A health insurer that had laptops with personal information stolen can be sued by participants, even if they have no evidence that the thieves later misused the data, a federal appeals court ruled.
The 3rd U.S. Circuit Court of Appeals’ ruling in the case In re Horizon Healthcare Servs., Inc., Data Breach Litigation, No. 15-2309 (Jan. 20, 2017), illustrates the potential liability exposure for employers and other plan sponsors that do not have strong safeguards in place, such as encryption for laptops with sensitive information.
Two unencrypted laptops were stolen from Horizon Healthcare Services, Inc., in 2013. They contained protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA), as well as other personal identifying information (PII) such as Social Security numbers.
Four Horizon members filed a class action on behalf of themselves and the more than 800,000 other customers whose personal information was stored on those laptops. They alleged willful and negligent violations of the Fair Credit Reporting Act (FCRA; 15 U.S.C. §1681 et seq.) as well as numerous violations of state law. Essentially, they claimed that Horizon inadequately protected their personal information.
The federal district court dismissed the lawsuit, finding that the plaintiffs lacked the requisite legal “standing” to sue. According to this court, they failed to allege a cognizable injury because, although their personal information had been stolen, none of them claimed that it had actually been used to their detriment.
Significance of FCRA
On appeal, however, the 3rd Circuit found that a FCRA violation itself constituted an injury sufficient to confer standing. “Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury,” the court ruled.
FCRA requires “consumer reporting agencies” to have reasonable procedures for safeguarding the confidentiality of credit, personnel, and insurance information. “The Plaintiffs assert that Horizon is a consumer reporting agency and that it violated FCRA in several respects,” the court noted—both by lacking adequate safeguards and by violating the law’s restrictions on “furnishing” personal data.
To establish standing to sue, a plaintiff generally must show that the defendant’s conduct caused him or her an “injury in fact.” Most data breach lawsuits to date have been dismissed by courts on the basis that the mere loss or theft of personal data was not such an injury, unless it was later misused for identity theft or other fraudulent purposes.
In this case, however, the plaintiffs claimed that “the violation of their statutory right to have their personal information secured against unauthorized disclosure constitutes, in and of itself, an injury in fact.” And the appellate court agreed.
Circuit Court’s Opinion
The 3rd Circuit acknowledged that past cases have given mixed signals on whether an alleged statutory violation would suffice to confer standing. But two recent 3rd Circuit decisions have shifted the balance, according to the court. “Those cases have been decidedly in favor of allowing individuals to sue to remedy violations of their statutory rights, even without additional injury.”
These cases involved allegations that Google® and Viacom® illegally collected personal information on the Internet. The companies argued that the customers lacked standing to sue because they had not suffered economic loss. But the court ruled that if an injury “affects the plaintiff in a personal and individual way,” no specific showing of harm is required. In particular, “the unlawful disclosure of legally protected information” could constitute a harm in and of itself.
“In light of those two rulings, our path forward in this case is plain,” Judge Kent Jordan wrote for two of the three judges on the panel. “The Plaintiffs here have at least as strong a basis for claiming that they were injured.”
Effect of Spokeo Case
Horizon pointed to the U.S. Supreme Court’s recent decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). A consumer had sued Spokeo under FCRA for publishing inaccurate information about him, and the 9th Circuit found that his personal interest in the handling of his information gave him standing. But the high court overturned this decision, explaining that the injury must be “concrete” as well as “particularized.”
Nonetheless, the 3rd Circuit observed, the Supreme Court stopped short of requiring that an injury be tangible in order to be “concrete.” Instead, the high court left the door open for intangible harms that either: (1) were traditionally regarded by courts as the basis for a lawsuit; or (2) had been elevated to that status by Congress.
“Although it is possible to read the Supreme Court’s decision in Spokeo as creating a requirement that a plaintiff show a statutory violation has caused a ‘material risk of harm’ before he can bring suit,” Jordan wrote, “we do not believe that the Court so intended to change the traditional standard for the establishment of standing.”
The 3rd Circuit thus read Spokeo to reaffirm traditional notions of standing rather than erecting any new barriers. This does not mean that any procedural violation constitutes an “injury in fact,” but the court found it unnecessary to consider these limitations because unauthorized disclosures of information have long been recognized as injurious.
And by enacting FCRA, “Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm,” Jordan wrote.
Since the plaintiffs alleged dissemination of their private information, the very injury that FCRA is intended to prevent, they have alleged an injury in fact sufficient to confer standing, the court concluded.
In a separate opinion, Judge Patty Shwartz reached the same result without relying on FCRA. A loss of privacy is itself an injury that courts have recognized independently of any statute, she explained.
“The intangible harm from the loss of privacy appears to have sufficient historical roots to satisfy the requirement that Plaintiffs have alleged a sufficiently concrete harm for standing purposes,” Shwartz wrote. “While Plaintiffs do not allege that the laptop thieves looked at or used their PII and PHI, Plaintiffs lost their privacy once it got into the hands of those not intended to have it.”
As data breach cases have proliferated, courts have struggled with how to square these situations with traditional notions of liability and harm. But the Horizon case is a sign that courts’ initial reluctance is being worn down by plaintiffs’ attorneys’ ingenuity and persistence.
Now, a finding of “standing” merely opens the courthouse door. The court did not resolve whether FCRA even applied to Horizon, or whether the plaintiffs would be entitled to damages under that or other laws. But the mere prospect of enhanced litigation should remind employers to take precautions such as those the court cited in a footnote:
“In addition to properly securing and monitoring the stolen laptop computers and encrypting Plaintiffs’ and Class Members’ [personal information] on the computers,” Horizon should have—according to the Complaint—conducted periodic risk assessments to identify vulnerabilities, developed information security performance metrics, and taken steps to monitor and secure the room and areas where the laptops were stored.
Group health plans are subject to the detailed data security requirements of HIPAA, which has seen a recent spike in federal enforcement despite the change of administration. Other benefit plans may be subject to the Employee Retirement Income Security Act fiduciary liability for inadequate safeguards. And employers, depending on the situation, could be liable under FCRA, the Americans with Disabilities Act, or a host of state laws.
David A. Slaughter, JD, is a Senior Legal Editor for BLR’s Thompson HR products, focusing on benefits compliance. Before coming to BLR, he served as editor of Thompson Information Services’ (TIS) HIPAA guides, along with other writing and editing duties related to TIS’ HR/benefits offerings. Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar.
Questions? Comments? Contact David at firstname.lastname@example.org for more information on this topic