Emory Corporate Governance and Accountability Review

Russian Hackers!: An Analysis of the Third Circuit’s In re Horizon Healthcare Services Inc. Data Breach Litigation Ruling
Adrian Szycowski

Emory University School of Law, J.D. Candidate, 2018; Candidate for the Board, Emory Corporate Governance and Accountability Review; Member, Transactional Law Negotiation Travel Team; Transactional Law Certificate Program; Mentor, SBA Mentorship Program; B.A., summa cum laude, with Honors in Political Science and History, The George Washington University. I would like to thank my family and friends for their continued unwavering support and encouragement throughout my studies. I would also like to specifically thank Tayler Bolton, Sapna Jain, and Forrest Lind III for helping me throughout the drafting process.

“Technology is a useful servant but a dangerous master.”

-Christian Lous Lange [1]

This Perspective examines the aftermath of the United States Court of Appeals for the Third Circuit’s In re Horizon Healthcare Services Inc. Data Breach Litigation ruling.[2] On January 20, 2017, the Third Circuit via Horizon expanded the ability of consumers to pursue class actions against business entities, despite a lack of showing of concrete tangible injury.[3] This raises legal concerns for businesses in the U.S., especially those in the healthcare sector. The aftermath of this ruling could trigger a wave of stricter cyber security as well as open the floodgates to courtrooms. This Perspective aims to briefly analyze the Third Circuit’s ruling, especially regarding the United States Supreme Court’s holding in Spokeo, Inc. v. Robins,[4] in an effort to predict its effect on U.S. businesses and raise related issues.

The underlying case of the Third Circuit’s ruling involves a class action against Horizon Healthcare Services, Inc. (“Horizon”), a major health insurance provider, by several of its customers.[5] The dispute arises from the theft of two unencrypted laptops in 2013 from Horizon’s headquarters.[6] The laptops contained sensitive personal information on more than 839,000 of Horizon’s customers.[7] The personal information contained on those two laptops included names, dates of birth, social security numbers, and addresses of Horizon members as well as their demographic information, medical histories, test and lab results, insurance information and other care-related data.[8] Due to the sensitive nature of this stolen information, several customers brought suit under the Fair Credit Reporting Act (the “FCRA”).[9] The plaintiffs argued that Horizon violated and failed to comply with the FCRA’s requirements to protect consumer privacy, which makes Horizon liable to them as per the language of the statute.[10] Under the Federal Rule of Civil Procedure 12(b)(1),[11] Horizon moved to dismiss the class action for lack of subject matter jurisdiction, i.e. standing.[12] The United States District Court for the District of New Jersey granted Horizon’s motion to dismiss in March 2015, because the information stolen from Horizon had not yet been used to the detriment of Horizon’s customers.[13] However, one of the plaintiffs was a victim of identity theft, which occurred after the theft of the laptops, and he claims it was the result of the theft.[14] The Third Circuit vacated and remanded the case in January 2017.[15]

The Third Circuit based its reasoning on several court decisions. Most notably, the Third Circuit relied on the Supreme Court’s recent holding in Spokeo, which Horizon relied on in opposition to maintain the lower court’s dismissal by highlighting that the plaintiffs had not suffered an economic loss.[16] The Third Circuit interpreted Spokeo to mean that in order to prove an injury-in-fact, there must be concreteness and particularization.[17] Without getting too deep into the three elements for Article III standing, it is important to state that injury-in-fact is one of the three elements to prove standing to bring a claim to court and that the other two elements—a causal connection between the injury and the conduct complained of and that the injury will be redressed by a favorable decision[18]—were not in dispute here.[19] The Third Circuit cited the Supreme Court’s Spokeo decision in rejecting the notion that an injury must be tangible to be concrete.[20] In Spokeo, the Supreme Court cited violations of the right to freedom of speech as examples of concrete intangible injury.[21] The Third Circuit reaffirmed its interpretation of Spokeo that Congress has the power to designate what a legally cognizable injury is.[22] The court also relied on its own decisions in In re Google Inc. Cookie Placement Consumer Privacy Litigation[23] and In re Nickelodeon Consumer Privacy Litigation.[24] In Nickelodeon, the court stated that Spokeo did not alter its holding in Google.[25]
In Google, the court held that “the actual or threatened injury required by Art[icle] III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing,” which established “a clear de facto injury” when “the unlawful disclosure of legally protected information” occurred.[26] Although the Third Circuit relied on its past holdings in support here, this ruling is noteworthy because the Third Circuit’s viewpoint was inconsistent up to this point[27] and the Third Circuit extended its view from the Stored Communications Act[28] and the Video Privacy Protection Act[29] to the consumer data breach class action context. In addition, this ruling is noteworthy for the fact that the plaintiffs were able to classify Horizon as a consumer reporting agency for the purposes of incorporating and tying in the FCRA, a federal statute, to provide them with a legal right and, ipso facto, a valid claim.

The Third Circuit’s Horizon ruling is problematic for businesses in the U.S. because it takes away one of their defenses against class actions resulting from third-party data breaches. The ruling is also problematic because it provides a liberal-esque application of “consumer reporting agency.” Moreover, the Third Circuit is home to many businesses as the judicial circuit encompasses the states of Pennsylvania, New Jersey, and Delaware. According to Delaware’s government website, “more than 50% of all publicly-traded companies in the United States including 64% of the Fortune 500 have chosen Delaware as their legal home.”[30] This ruling is magnified by the ever-increasing prevalence of data breaches. Last year alone, there were a rough total of 1,093 data breaches of U.S. companies and government agencies.[31] However, as Eva Casey Velasquez, chief executive officer of the Identity Theft Resource Center, stated, “This isn’t the worst-case scenario we are looking at; this is the best-case scenario,” since there are undiscovered breaches and ones that go unreported.[32] Most notably and recently, the Democratic National Committee suffered an embarrassing data breach during the 2016 U.S. presidential election.[33] These events have not gone unnoticed as worldwide security-related hardware, software, and services spending rose from $68.2 billion in 2015 to $73.7 billion in 2016.[34]

Although the ruling may appear as a godsend to plaintiffs and their attorneys pursuing data breach class actions against businesses, there are several issues with the ruling that should be highlighted and that expose it to attack either by the court system or the legislative body of the U.S.

First, the Third Circuit cited to Spokeo for the idea that violations of rights are examples of concrete intangible injuries.[35] Here, the Third Circuit opened itself to criticism for equating legal rights from federal statutes to constitutional rights. For obvious reasons, the latter carry greater protection and scrutiny than the former.

Second, since the Third Circuit explicitly empowered Congress to decide what a legally cognizable injury constitutes,[36] it is within reason that Congress may legislate and minimize the effect of this ruling. Congress would be incentivized to do so for several reasons. One of these reasons is that it is unjust to penalize someone for the wrongdoings of another. It might be the case that someone such as Horizon committed nonfeasance by not reaching the minimal standard of protecting a consumer’s sensitive information, which would make the Third Circuit’s ruling just. However, at the same time, it is possible that someone expends all their resources to protect their consumers’ information and still suffers a data breach, which would make it unjust for them to be the source of recovery. In addition, it is doubtful that U.S. businesses, especially those listed as Fortune 500 companies in Pennsylvania, New Jersey, and Delaware, will sit idly by as word spreads of a new way to bring a class action against them.

Third, related to the point above, Congress is more likely to respond in the near future as the Third Circuit’s ruling truly only benefits plaintiffs’ class action attorneys. Since Horizon’s customers did not suffer an economic loss per se, the plaintiffs’ remedies are limited to those listed in 15 U.S. Code § 1681n.[37] The code limits damages to “any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000,” “any amount of punitive damages as the court may allow,” court fees, and attorney’s fees.[38] Given how many individuals these data breaches affect and how difficult it is to draw a causal link between the breach and the identity theft or injury suffered, the plaintiffs’ class action attorneys stand to receive the largest cut of the metaphorical pie.

Fourth, there is ambiguity in the ruling that leads to a moral dilemma questioning whether a data breach such as the one experienced by Horizon should even be actionable in its current state. As of the date of this Perspective, there has been no known direct and proven detrimental use of the stolen information. The concern is, what happens when the information is detrimentally used? If the plaintiffs have already brought their suit and hypothetically received a judgment, are they not precluded from bringing suit later when they actually receive a concrete tangible loss? This last point assumes that those committing the malfeasance are not readily identifiable or caught, which is often the case in these data breaches.

Looking forward, the response to the Third Circuit’s ruling will be interesting. For the reasons listed above, this noteworthy development will not be one that is long-lived. January 20, 2017 marked a victory for those data breach plaintiffs, who previously were not able to get past the FRCP 12(b)(1)[39] motion gatekeeper to gain access to courtrooms.

Footnotes

1. Christian Lange, Nobel Lecture (Dec. 13, 1921), http://www.nobelprize.org/nobel_prizes/peace/laureates/1921/lange-lecture.html (last visited Feb. 12, 2017).

2. 846 F.3d 625 (3d. Cir. 2017).

3. Id. at 629.

4. 136 S.Ct. 1540 (2016).

5. Horizon, 846 F.3d at 629.

6. Id. at 630.

7. Id.

8. Horizon, 846 F.3d at 629.

9. Id.

10. Id.

11. Fed. R. Civ. P. 12(b)(1).

12. Horizon, 846 F.3d at 629.

13. Id.

14. Id. at 630.

15. Id. at 641.

16. Id. at 636–40.

17. Id. at 637.

18. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992).

19. Horizon, 846 F.3d at 629.

20. Id. at 642.

21. Id. at 637.

22. Id.

23. 806 F.3d 125 (3d Cir. 2015).

24. 827 F.3d 262 (3d Cir. 2016).

25. Horizon, 846 F.3d at 638.

26. Id. at 636.

27. Id. at 635.

28. Id.

29. Nickelodeon, 827 F.3d at 267.

30. State of Delaware, http://www.corp.delaware.gov/aboutagency.shtml (last visited Feb. 12, 2017).

31. Olga Kharif, 2016 Was a Record Year for Data Breaches, Bloomberg Tech (Jan. 19, 2017, 7:00 AM), https://www.bloomberg.com/news/articles/2017-01-19/data-breaches-hit-record-in-2016-as-dnc-wendy-s-co-hacked.

32. Id.

33. Eric Lipton et al., The Perfect Weapon: How Russian Cyberpower Invaded the U.S., N.Y. Times (Dec. 13, 2016), https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html.

34. Kharif, supra note 31.

35. Horizon, 846 F.3d at 637.

36. Id.

37. Fair Credit Reporting Act, 15 U.S.C. § 1681n (2008); see Horizon, 846 F.3d at 631–32.

38. Fair Credit Reporting Act, 15 U.S.C. § 1681n (2008).

39. Fed. R. Civ. P. 12(b)(1).
