A lawsuit against a New Jersey insurance company sought damages for a November 2013 data breach that reportedly resulted in the theft of personal information of hundreds of thousands of policyholders. The plaintiffs sought to certify the suit as a class action on behalf of other policyholders whose information was compromised. They asserted causes of action for breach of contract, negligence, and violations of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., and the New Jersey Consumer Fraud Act (CFA), N.J. Rev. Stat. § 56:8-1 et seq. In March 2015, however, the district court dismissed the lawsuit, holding that the plaintiffs lacked standing to sue under the FCRA. In re Horizon Healthcare Services Inc. Data Breach Litigation, No. 2:13-cv-07418, opinion (D.N.J., Mar. 31, 2015).
The defendant is a New Jersey-based health insurance company that provides services to about 3.7 million individuals. At some point over the weekend of November 1-3, 2013, an unknown individual stole two laptop computers from the defendant’s office in Newark. The laptops, which were protected by passwords, contained the personal information of over 839,000 policyholders, including names, dates of birth, member numbers, and addresses. The computers also contained Social Security numbers and clinical information for some policyholders.
The defendant issued a press release several days after the theft describing the extent of the data breach. It stated that it was not clear if the thief or thieves would be able to break the password protection to access the information on the laptops. It individually notified the policyholders whose information was contained on the laptops, and it offered free identity theft protection and credit monitoring services to policyholders whose Social Security numbers might have been compromised.
Four policyholders filed suit in federal court in December 2013, asserting common-law claims for negligence and breach of contract, as well as claims under the FCRA and the CFA. Three of the plaintiffs claimed that the data breach harmed them by exposing them to the risk of identity theft and fraud, and by causing them to expend resources on mitigating the data breach’s “actual and potential impact…on their lives.” Horizon, opinion at 2. The fourth plaintiff claimed that the thief or thieves filed a fraudulent tax return in his and his wife’s names and attempted to use his credit card, and argued that the defendant was liable for the resulting damages.
The defendant moved to dismiss the lawsuit for lack of standing. The court agreed and granted the motion. It first found that, since the three plaintiffs did not allege that they had actually become victims of identity theft, they had not alleged economic injury that would give them standing under the FCRA. Their claims that the data breach violated their rights and placed them at imminent risk of future harm also did not confer standing, the court held.
With regard to the fourth plaintiff, the court held that he had not pleaded enough facts to connect his alleged identity theft to the data breach. Whoever filed the fraudulent tax return, the court noted, also had this plaintiff’s wife’s personal information, which no one alleged was on the stolen laptops. With the dismissal of the FCRA claim, the court lost supplemental jurisdiction over the state law and common law claims.
Business attorney Samuel C. Berger represents businesses and business owners in New York and New Jersey. We offer fixed-fee legal-service packages covering a wide range of legal matters. Contact us today online or at (212) 380-8117 to schedule a confidential consultation with a member of our team.