your passport to all things web
Disclosure of Information Even Without Damages Creates Injury
This is a case we are following very closely. If it succeeds, it will change the security landscape significantly and may end up redefining what a security breach actually is.
Justia provides a summary of an opinion issued by the Court of Appeals for the Third Circuit that revives a potential class action lawsuit against a New Jersey health insurer.
Horizon Healthcare Inc. Data Breach Litigation, No. 15-2309 (3d Cir. 2017)
“Horizon Blue Cross Blue Shield provides health insurance products and services to approximately 3.7 million members. Two laptop computers, containing sensitive personal information about members, were stolen from Horizon. Four plaintiffs filed suit on behalf of themselves and other Horizon customers whose personal information was stored on those laptops, alleging willful and negligent violations of the Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681, and numerous violations of state law. The district court dismissed the suit for lack of Article III standing. According to the court, none of the plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment. The Third Circuit vacated. In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.”