|
February 10, 2017 - Anyone who has ever tried to sue a company over a data breach knows that the most difficult obstacle they face is to have the court agree that they have "standing" to sue. Simply put, "standing" means that you can prove that you have suffered a tangible injury as a result of the actions of the party you are suing. In the case of data breaches, that normally means that you have suffered a financial loss and that you can prove the loss is as a direct result of the data breach. That's a huge hurdle to overcome and it is one of the primary reasons that many data breach lawsuits fail. But a ruling from the US Third Circuit Court of Appeals may give some consumers a lifeline.
The case against Horizon Healthcare Services concerns a data breach that impacted nearly 840,000 people. The breach occurred when two laptop computers owned by the company were stolen. The data was stored on those computers.
Once the company notified customers that were affected by the breach, some of them decided to sue. One of their claims was that Horizon was acting as a consumer reporting agency as defined in the Fair Credit Reporting Act (FCRA). And among other things, the FCRA requires consumer reporting agencies to protect stored data. It also gives consumers the right to sue for FCRA violations.
The district court in New Jersey, where the case was originally filed, dismissed the case because even though the plaintiffs in the case had undoubtedly had their information stolen, they couldn't prove that they had suffered any financial harm from the theft. In other words, the court said that they didn't have standing to sue.
But the appeals court disagreed and reversed the dismissal. The court agreed that Horizon was covered by the FCRA and that as such, the plaintiffs had the right to sue as a result of their information being disseminated without their permission.
The decision only applies to companies that are covered by the FCRA, so data breaches by retailers and many other companies won't be impacted by it. And at present, it only applies in states that are covered by the Third Circuit; New Jersey, Pennsylvania and Delaware. But it is an important finding for two reasons. First, the types of companies that are impacted by the ruling typically maintain large customer databases with highly confidential information in them. Because of this, they are often targeted by hackers and data thieves. This ruling means that these organizations are now on notice that it could be far more costly to experience a data breach than they had previously anticipated.
Secondly, it is likely that that the other federal court circuits will look at this ruling when evaluating similar cases. If those circuits adopt the same logic, the same rights to sue could eventually be available nationwide.
byJim Malmberg
Note: When posting a comment, please sign-in first if you want a response. If you are not registered, click here. Registration is easy and free.
Follow me on Twitter:
|
Identity Theft 
