A few weeks ago, the broad range of companies that may be classified as “consumer reporting agencies” (CRAs) learned that they now face significantly increased data security legal risk through two key developments: a legal decision and a published study.  The legal decision revealed that CRAs can be sued under the Fair Credit Reporting Act (“FCRA”) following data breach incidents by consumers whose data is stolen from the CRAs even if they do not incur any financial losses.  The study revealed that data breach incidents are continuing to increase in number even though financial losses have remained flat due to back-end protections.  Consequently, CRAs that fail to adequately protect consumer data are likely to see an increase in FCRA litigation even as new techniques are introduced to prevent those data breaches from materializing into financial damage to the consumer.

On January 20, the U.S. Court of Appeals for the 3rd Circuit handed down a decision in In re Horizon Healthcare Services Inc Data Breach Litigation establishing that individuals whose personal information is stolen from CRAs have standing to sue the CRAs for damages under FCRA even if none of the information is actually used to the individuals’ financial detriment.  The plaintiffs in this case sued insurance provider Horizon after “two laptop computers containing the unencrypted personal information of the named Plaintiffs and more than 839,000 other Horizon members were stolen from Horizon’s headquarters in Newark, New Jersey.”  In re: Horizon Healthcare Inc. Data Breach Litigation, No. 15-2309, at 6 (3d Cir. Jan. 20, 2017).  Though the plaintiffs did not identify any financial loss from the breach, they argued that Horizon’s insufficient data security practices violated the FCRA.  Specifically, they pointed to Horizon’s practices of storing consumer personal identifying and health information (“PII/PHI”) on “unencrypted laptops, knowing that [Horizon’s] laptops were prone to theft and that laptops had been stolen from its headquarters in the past” and of “failing to implement and maintain reasonable, industry-standard security measures to ensure that Plaintiffs’ and Class Members’ PII/PHI was not accessed for an impermissible purpose.”  Plaintiffs’ Brief in Opposition to Motion to Dismiss, In re: Horizon Healthcare Inc. Data Breach Litigation, 2:13-cv-07418, at 23, 25 (D.N.J. Sept. 22, 2014) (Opposition Brief).

On February 1, Javelin, a research-based consulting firm focused on digital finance, published its 2017 Identity Fraud Study, in which it reported that overall incidents of fraud rose 16% to affect 15.4 million (or 6.15%) U.S. consumers, up from 13.1 million (or 5.30%) in 2015, “the highest on record,” while total losses remained stable from the two prior years at $16 billion and far short of the $22 billion in 2012.  The firm described opportunities for point-of-sale fraud as “closing” due to the use of chip cards, and explained that this trend has increasingly driven fraud online and into the “new-account” space.

In light of these developments, a variety of companies will need to reassess (1) whether they are engaging in activity that exposes them to potential FCRA liability and (2) if so, whether they are doing enough to protect consumer data in compliance with the law.  The answers to these questions are not always obvious, but more insight on both may soon be provided by the District Court of New Jersey in the Horizon case.

Question 1: Is my company a “consumer reporting agency”?

A company is exposed to FCRA liability if it meets the definition of a “consumer reporting agency,” which may include a number of companies that do not think of themselves as such.  The term is broadly defined to include “any person” that “by any means” furnishes “any written, oral, or other communication of any information . . . bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living” for a variety of enumerated purposes.  15 U.S.C. § 1681a(d), (f).

According to the Horizon Healthcare Plaintiffs’ brief opposing the motion to dismiss before the District Court of New Jersey, the definition “applies to many types of entities, including national credit bureaus, banks, data aggregators, systems used for law enforcement, check authorization services, and insurance providers.”  Opposition Brief at 20.  The Defendant disagreed with this assessment, but the District Court has yet to weigh in.  It had previously dismissed the case solely on the grounds that the plaintiffs lacked standing to sue, but now that the Third Circuit has reversed that decision, the issue may be addressed on remand.

Question 2: What data security measures must consumer reporting agencies undertake to avoid or minimize liability?

The FCRA is intended to “require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.”  15 U.S.C. § 1681(b).  A Federal Trade Commission study proposed that such procedures may include systems for “monitoring access to its database of consumer reports,” systems to “monitor anomalies and other suspicious activity to guard against unauthorized access,” and the “installation and use of appropriate computer hardware and software.”  Fed. Trade Comm’n, 40 Years of Experience with the Fair Credit Reporting Act at 66 (July 2011).

Assuming the New Jersey District Court agrees with the plaintiffs and finds Horizon to be a consumer reporting agency, it will then analyze the measures that Horizon undertook to protect the PII/PHI that it possessed and whether those measures complied with FCRA.  If the court finds that Horizon “negligently” failed to comply, Horizon’s liability will be limited to actual damages—which in this case may be zero—plus costs and reasonable attorney’s fees.  15 U.S.C. § 1681o.  However, if the court finds that Horizon “willfully” failed to comply, plaintiffs may find themselves entitled to punitive damages as allowed by the court.  15 U.S.C. § 1681n.  With the enhanced risk of data breach litigation under FCRA even when there are no actual damages, these findings may play an important role in shaping the market for data security moving forward.