On October 12, 2016, the U.S. Court of Appeals for the Sixth Circuit denied a petition for an en banc rehearing of its September 12 decision in Galaria, et al. v. Nationwide Mutual Insurance Company (Nos. 15-3386/3387). In that decision, a divided Sixth Circuit panel revived a suit against Nationwide arising from the 2012 theft by hackers of personal information of approximately 1.1 million individuals.
In Galaria, the plaintiffs brought claims alleging invasion of privacy, negligence, bailment, and statutory violations of the Fair Credit Reporting Act (FCRA) following the breach. The complaint alleged that the defendant failed to secure the plaintiffs’ data against a breach. A federal district court dismissed those claims, holding in part that the plaintiffs lacked Article III standing because they failed to allege a cognizable injury in fact. To establish standing under Article III of the U.S. Constitution, a plaintiff must suffer an injury in fact, fairly traceable to the defendant’s challenged conduct, that is likely to be redressed by a favorable judicial decision.
The Sixth Circuit reversed, holding that allegations of a substantial risk of harm, along with reasonably incurred mitigation costs following the data breach, are sufficient to establish a cognizable injury and confer standing under Article III. In support of its holding, the Sixth Circuit cited various costs (in time and money) commonly incurred by victims of identity theft and fraud. The court found that in data breach cases targeting personal information, “a reasonable inference can be drawn that the hackers will use the victims’ data” for fraudulent purposes. The Sixth Circuit conceded that it may not be “literally certain” that the plaintiffs’ data will be misused but held that it would be unreasonable to expect plaintiffs to wait for actual misuse before taking steps to protect their personal and financial security (for example, by incurring costs for credit monitoring).
Interestingly, the court appeared to hold certain of the defendant’s own post-breach actions toward affected individuals against it, noting that the defendant had recommended but did not cover costs for obtaining a credit freeze. The court also noted, in defense of its conclusion that the risk of harm is sufficient to confer standing, that the defendant “seems to recognize the severity of the risk” because it offered to provide credit monitoring and identity theft protection for a year. This approach could inadvertently dis-incentivize companies from proactively working with affected individuals following a potential data breach and, in doing so, potentially conflict with the public policy favoring notice and cooperation that underpins breach notification laws nationwide (as well as with requirements set forth by such laws).
The Sixth Circuit thus joins the Seventh Circuit in recognizing standing for plaintiffs in data breach cases based on allegations of a substantial risk of harm. Although the decision is unpublished, the case nonetheless represents an important circuit-level review of standing doctrine in the aftermath of the Supreme Court’s May decision in Spokeo v. Thomas Robins (No. 13-1339). In Spokeo, the Supreme Court declined to address the necessary threshold for an injury in fact to confer standing (see previous analysis of Spokeo here). The Sixth and Seventh Circuit decisions may also signal a trend in data breach cases of distinguishing the Supreme Court’s 2013 decision in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), where the Supreme Court held in part that speculative allegations of “future injury” were insufficient to confer standing and that plaintiffs could not “manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending.” Clapper has been relied upon heavily by defendants seeking dismissal of data breach cases. Here, the Sixth Circuit concluded that the plaintiffs’ allegations of a continuing increased risk of fraud and identity theft surpass the speculative allegations rejected in Clapper and, further, that this was not a case where the plaintiffs sought to manufacture standing by incurring costs.
[View source.]
