The United States Court of Appeals for the Third Circuit recently ruled that a data breach class action may proceed on the basis of a Fair Credit Reporting Act (FCRA) violation alone, even where the putative class members do not allege that they were actually harmed by the breach. The ruling, which both relies on and distinguishes the Supreme Court’s recent analysis of FCRA standing in Spokeo v. Robins, suggests that at least in the Third Circuit, “injury” from a data breach may be presumed from the fact of the breach itself. This, in turn, could have the effect of expanding potential liability for any consumer-facing entity that suffers a breach.
The case, In re: Horizon Healthcare Services Inc. Data Breach Litigation (PDF: 486 KB), stems from a theft of two laptop computers in November 2013 from Horizon, a New Jersey health insurer with over 3.7 million members. Continue reading