Last month, in Galaria v. Nationwide Mutual Insurance Co., Nos. 15-3386/3387 (6th Cir. Sept. 12, 2016), the Sixth Circuit issued a decision finding standing for a class of plaintiffs in a data breach class action.
In the first post-Spokeo appellate court decision, the Sixth Circuit held that plaintiffs whose personal information has been hacked have standing to sue under Article III based upon the risk of future harm and the risk of identity theft. Key to the Court’s finding were the post-breach mitigation efforts undertaken by the defendant.
As Plaintiffs alleged in their complaints, defendant Nationwide is a financial services company that collects sensitive personal and financial information from its customers. On October 3, 2012, hackers broke into Nationwide’s computer network and stole the personal information of approximately 1.1 million Nationwide customers. Nationwide notified its customers of the breach and advised of steps to prevent or mitigate the misuse of the stolen data. As part of its mitigation efforts, Nationwide offered its customers a year of free credit monitoring and identity fraud protection through an outside vendor.
Plaintiffs filed suit against Nationwide alleging violations of the Fair Credit Reporting Act, negligence, invasion of privacy and bailment. To support their claim that the breach created an “imminent, immediate and continuing increased risk” of identity fraud, the Plaintiffs cited a study alleged to show that in 2011, recipients of data-breach notifications were 9.6 times more likely to experience identity fraud and had a fraud incidence rate of 19%. Plaintiffs sought damages from the increased risk of fraud; expenses incurred in mitigating risk; and the time spent on mitigation efforts.
The district court granted Nationwide’s motion to dismiss the complaints, concluding that Plaintiffs did not have statutory standing under the FCRA and that the Plaintiffs had not alleged a cognizable injury to support Article III standing. The district court found that the Plaintiffs had standing to bring their invasion of privacy claim but failed to state a claim for relief.
On appeal, the Sixth Circuit first addressed Article III standing, finding that Plaintiffs’ allegations of a “substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable injury at the pleading stage of the litigation.” Citing the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the Sixth Circuit stated that to establish injury in fact, a plaintiff must show that he suffered “an invasion of a legally protected interest” and that to establish standing for an imminent injury “that threatened injury must be certainly impending to constitute injury in fact and that allegations of possible future injury are not sufficient.” The Sixth Circuit found that the allegations in the Plaintiffs’ complaints were sufficient to meet this standard, stating “where a data breach targets personal information, a reasonable inference can be drawn that hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints.” The Court also noted that defendant Nationwide seemed to recognize the severity of the risk because it offered free credit monitoring and identity theft protection for one year. The Court stated that its decision was in line with two recent Seventh Circuit decisions addressing standing in data breach cases: Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) and Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016). Continuing with its standing analysis, the Court found that the Plaintiffs’ injuries were fairly traceable to Nationwide’s conduct in that it is alleged that Nationwide failed to secure Plaintiffs’ sensitive personal information. Finally, the Court found that the Plaintiffs’ injuries would be redressed by a favorable verdict.
In her dissent, Judge Alice Batchelder argued that Plaintiffs had failed to meet the causation element of the standing requirement. Judge Batchelder found that “the complaints simply allege that hackers were in fact able to access the Plaintiffs’ personal information” and, from that fact alone, conclude that Nationwide failed to protect the information. Judge Batchelder found that, without any allegations regarding how the hackers were able to breach Nationwide’s systems or what Nationwide did or did not do to secure the data, the damages were not fairly traceable to Nationwide’s conduct.
This case raises interesting questions regarding how a company should respond once it discovers a data breach. Well-intentioned remedial efforts may be construed as a recognition of the seriousness of the breach. Both the Sixth and Seventh Circuits, in the above-referenced cases, used the remedial efforts of the breached entities as evidence of a recognition by the breached entity of the serious risk of identity fraud. In light of these decisions, companies that have experienced a data breach should anticipate the possibility that their efforts to mitigate the impact of a breach may be used against them in the event of a lawsuit, and frame their actions accordingly.