from the plaintiff in order for a court to hear their case: first, the plaintiff must have suffered an “injury-in-fact” that is both “concrete and particularized” and “actual or imminent” (injury); second, there must be a “causal connection between the injury and the conduct complained of” (causality); and third, “it must be likely . . . that the injury will be redressed by a favorable decision” (redressability). See Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). The standing disputes in data-breach cases center primarily around the injury requirement—particularly that the injury must be “concrete.”
 See In re Horizon, 2017 WL 242554, at *2.
 Id. at *3 n.6.
 Id. at *3. The court noted this about FCRA:
FCRA was enacted in 1970 to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy. With respect to consumer privacy, the statute imposes certain requirements on any “consumer reporting agency” that “regularly ... assembl[es] or evaluat[es] consumer credit information ... for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f). Any such agency that either willfully or negligently “fails to comply with any requirement imposed under [FCRA] with respect to any consumer is liable to that consumer.” Id.
Id. (some citations omitted).
 Id. at *4.
 Id. at *6.
 The district court had held that standing requires additional “specific harm,” more than “mere violations of statutory and common law rights.” Id. at *6.
 Id. at *1, *12.
 Id. at *8 (citation omitted).The court relied on In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016), two privacy cases involving standing by way of violations of statutory rights.
 In re Horizon, 2017 WL 242554, at *8.
Id. at *11.
 Id. at *11 n.22.
 Id. at *10 (“In some future case, we may be required to consider the full reach of congressional power to elevate a procedural violation into an injury in fact, but this case does not strain that reach.”).
 See id. at *8-*9.
 136 S.Ct. at 1550.
 In re Horizon, 2017 WL 242554, at *10.
 Id. at *10 n.20.
 For this reason, the Third Circuit may consider granting en banc review and rehearing the case.
 See, e.g., Braitberg v.Charter Commc’ns, Inc., 836 F.3d 925, 930 (8th Cir. 2016) (reasoning that, after Spokeo, plaintiff needed to plead a “material risk of harm” to have standing); Gubala v. Time Warner Cable, Inc., No. 16-2613, --- F.3d ---, 2017 WL 243343 (7th Cir. Jan. 20, 2017).