IN RE HORIZON HEALTHCARE SERVICES INC. DATA BREACH LITIGATION, No. 2:2013cv07418 - Document 157 (D.N.J. 2021)
Court Description: OPINION. Signed by Judge Claire C. Cecchi on 12/21/2021. (ld, )
Download PDF
<![CDATA[
IN RE HORIZON HEALTHCARE SERVICES INC. DATA BREACH LITIGATION Doc. 157 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 1 of 14 PageID: 2176 NOT FOR PUBLICATION UNITED STATES DISTRICT COURT DISTRICT OF NEW JERSEY IN RE HORIZON HEALTHCARE SERVICES INC. DATA BREACH LITIGATION Civil Action No.: 2:13-cv-07418 OPINION CECCHI, District Judge. This matter comes before the Court on the motion of Defendant Horizon Healthcare Services, Inc. (“Defendant”) to dismiss the amended putative class complaint (the “Amended Complaint”) of Plaintiffs Mark Meisel, Karen Pekelney, and Mitchell Rindner 1 (“Plaintiffs”). ECF No. 40. The Court held oral argument in this matter. ECF No. 100 (“Tr.”). For the reasons set forth below, Defendant’s motion to dismiss is granted. I. BACKGROUND Defendant is a New Jersey-based company that provides health insurance products and services to approximately 3.7 million members. ECF No. 36 (“Am. Compl.”) ¶¶ 11–12. In its normal course of business, Defendant maintains its members’ personal and medical information, including names, birth dates, Social Security numbers, addresses, medical histories, and insurance information. Id. ¶ 1. During the weekend of November 1–3, 2013, an unknown thief stole two password-protected laptop computers—containing information of more than 839,000 members— from Defendant’s headquarters in Newark, New Jersey. Id. ¶¶ 2, 32, 37. Defendant reported the incident to the Newark Police Department on November 4, 2013 and began an investigation into the amount and type of information stored on the stolen laptops. Id. ¶ 37. On December 6, 2013, Defendant notified potentially affected members of the theft via letter and press release. Id. The press release stated that “the laptops may have contained files with differing amounts of member 1 Plaintiff Courtney Diana voluntarily dismissed her individual claims in July 2017. ECF No. 94. Dockets.Justia.com Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 2 of 14 PageID: 2177 information, including name and demographic information (e.g., address, member identification number, date of birth), and in some instances, a Social Security number and/or limited clinical information.” Id. As a result of the breach, Defendant offered potentially affected members “one year of credit monitoring and identity theft protection services through Experian’s ProtectMyId Alert.” Id. ¶ 62. On December 11, 2013, Plaintiffs filed a putative class action complaint on behalf of themselves and all others similarly situated (ECF No. 1), which was later amended on June 27, 2014. Am. Compl. ¶ 4. In the Amended Complaint, Plaintiffs asserted federal causes of action under the Fair Credit Reporting Act (“FCRA”) and several state law causes of action. Id. ¶¶ 76– 170. Thereafter, Defendant moved to dismiss Plaintiffs’ Amended Complaint for lack of standing. ECF No. 40. On March 31, 2015, the Court granted Defendant’s motion to dismiss Plaintiffs’ Amended Complaint without prejudice, finding that Plaintiffs lacked Article III standing to bring their federal claims. ECF Nos. 47, 48. In lieu of filing an amended pleading, Plaintiffs asked the Court to enter a final judgement, and subsequently filed a notice of appeal on May 21, 2015. ECF No. 51. On January 20, 2017, the Third Circuit, reviewing this Court’s March 31, 2015 Opinion and Order, observed that “a pair of recent cases touching upon this question” were rendered after this Court’s March Opinion and that its “pronouncements in this area have not been entirely consistent.” ECF No. 55-1 at 19. Accordingly, the Third Circuit vacated this Court’s Opinion and Order, finding that standing existed, and remanded for further proceedings on the merits, which had not yet been addressed by the District Court. Id. at 32. On April 17, 2017, the Court entered a consent order establishing a briefing schedule for revised memoranda of law regarding Defendant’s motion to dismiss. ECF No. 68. The Court held oral argument. ECF No. 100. The parties thereafter filed several 2 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 3 of 14 PageID: 2178 submissions (ECF Nos. 70, 75, 78), including Defendant’s Notice of Supplemental Authority, on January 31, 2019 (ECF No. 125) and Plaintiffs’ response, on February 20, 2019 (ECF No. 128). The Court has duly considered all submissions. All efforts at mediation have been unsuccessful. See, e.g., ECF No. 95. II. LEGAL STANDARD To survive dismissal pursuant to Federal Rule of Civil Procedure 12(b)(6), a complaint “must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). In evaluating the sufficiency of a complaint, the Court accepts all well-pleaded factual allegations in the complaint as true and draws all reasonable inferences in favor of the nonmoving party. See Phillips v. Cty. of Allegheny, 515 F.3d 224, 234 (3d Cir. 2008). “Factual allegations must be enough to raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555. “A pleading that offers ‘labels and conclusions . . . will not do.’ Nor does a complaint suffice if it tenders ‘naked assertion[s]’ devoid of ‘further factual enhancement.’” Iqbal, 556 U.S. at 678 (citations omitted). Additionally, “the tenet that a court must accept as true all of the allegations contained in a complaint is inapplicable to legal conclusions. Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Id. III. DISCUSSION A. Fair Credit Reporting Act Preliminarily, the Court notes that the Third Circuit, in its opinion vacating this Court’s March 31, 2015 Opinion and Order, did not pass judgment on the merits of Plaintiffs’ FCRA 3 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 4 of 14 PageID: 2179 claims as it assumed, only for the purposes of the standing inquiry, that FCRA was violated. 2 Accordingly, the question of whether Defendant is subject to liability under FCRA is properly before this Court. Plaintiffs allege that Defendant willfully (Count I) and negligently (Count II) violated FCRA by failing to adopt and maintain reasonable procedures to protect the confidentiality and proper utilization of Plaintiffs’ personal and insurance information. Am. Compl. ¶¶ 76–102. Defendant moves to dismiss Plaintiffs’ FCRA claims on the grounds that (1) Defendant is not subject to liability under FCRA because it not a consumer reporting agency and (2) even if it were, Defendant did not furnish or disclose information in violation of FCRA. ECF No. 70 (“Def. Br.”) at 7–18. The Court addresses each argument in turn. 1. Consumer Reporting Agency First, Defendant argues that it is “not a ‘consumer reporting agency’ subject to FCRA liability” because, as the Amended Complaint notes, it is a health insurance company. Id. at 9; Tr. at 10:8–11, 35:20–36:16. As this Court has previously stated: The purpose of FCRA [i]s to “require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.” Crisafulli v. Amertias Life Ins. Corp., No. 13-5937, 2015 WL 1969176, at *6 (D.N.J. Apr. 30, 2015) (quoting 15 U.S.C. § 1681(b)). Plaintiffs are attempting to bring FCRA claims against 2 See ECF No. 55-1 at 13–14 n.9 (“In its 12(b)(6) motion, which is not before us, [Defendant] questions whether it is bound by FCRA. . . . Because we are faced solely with an attack on standing, we do not pass judgment on the merits of those questions. Our decision should not be read as expanding a claimant’s rights under FCRA. Rather, we assume for purposes of this appeal that FCRA was violated, as alleged, and analyze standing with that assumption in mind.”); see also id. at 22 n.16 (“Again, whether [Plaintiffs’] injur[ies are] actionable under FCRA is a different question, one which we are presently assuming (without deciding) has an affirmative answer.”)). 4 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 5 of 14 PageID: 2180 Defendant on the basis that it is a consumer reporting agency. See id. (“FCRA imposes duties on two types of entities,” including “consumer reporting agencies[.]”). “Thus, to successfully state a claim for a willful or negligent violation of FCRA, Plaintiff[s] must first sufficiently plead that Defendant is a ‘consumer reporting agency.’” Dolmage v. Combined Ins. Co. of Am., No. 14-3809, 2015 WL 292947, at *3 (N.D. Ill. Jan. 21, 2015). 3 Plaintiffs have failed to do so. A consumer reporting agency is defined as “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f). 4 “Although ‘furnish’ is not defined in FCRA, courts generally use the term to describe the active transmission of information to a third-party rather than a failure to safeguard the data.” Dolmage, 2015 WL 292947, at *3. Plaintiffs argue that Defendant is a CRA because: On a cooperative nonprofit basis or for monetary fees, Defendant regularly assembles consumer information including, among other things, insurance policy information, such as names, dates of birth, and Social Security Numbers of those insured; claims information, such as the date of loss, type of loss, and amount paid for claims submitted by an insured; and a description of insured items. Defendant also regularly utilizes interstate commerce to furnish such information on consumers (consumer reports) to third parties. 3 Although FCRA contains provisions that create certain requirements and prohibitions applicable to persons or entities other than consumer reporting agencies (such as users of consumer reports and furnishers of information to consumer reporting agencies), the Complaint proceeds on the basis that Defendant is a consumer reporting agency. See Am. Compl. ¶ 80; ECF 41 at 29 (Plaintiffs argue that “FCRA applies to [Defendant] because [Defendant] is a consumer reporting agency under the statute.”) (citing 15 U.S.C. § 1681a(f)). 4 “Person” is broadly defined under FCRA as “any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.” 15 U.S.C. § 1681a(b). “Consumer” is defined simply as “an individual.” Id. at § 1681a(c). There is no question that Defendant is a “person” or that Plaintiffs qualify as “individual[s]” under FCRA. 5 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 6 of 14 PageID: 2181 Am. Compl. ¶ 80. In Dolmage v. Combined Insurance Company of America, the Northern District of Illinois evaluated almost identical allegations 5 against an insurance provider and held that the defendant was not a consumer reporting agency because: (1) the plaintiff did not allege “that Defendant collects personal information on consumers for the purpose of furnishing consumer reports to third parties” and; (2) her other allegations “support[ed] Defendant’s contention that it is an ‘insurance provider’ that collects personal information on consumers for the purpose of providing them with insurance coverage.” 2015 WL 292947, at *3 (emphasis in original). Accordingly, the court held that the plaintiff failed to state a claim upon which relief may be granted under FCRA. Id. at *3-4. Similarly, here, Plaintiffs have failed to allege that Defendant assembles consumer information for the purpose of furnishing consumer reports, and their contentions actually substantiate Defendant’s averment that it is a health insurance company that collects its consumers’ information for the purpose of providing health insurance coverage and administering health benefits plans. See Am. Compl. ¶ 11 (“[Defendant] is a health insurance company with approximately 3.7 million members.”), ¶ 12 (“[Defendant] provides health insurance products and services to individuals and employers in New Jersey.”). Thus, as in Dolmage, the Court finds that Plaintiffs in this matter have failed to sufficiently allege that Defendant is a consumer reporting agency under FCRA. 5 The plaintiff in Dolmage alleged that “[d]efendant, on a cooperative nonprofit basis and/or for monetary fees, ‘regularly assembles consumer information including, among other things, insurance policy information, such as names, dates of birth, and Social Security numbers of those insured; claims information, such as the date of loss, type of loss, and amount paid for claims submitted by an insured; and a description of insured items.’ Plaintiff further allege[d] that [d]efendant ‘regularly utilizes interstate commerce to furnish such information[] on consumers (consumer reports) to third parties, including the Medical Information Bureau.’” 2015 WL 292947, at *3 (citations omitted). 6 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 7 of 14 PageID: 2182 In addition, Plaintiffs have failed to sufficiently allege that Defendant actually furnishes consumer reports to third parties. While Plaintiffs make the conclusory allegation that Defendant “furnish[es] . . . consumer reports[] to third parties,” (Am. Compl. ¶ 80) they have not identified any such reports or alleged sufficient facts to allow the Court to infer that Defendant transmits consumer reports. See Iqbal, 556 U.S. at 678 (“Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice” to survive Rule 12(b)(6) dismissal). A consumer report is defined as any communication of information by a consumer reporting agency “which is used or expected to be used . . . for the purpose of serving as a factor in establishing the consumer’s eligibility for” credit, insurance, or employment purposes. 15 U.S.C. § 1681a(d)(1). That is, to qualify as a consumer report, the transmitted information must be used or expected to be used by a third party to make credit, insurance, or employment determinations. Adams v. LexisNexis Risk & Info. Analytics Grp., Inc., No. 08-4708, 2010 WL 1931135, at *7 (D.N.J. May 12, 2012) (when determining whether information qualifies as a consumer report, courts evaluate “both the ‘purpose’ for which the information contained in the report was ‘used or expected to be used or collected,’ as well as how a third party actually used the information”) (collecting cases) (emphasis added). Here, Plaintiffs assert that Defendant collected information, which was intended and expected to be used by Defendant to make internal insurance determinations about its customers. Am. Compl. ¶ 16. Plaintiffs do not contend that Defendant shared any information with third parties to help those third parties make credit, insurance, or employment determinations, but rather that Defendant assembled and shared information to inform its own insurance determinations. See Am. Compl. ¶¶ 15–19, 80–81; see also Tr. 30:3–7 (when Defendant was asked “[w]ho makes . . . eligibility determinations here,” 7 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 8 of 14 PageID: 2183 Defendant responded, “Horizon solely”). These actions do not render Defendant a consumer reporting agency. See 15 U.S.C. § 1681a(d), (f); Adams, 2010 WL 1931135, at *7. In their supplemental briefing, Plaintiffs argue that Defendant, when answering a complaint in another data breach matter, “admitted to transmitting certain of its insureds’ [personal information] to other insurance companies for insurance purposes.” ECF No. 75 at 12 (citing ECF No. 75-6 at 28–30; see also Tr. 22:25-26:22. The answer cited in support of Plaintiffs’ allegation indicates that Defendant participates in a “BlueCard Program,” which “enables their members traveling away from home or living in another Blue Cross and Blue Shield (BCBS) Plan area to receive health care services through a claims processing network of BlueCard-participating, independent Blue Plans.” ECF No. 75-6 at 28–30; see also Tr. 26:8–27:17 (Defendant explains that, “when you’re a Horizon customer and you travel to some other place, another ‘Blue’ plan may process your payments for insurance for which you were eligible because Horizon made a determination that you were eligible for insurance. Another ‘Blue’ plan just acts as a processor . . .”). Plaintiffs argue that Defendant’s representation “firmly demonstrate[s] that [Defendant] collected consumer information with the intent of providing consumer reports to third parties.” ECF No. 75 at 12. First, the Court notes that it need not consider this assertion because Plaintiffs “raised the issue for the first time in their brief in opposition to [Defendant’s] motion [to dismiss.]” Aldinger v. Spectrum Control, Inc., 207 F. App’x 177, 181 n.1 (3d Cir. 2006); see D’Amelio v. Indep. Healthcom Strategies Grp., Inc., No. 16-3055, 2016 WL 6909102, at *2 (D.N.J. Nov. 22, 2016) (“[T]he Court cannot consider . . . allegations where they appear in Plaintiff’s briefing and not in [the] Complaint.”). Second, even if the Court were to consider it, this allegation does not indicate that Defendant sent consumer reports to third parties. Rather, the statements indicate that, after Defendant determines a consumer is eligible for insurance, a third- 8 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 9 of 14 PageID: 2184 party sometimes processes the consumer’s claims through the BlueCard Program. Because Defendant has already determined that the individual is eligible for insurance, the information that it sends to a third party for claims processing is not a consumer report because it is not being sent “. . . for the purpose of serving as a factor in establishing the consumer’s eligibility for . . . insurance.” 15 U.S.C. § 1681a(d)(1); see Houghton v. NJ Manufacturers Ins. Co., 795 F.2d 1144, 1148 (3d Cir. 1986) (finding that, where defendant was requesting a report for claims processing purposes, the defendant was not requesting an investigative consumer report under FCRA). Moreover, Plaintiffs have failed to allege that Defendant receives compensation in exchange for assembling consumer information, which also precludes the Court from finding that Defendant is a consumer reporting agency. See 15 U.S.C. § 1681a(f) (defining a consumer reporting agency as “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.”); Kidd v. Thomson Reuters Corp., 925 F.3d 99, 101 (2d Cir. 2019) (characterizing consumer reporting agencies as entities that “sell consumer reports to lenders, credit card companies, insurers, and employers for credit, insurance and employment decisions”). In Tierney v. Advocate Health & Hospitals Corporation, the Seventh Circuit found that the defendant hospital network was not a consumer reporting agency because, despite collecting and sharing personal consumer information with third party insurance companies and government agencies in order to get paid, the defendant was not “receiv[ing] fees in exchange for compiling and transmitting patient information.” 797 F.3d 449, 452 (7th Cir. 2015). Rather, the defendant hospital network was receiving compensation “for health care services that its physicians have rendered.” Id. As in Tierney, here, the allegations in the complaint do not demonstrate that 9 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 10 of 14 PageID: 2185 Defendant receives compensation from third parties in exchange for compiling and transmitting its members’ information. Instead, Plaintiffs allege that Defendant receives premiums from its members for its provision of health insurance. Am. Compl. ¶ 128. Plaintiffs have failed to plead sufficient facts to show that Defendant Horizon receives any monetary compensation for furnishing consumer information, as required of consumer reporting agencies under FCRA. Based on the foregoing, the Court finds that Plaintiffs have not sufficiently pleaded that Defendant, an insurance company, is a consumer reporting agency under FCRA. See Tierney, 797 F.3d at 452; Dolmage, 2015 WL 292947, at *3; Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871, 882 (N.D. Ill. Mar. 12, 2014) (holding that data security company was not a consumer reporting agency under FCRA where plaintiff did not allege that company assembled consumer credit information for purpose of furnishing consumer reports to third parties); Menefee v. City of Country Club Hills, No. 08-2948, 2008 WL 4696146, at *2–3 (N.D. Ill. Oct. 23, 2008) (finding that defendant was not a consumer reporting agency, despite collecting credit and criminal histories of potential employees, because it was not collecting this information for the purpose of furnishing consumer reports). Plaintiffs have not cited any authority, from this district or elsewhere, wherein a court held otherwise and found that an insurance provider qualifies as a consumer reporting agency under FCRA. See, e.g., Griffin v. Welch, 581 F. App’x 365, 368 (5th Cir. 2014) (finding that an insurance company and its adjuster “indisputably are not consumer reporting agencies” under FCRA). 6 Therefore, Plaintiffs have failed to state a claim under FCRA. 6 Plaintiffs’ cited case law is inapposite. See, e.g., Ori v. Fifth Third Bank, 674 F. Supp. 2d 1095, 1097–98 (E.D. Wis. Dec. 14, 2009) (analyzing definition of “reseller” under 15 U.S.C. § 1681a(u), a different provision than at issue here, to determine that defendant who resold consumer credit information about mortgage applications was a consumer reporting agency); Adams, 2010 WL 1931135, at *5 (finding that defendant who assisted debt collectors with collecting delinquent accounts, by selling reports with economic data about the consumer’s home, assets, and property, 10 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 11 of 14 PageID: 2186 2. Furnishing or Disclosing Information Even if Defendant was a consumer reporting agency, Plaintiffs would still fail to state a claim under FCRA because the allegations in the complaint are insufficient to demonstrate any violation of FCRA. Def. Br. at 16–23. Plaintiffs assert claims under two FCRA provisions: 15 U.S.C. §§ 1681b(g) 7 and 1681e. Am. Compl. ¶¶ 89–91; ECF No. 41 at 23–26. An entity violates these provisions by either improperly disclosing (§ 1681b(g)) or furnishing (§ 1681e) consumer information. Defendant argues that it cannot be found to have disclosed or furnished consumer information because its information was stolen. Def. Br. at 22; ECF No. 60 at 16–23. First, the Court finds that Plaintiffs have not sufficiently pleaded a violation of § 1681b(g) because Defendant did not “disclose” information to the thieves. Section § 1681b(g) prohibits any person that receives medical information for a permissible purpose from “disclos[ing] such information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed.” § 1681b(g)(4). Courts interpreting data privacy laws have held that defendants whose information was stolen did not “disclose” that stolen information. For example, in In re Anthem, Inc. Data Breach Litigation, the court held that a statute prohibiting unlawful disclosure of personal information did not apply to theft of that information because and any liens, judgments, or bankruptcy filings by the consumer, was a consumer reporting agency); Olwell v. Medical Info. Bureau, No. 01-1481, 2003 WL 79035, at *5 (D. Minn. Jan. 7, 2003) (the defendant insurance company was sued as a furnisher of information, not a consumer reporting agency, and other defendant conceded that it was a consumer reporting agency as its business involves collecting information from member insurance companies and providing that information to other life insurance companies for the purpose of preventing fraud). Furthermore, in Rowe v. UniCare Life & Health Ins. Co., although the Court found that the plaintiff stated a FCRA claim against the defendant insurance company, there was no discussion concerning whether the defendant was a consumer reporting agency. No. 09-2286, 2010 WL 86391, at *2–3 (N.D. Ill. Jan. 5, 2010). 7 Plaintiffs argue that Defendant failed to protect medical information in violation of 15 U.S.C. §§ 1681b(g)(4) and 1681b(g)(3)(A). 11 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 12 of 14 PageID: 2187 “disclosure” requires “the information holder [to] commit some affirmative, voluntary act.” 162 F. Supp. 3d 953, 1004 (N.D. Cal. 2016) (finding that insurance company did not disclose data in violation of state data privacy laws when company was hacked by a third party). Similarly, in Fero v. Excellus Health Plan, Inc., the court interpreted two state information privacy statutes and found that theft of personal information did not constitute disclosure under either statute. 236 F. Supp. 3d 735, 783–84 (W.D.N.Y. Feb. 22, 2017). The courts in both cases found the defendants not liable because hackings do not qualify as disclosures of information in violation of the relevant statutes. Id.; In re Anthem, 162 F. Supp. 3d at 1003. Plaintiffs argue that Defendant’s failure to take protective measures, such as data encryption, is “tantamount to disclosure.” ECF No. 75 at 18. However, the only case that they cite in support of this proposition, Tabata v. Charleston Area Med. Ctr., Inc., is inapposite and makes no such finding. 759 S.E.2d 459, 466 (W.V. 2014). There, the defendant itself posted personal and medical information on a “website which was accessible to the public,” and thus, for the purposes of a class certification analysis, the Court described the events giving rise to the claims as a “disclosure.” Id. at 462–67. By contrast, here, Plaintiffs do not allege that Defendant voluntarily revealed data on a publicly available forum, rather, they allege that a third party stole the data. In both Fero and In re Anthem Data Breach Litigation, the plaintiffs similarly alleged that the defendants failed to take adequate protective measures, but the courts nevertheless found that such failures alone did not qualify as disclosures because, as here, there were no “affirmative acts of revealing personal information.” Fero, 236 F. Supp. 3d at 784; see In re Anthem Data Breach Litig., 162 F. Supp. 3d at 1004–07. Therefore, based on the purpose and language of § 1681b(g) and on case law analyzing disclosure in similar statutory schemes, the Court finds that Defendant did not disclose information in violation of FCRA. 12 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 13 of 14 PageID: 2188 Likewise, the Court concludes that Plaintiffs have not alleged facts showing that Defendant “furnished” information to the thieves. Under § 1681e, a consumer reporting agency is liable when it furnishes information to third parties. Courts interpret “furnish” under FCRA to describe the “active transmission of information to a third-party rather than a failure to safeguard the data.” Dolmage, 2015 WL 292947, at * 3. Accordingly, courts have concluded that information stolen from a defendant is not furnished within the meaning of FCRA. Id.; see also In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295, 1312–13 (N.D. Ga. 2019) (finding that defendant did not “furnish” plaintiffs’ consumer reports where it was hacked by a third party, even though plaintiff alleged that defendant’s protective conduct was “egregious”); In re Experian Data Breach Litig., No. 15-1592, 2016 WL 7973595, at *2 (C.D. Cal. Dec. 29, 2016) (dismissing FCRA claim because plaintiff could not allege that credit reports were “furnished” where information was stolen from defendant). Here, Plaintiffs allege that the data at issue was stolen from Defendant, without any voluntary act of furnishing by Defendant. Therefore, the Court finds that the Complaint does not properly allege that Defendant furnished Plaintiffs’ information within the meaning of FCRA. Accordingly, as Plaintiffs have failed to allege a violation of FCRA by Defendant, Defendant’s motion to dismiss Counts I and II of Plaintiffs’ Amended Complaint will be granted. 8 B. Remaining State Law Claims As to Plaintiffs’ remaining state law claims, the Court declines to exercise supplemental jurisdiction at this time. Federal courts have subject matter jurisdiction pursuant to either 28 U.S.C. § 1331 (federal question), or 28 U.S.C. § 1332 (diversity of citizenship). Arbaugh v. Y&H 8 As such, the Court need not consider the parties’ remaining arguments as to Counts I and II of Plaintiffs’ amended complaint. ECF Nos. 70 at 16–23; 75 at 16–19; 78 at 6–8. 13 Case 2:13-cv-07418-CCC-JSA Document 157 Filed 12/21/21 Page 14 of 14 PageID: 2189 Corp., 546 U.S. 500, 513 (2006). “A plaintiff properly invokes § 1331 jurisdiction when she pleads a colorable claim ‘arising under’ the Constitution or laws of the United States.” Id. Here, because Plaintiffs failed to state a cognizable federal claim under FCRA, the Court lacks federal question jurisdiction. To invoke § 1332, Plaintiffs must state “a claim between parties of diverse citizenship that exceeds the required jurisdictional amount, currently $75,000.” Id. According to the allegations, complete diversity does not exist. 9 The Court declines to exercise supplemental jurisdiction pursuant to 28 U.S.C. § 1367(c) over any remaining state-law claims arising in the Amended Complaint. Accordingly, the Court dismisses Plaintiffs’ Amended Complaint in its entirety. IV. CONCLUSION For the reasons set forth above, Defendant’s motion to dismiss (ECF No. 40) is granted and the Amended Complaint (ECF No. 36) is dismissed. To the extent that Plaintiffs are able to cure the pleading deficiencies discussed herein, they may file a second amended complaint within thirty (30) days of the date of this Opinion. An appropriate Order accompanies this Opinion. DATED: December 21, 2021 s/ Claire C. Cecchi CLAIRE C. CECCHI, U.S.D.J. 9 Plaintiffs concede that the amended complaint does not allege diversity jurisdiction but request “permission to replead” diversity jurisdiction. Tr. 64:15–25. The Court grants Plaintiffs’ request to replead facts to support diversity jurisdiction. 14
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
