In Re Horizon Healthcare Services Inc. Data Breach Litigation

*629OPINION

The dispute at the bottom of this putative class action began when two laptops, containing sensitive personal information, were stolen from health insurer Horizon Healthcare Services, Inc. The four named Plaintiffs filed suit on behalf of themselves and other Horizon customers whose personal information was stored on those laptops. They allege willful and negligent violations of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681, et seq., as well as numerous violations of state law. Essentially, they say that Horizon inadequately protected their personal information. The District Court dismissed the suit under Federal Rule of Civil Procedure 12(b)(1) for lack of Article III standing. According to the Court, none of the Plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment.

We will vacate and remand. In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged diselo-sure of their personal information created a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Rule 12(b)(1).

I. Backgkound

A. Factual Background1

Horizon Healthcare Services, Inc., d/b/a Horizon Blue Cross Blue Shield of New Jersey (“Horizon”) is a New Jersey-based company that provides health insurance products and services to approximately 3.7 million members. In the regular course of its business, Horizon collects and maintains personally identifiable information (e.g., names, dates of birth, social security numbers, and addresses) and protected health information (e.g., demographic information, medical histories, test and lab results, insurance information, and other care-related data) on its customers and potential customers. The named Plaintiffs—Courtney Diana, Mark Meisel, Karen Pekelney, and Mitchell Rindner2—and other class members are or were participants in, or as Horizon puts it, members of Horizon insurance plans. They entrusted Horizon with their personal information.3

Horizon’s privacy policy states that the company “maintain[s] appropriate administrative, technical and physical safeguards *630to reasonably protect [members’] Private Information.” (App. at 29.) The policy also provides that, any time Horizon relies on a third party to perform a business service using personal information, it requires the third party to “safeguard [members’] Private Information” and “agree to use it only as required to perform its functions for [Horizon] and as otherwise permitted by ... contract and the law.” (App. at 29.) Through the policy, Horizon pledges to “notify [members of its insurance plans] without unreasonable delay” of any breach of privacy. (App. at 29.)

During the weekend of November 1st to 3rd, 2013, two laptop computers containing the unencrypted personal information of the named Plaintiffs and more than 839,-000 other Horizon members were stolen from Horizon’s headquarters in Newark, New Jersey. The Complaint alleges that “[t]he facts surrounding the Data Breach demonstrate that the stolen laptop computers were targeted due to the storage of Plaintiffs’ and Class Members’ highly sensitive and private [personal information] on them.” (App. at 32.) Horizon discovered the theft the following Monday, and notified the Newark Police Department that day. It alerted potentially affected members by letter and a press release a month later, on December 6. The press release concerning the incident noted that the computers “may have contained files with differing amounts of member information, including name and demographic information (e.g., address, member identification number, date of birth), and in some instances, a Social Security number and/or limited clinical information.” (App. at 33.)

Horizon offered one year of credit monitoring and identity theft protection services to those affected, which the Plaintiffs allege was inadequate to remedy the effects of the data breach. At a January 2014 New Jersey Senate hearing, “Horizon confirmed that it had not encrypted all of its computers that contained [personal information].” (App. at 35.) Thereafter, “Horizon allegedly established safeguards to prevent a similar incident in the future— including tougher policies and stronger encryption processes that could have been implemented prior to the Data Breach and prevented it.” (App. at 35.)

Some personal history about the named Plaintiffs is included in the Complaint. Diana, Meisel, and Pekelney are all citizens and residents of New Jersey who were Horizon members who received letters from Horizon indicating that their personal information was on the stolen laptops. The Complaint does not include any allegation that their identities were stolen as a result of the data breach. Plaintiff Rindner is a citizen and resident of New York. He was a Horizon member but was not initially notified of the data breach. After Rindner contacted Horizon in February 2014, the company confirmed that his personal information was on the stolen computers. The Plaintiffs allege that, “[a]s a result of the Data Breach, a thief or thieves submitted to the [IRS] a fraudulent Income Tax Return for 2013 in Rindner’s and his wife’s names and stole their 2013 income tax refund.” (App. at 27.) Rindner eventually did receive the refund, but “spent time working with the IRS and law enforcement ... to remedy the effects” of the fraud, “incurred other out-of-pocket expenses to remedy the identity theft[,]” and was “damaged financially by the related delay in receiving his tax refund.” (App. at 27, 41.) After that fraudulent tax return, someone also fraudulently attempted to use Rindner’s credit card number in an online transaction. Rindner was also “recently denied retail credit because his social security number has been associated with identity theft.” (App. at 27.)

*631B. Procedural Background

The Plaintiffs filed suit on June 27, 2014. Count I of the Complaint claims that Horizon committed a willful violation of FCRA; Count II alleges a negligent violation of FCRA; and the remaining counts allege various violations of state law.4 FCRA was enacted in 1970 “to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47, 52, 127 S.Ct. 2201, 167 L.Ed.2d 1045 (2007). With respect to consumer privacy, the statute imposes certain requirements on any “consumer reporting agency’ that “regularly ... assembles] or evaluates] consumer credit information ... for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f). Any such agency that either willfully or negligently “fails to comply with any requirement imposed under [FCRA] with respect to any consumer is liable to that consumer.” Id. §§ 1681n(a) (willful violations); 1681o(a) (negligent violations).

In their Complaint, the Plaintiffs assert that Horizon is a consumer reporting agency and that it violated FCRA in several respects. They say that Horizon “furnish[ed]” their information in an unauthorized fashion by allowing it to fall into the hands of thieves. (App. at 48.) They also allege that Horizon fell short of its FCRA responsibility to adopt reasonable procedures5 to keep sensitive information confidential.6 According to the Plaintiffs, Horizon’s failure to protect their personal information violated the company’s responsibility under FCRA to maintain the confidentiality of their personal information.7

*632The Plaintiffs seek statutory,8 actual, and punitive damages, an injunction to prevent Horizon from continuing to store personal information in an unencrypted manner, reimbursement for ascertainable losses, pre- and post-judgment interest, attorneys’ fees and costs, and “such other and further relief as this Court may deem just and proper.” (App. at 64.)

Horizon moved to dismiss the Complaint for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim upon which relief can be granted under Rule 12(b)(6). The District Court granted dismissal under Rule 12(b)(1), ruling that the Plaintiffs lack Article III standing. The Court concluded that, even taking the Plaintiffs’ allegations as true, they did not have standing because they had not suffered a cognizable injury. Because the Court granted Horizon’s Rule 12(b)(1) motion, it did not address Horizon’s Rule 12(b)(6) arguments and declined to exercise supplemental jurisdiction over the remaining state law claims.

The Plaintiffs filed this timely appeal.

II. Discussion

A. Jurisdiction and Standard of Review

The District Court exercised jurisdiction over the Plaintiffs’ FCRA claims pursuant to 28 U.S.C. § 1331, though it ultimately concluded that it did not have jurisdiction due to the lack of standing. Having decided that the Plaintiffs did not have standing under FCRA, the District Court also concluded that it “lackfed] discretion to retain supplemental jurisdiction over the state law claims” under 28 U.S.C. § 1367. (App. at 23 (citation omitted).) See Storino v. Borough of Pleasant Beach, 322 F.3d 293, 299 (3d Cir. 2003) (holding that “because the [plaintiffs] lack standing, the District Court lacked original jurisdiction over the federal claim, and it therefore could not exercise supplemental jurisdiction”). We exercise appellate jurisdiction pursuant to 28 U.S.C. § 1291.

Our review of the District Court’s dismissal of a complaint pursuant to Federal Rule of Civil Procedure 12(b)(1) is de novo. United States ex rel. Atkinson v. Pa. Shipbuilding Co., 473 F.3d 506, 514 (3d Cir. 2007). Two types of challenges can be made under Rule 12(b)(1)—“either a facial or a factual attack.” Davis v. Wells Fargo, 824 F.3d 333, 346 (3d Cir. 2016). That distinction is significant because, among other things, it determines whether we accept as true the non-moving party’s facts as alleged in its pleadings. Id. (noting that with a factual challenge, “[n]o presumptive truthfulness attaches to [the] plaintiffs allegations.... ” (internal quotation marks omitted) (second alteration in original)). Here, the District Court concluded that Horizon’s motion was a facial challenge because it “attacked] the sufficiency of the consolidated complaint on the grounds that the pleaded facts d[id] not establish constitutional standing.” (App. at 10.) We agree. Because Horizon did not challenge the validity of any of the Plaintiffs’ factual claims as part of its motion, it brought only a facial challenge. It argues that the allegations of the Complaint, even *633accepted as true, are insufficient to establish the Plaintiffs’ Article III standing.

In reviewing facial challenges to standing, we apply the same standard as on review of a motion to dismiss under Rule 12(b)(6). See Petruska v. Gannon Univ., 462 F.3d 294, 299 n.1 (3d Cir. 2006) (noting “that the standard is the same when considering a facial attack under Rule 12(b)(1) or a motion to dismiss for failure to state a claim under Rule 12(b)(6)” (citation omitted)). Consequently, we accept the Plaintiffs’ well-pleaded factual allegations as true and draw all reasonable inferences from those allegations in the Plaintiffs’ favor.9 Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). Nevertheless, “[t]hreadbare recitals of the elements of [standing], supported by mere conclusory statements, do not suffice.” Id. We disregard such legal conclusions. Santiago v. Warminster Twp., 629 F.3d 121, 128 (3d Cir. 2010). Thus, “[t]o survive a motion to dismiss [for lack of standing], a complaint must contain sufficient factual matter” that would establish standing if accepted as true. Iqbal, 556 U.S. at 678, 129 S.Ct. 1937 (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)).

There are three well-recognized elements of Article III standing: First, an “injury in fact,” or an “invasion of a legally protected interest” that is “concrete and particularized.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). Second, a “causal connection between the injury and the conduct complained of[.]” Id. And third, a likelihood “that the injury will be redressed by a favorable decision.” Id. at 561, 112 S.Ct. 2130 (citation and internal quotation marks omitted).

This appeal centers entirely on the injury-in-fact element of standing—more specifically, on the concreteness requirement of that element.10

“In the context of a motion to dismiss, we have held that the [i]njury-in-fact element is not Mount Everest. The contours of the injury-in-fact requirement, while not precisely defined, are very generous, requiring only that claimant allege[] some specific, identifiable trifle of injury.” Blunt v. Lower Merion Sch. Dist., 767 F.3d 247, 278 (3d Cir. 2014) (emphasis omitted) (citation and internal quotation marks omitted) (second alteration in original). “At the pleading stage, general factual allegations of injury resulting from the defendant’s conduct may suffice, for on a *634motion to dismiss we presum[e] that general allegations embrace those specific facts that are necessary to support the claim.” Lujan, 504 U.S, at 561, 112 S.Ct. 2130 (citation and internal quotation marks omitted) (alteration in original).

The requirements for standing do not change in the class action context. “[N]amed plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Lewis v. Casey, 518 U.S. 343, 357, 116 S.Ct. 2174, 135 L.Ed.2d 606 (1996) (citation and internal quotation marks omitted). “[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.” O’Shea v, Littleton, 414 U.S. 488, 494, 94 S.Ct. 669, 38 L,Ed.2d 674 (1974).11 Accordingly, at least one of the four named Plaintiffs must have Article III standing in order to maintain this class action.

B, Analysis of the Plaintiffs’ Standing

All four of the named Plaintiffs argue that the violation of their statutory rights under FCRA gave rise to a cognizable and concrete injury that satisfies the first element of Article III standing. They claim that the violation of their statutory right to have their personal information secured against unauthorized disclosure constitutes, in and of itself, an injury in fact. The District Court rejected that argument, concluding that standing requires some form of additional, “specific harm,” beyond “mere violations of statutory and common law rights[.]” (App. at 15-16.)

In the alternative, the Plaintiffs argue that Horizon’s violation of FCRA “placed [them] at an imminent, immediate, and continuing increased, risk of harm from identity theft, identity fraud, and medical fraud_” (App. at 40.) They say the increased risk constitutes a concrete injury for Article III standing purposes. In their Complaint, they assert that those whose personal information has been stolen are “approximately 9.5 times more likely than the general public to suffer identity fraud or identity theft.” (App. at 36.) They go on to note the various ways that identity thieves can inflict injury, such as draining a bank account, filing for a tax refund in another’s name, or getting medical treatment using stolen health insurance information. The District Court rejected that argument as well because it found that any future risk of harm necessarily depended on the “conjectural conduct of a third party bandit,” and was, therefore, too “attenuated” to sustain standing. (App. at 18.) (relying on Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011)).12

*635We resolve this appeal on the basis of Plaintiffs’ first argument and conclude that they have standing due to Horizon’s alleged violation of FCRA.

That the violation of a statute can cause an injury in fact and grant Article III standing is not a new doctrine. The Supreme Court has repeatedly affirmed the ability of Congress to “cast the standing net broadly” and to grant individuals the ability to sue to enforce their statutory rights. Fed. Election Comm’n v. Akins, 524 U.S. 11, 19, 118 S.Ct. 1777, 141 L.Ed.2d 10 (1998);13 see also Warth v. Seldin, 422 U.S. 490, 500, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975) (“The actual or threatened injury required by Article] III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing.” (citation, internal quotation marks, and ellipses omitted)); Linda R.S. v. Richard D., 410 U.S. 614, 617 n.3, 93 S.Ct. 1146, 35 L.Ed.2d 536 (1973) (“Congress may enact statutes creating legal rights, the invasion of which creates standing, even though no injury would exist without the statute.”); Havens Realty Corp. v. Coleman, 455 U.S. 363, 373-74, 102 S.Ct. 1114, 71 L.Ed.2d 214 (1982) (explaining that one “who has been the object of a misrepresentation made unlawful under [the statute] has suffered injury in precisely the form the statute was intended to guard against, and therefore has standing to maintain a claim for damages under the Act’s provisions”).

Despite those precedents, our pronouncements in this area have not been entirely consistent. In some cases, we have appeared to reject the idea that the violation of a statute can, by itself, cause an injury sufficient for purposes of Article III standing.14 But we have also accepted the argument, in some circumstances, that the breach of a statute is enough to cause a cognizable injury—even without economic or other tangible harm.15

*636Fortunately, a pair of recent cases touching upon this question, specifically in the context of statutes protecting data privacy, provide welcome clarity. Those cases have been decidedly in favor of allowing individuals to sue to remedy violations of their statutory rights, even without additional injury,

First, in In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), certain internet users brought an action against internet advertising px-oviders alleging that them placement of so-called “cookies”—ie. small files with identifying information left by a web server on users’ browsers—violated a number of federal and state statutes, including the Stored Communications Act. Id. at 133. The defendants ai'gued that because the users had not suffered economic loss as a result of the violations of the SCA, they did not have standing. Id. at 134. We emphasized that, so long as an injury “affect[s] the plaintiff in a personal and individual way,” the plaintiff need not “suffer any particular type of harm to have standing.” Id. (citation and internal quotation marks and citation omitted). Instead, “the actual or threatened injury required by Article] III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing,” even absent evidence of actual monetary loss. Id. (citation and internal quotation marks omitted) (emphasis added).

We then reaffirmed Google’s holding in In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016). That case involved a class action in which the plaintiffs alleged that Viacom and Google had unlawfully collected personal information on the Internet, including what webpages the plaintiffs had visited and what videos they watched on Viacom websites. Id. at 267. We addressed the plaintiffs’ basis for standing, relying heavily upon our prior analysis in Google, id. at 271-272, saying that, “when it comes to laws that protect privacy, a focus on economic loss is misplaced.” Id. at 272-73 (citation and internal quotation marks omitted). Instead, “the unlawful disclosure of legally protected information” constituted “a clear de facto injury.” Id. at 274. We noted that “Congress has long provided plaintiffs with the right to seek redress for unauthorized disclosures of infoi’mation that, in Congress’s judgment, ought to remain private.” Id.

In light of those two rulings, our path forward in this case is plain. The Plaintiffs here have at least as strong a basis for claiming that they were injured as the plaintiffs had in Google and Nickelodeon,16 Horizon nevertheless argues that the Supreme Court’s recent decision in Spokeo, Inc. v. Robins, — U.S.-, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016), compels a different outcome. We disagree. In Spokeo, a consumer sued a website operator for an allegedly willful violation of FCRA for *637publishing inaccurate information about him. Id. at 1544. The complaint did not include any allegation that the false information was actually used to the plaintiffs detriment. Id.; Robins v. Spokeo, Inc., 742 F.3d 409, 411 (9th Cir. 2014). Nonetheless, the United States Court of Appeals for the Ninth Circuit held that the plaintiff had standing because his “personal interests in the handling of his credit information” meant that the harm he suffered was “individualized rather than collective.” Robins, 742 F.3d at 413.

The Supreme Court vacated and remanded. 136 S.Ct. at 1550. It highlighted that there are two elements that must be established to prove an injury in fact— concreteness and particularization. Id. at 1545. The Ninth Circuit had relied solely on the “particularization” aspect of the injury-in-fact inquiry and did not address the “concreteness” aspect. Id. The Supreme Court therefore provided guidance as to what constituted a “concrete” injury and remanded to the Ninth Circuit to determine in the first instance whether the harm was concrete. Id.

In laying out its reasoning, the Supreme Court rejected the argument that an injury must be “tangible” in order to be “concrete.” Id. at 1549. It noted that many intangible injuries have nevertheless long been understood as cognizable—for instance violations of the right to freedom of speech or the free exercise of religion. Id. It then explained that “both history and the judgment of Congress play important roles” in determining whether “an intangible injury constitutes injury in fact.” Id. There are thus two tests for whether an intangible injury can (despite the obvious linguistic contradiction) be “concrete.” The first test, the one of history, asks whether “an alleged intangible harm” is closely related “to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American Courts.” Id. If so, it is likely to be sufficient to satisfy the injury-in-fact element of standing. Id. But even if an injury was “ ‘previously inadequate in law,’ ” Congress may elevate it ‘“to the status of [a] legally cognizable injurfy].’ ” Id. (quoting Lujan, 504 U.S. at 578, 112 S.Ct. 2130). Because “Congress is well positioned to identify intangible harms that meet minimum Article III requirements, its judgment is ... instructive and important.” Id. The second test therefore asks whether Congress has expressed an intent to make an injury redressable.

The Supreme Court cautioned, however, that congressional power to elevate intangible harms into concrete injuries is not without limits. A “bare procedural violation, divorced from any concrete harm,” is not enough. Id. On the other hand, the Court said, “the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact. In other words, a plaintiff in such a case need not allege any additional harm beyond the one Congress has identified.” Id.

Although it is possible to read the Supreme Court’s decision in Spokeo as creating a requirement that a plaintiff show a statutory violation has caused a “material risk of harm” before he can bring suit,17 id. *638at 1550, we do not believe that the Court so intended to change the traditional standard for the establishment of standing. As we noted in Nickelodeon, “[t]he Supreme Court’s recent decision in Spokeo ... does not alter our prior analysis in Google.” Nickelodeon, 827 F.3d at 273 (citation omitted).

We reaffirm that conclusion today. Spok-eo itself does not state that it is redefining the injury-in-fact requirement. Instead, it reemphasizes that Congress “has the power to define injuries,” 136 S.Ct. at 1549 (citation and internal quotation marks omitted), “that were previously inadequate in law.” Id. (citation and internal quotation marks omitted). In the absence of any indication to the contrary, we understand that the Spokeo Court meant to reiterate traditional notions of standing,18 rather than erect any new barriers that might prevent Congress from identifying new causes of action though they may be based on intangible harms. In short, out of a respect for stare decisis, we assume that the law is stable unless there is clear precedent to the contrary. And that means that we do not assume that the Supreme Court has altered the law unless it says so. Cf. Rodriguez de Quijas v. Shearson/Am. Exp., Inc., 490 U.S. 477, 484, 109 S.Ct. 1917, 104 L.Ed.2d 526 (1989) (“If a precedent of this Court has direct application in a case, yet appears to rest on reasons rejected in some other line of decisions, the Court of Appeals should follow the case which directly controls, leaving to this Court the prerogative of overruling its own decisions.”).

It is nevertheless clear from Spokeo that there are some circumstances where the mere technical violation of a procedural requirement of a statute cannot, in and of itself, constitute an injury in fact. 136 S.Ct. at 1549 (“Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.”). Those limiting circumstances are not defined in Spok-eo and we have no occasion to consider them now. In some future case, we may be required to consider the full reach of congressional power to elevate a procedural violation into an injury in fact, but this case does not strain that reach.

As we noted in Nickelodeon, “unauthorized disclosures of information” have long been seen as injurious. 827 F.3d at 274 (emphasis added). The common law alone will sometimes protect a person’s right to prevent the dissemination of private information. See Restatement (Second) of Torts § 652A (2016) (“One who invades the right of privacy of another is subject to liability for the resulting harm to the interests of the other.”); see also Samuel D. Warren & Louis D. Brandéis, The Right to Privacy, 4 Harv. L. Rev. 193, 193 (1890) (advancing the argument for a “right to be let alone”). Indeed, it has been said that “the privacy torts have become well-ensconced in the fabric of American law.” David A. Elder, Privacy Torts § 1:1 (2016). And with privacy torts, improper dissemination of information can itself con-*639statute a cognizable injury. Because “[dfemages for a violation of an individual’s privacy are a quintessential example of damages that are uncertain and possibly unmeasurable,” such causes of action “provide[] privacy tort victims with a monetary award calculated without proving actual damages.” Pichler v. UNITE, 542 F.3d 380, 399 (3d Cir. 2008) (citation omitted).

We are not suggesting that Horizon’s actions would give rise to a cause of action under common law. No common law tort proscribes the release of truthful information that is not harmful to one’s reputation or otherwise offensive. But with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm.19 It created a private right of action to enforce the provisions of FCRA, and even allowed for statutory damages for willful violations—which clearly illustrates that Congress believed that the violation of FCRA causes a concrete harm to consumers.20 And since the “intangible harm” that FCRA seeks to remedy “has a close relationship to a harm [i.e. invasion of privacy] that has traditionally been regarded as providing a basis for *640a lawsuit in English or American courts,” Spokeo, 136 S.Ct. at 1549, we have no trouble concluding that Congress properly defined an injury that “give[s] rise to a case or controversy where none existed before.” Id. (citation and internal quotation marks omitted).

So the Plaintiffs here do not allege a mere technical or procedural violation of FCRA.21 They allege instead the unauthorized dissemination of their own private information22—the very injury that FCRA is intended to prevent.23 There is thus a de facto injury that satisfies the concreteness requirement for Article III standing.24 See In re Nickelodeon, 827 F.3d at 274 (concluding that the “unlawful disclosure of legally protected information” in and of *641itself constitutes a “de facto injury”). Accordingly, the District Court erred when it dismissed the Plaintiffs’ claims for lack of standing.25

III. Conclusion

Our precedent and congressional action lead us to conclude that the improper disclosure of one’s personal data in violation of FCRA is a cognizable injury for Article III standing purposes. We will therefore vacate the District Court’s order of dismissal and remand for further proceedings consistent with this opinion.