Sixth Circuit Lowers the Bar for Standing in Data Breach Suits

Galaria v. Nationwide Mutual Ins. Co., U.S. Court of Appeals, 6th Cir. (September 12, 2016)

This case arises out of an October 3, 2012 hack into Nationwide Mutual Insurance Company’s computer network, which exposed the personal information of the putative class action Plaintiffs and 1.1 million others. Nationwide informed the Plaintiffs of the breach by letter, advising that they should take steps to prevent or mitigate misuse of the stolen data, including monitoring bank statements and credit reports for unusual activity. Nationwide offered a year of free credit monitoring and identity fraud protection of up to $1,000,000 through a third-party vendor. Nationwide also suggested that victims set up a fraud alert and place a security freeze on their credit reports. Nationwide acknowledged that such a security freeze could, however, impede consumers’ ability to obtain credit and could cost between $5.00 and $20.00 to place and/or remove. Nationwide did not offer to pay for expenses associated with a security freeze.

Multiple putative class action complaints were filed, alleging willful and negligent violations of the Fair Credit Reporting Act (FCRA), negligence, invasion of privacy by public disclosure of private facts, and bailment. Plaintiffs contended that the Nationwide data breach created an “imminent, immediate and continuing increased risk” that Plaintiffs and other class members would be subject to identity fraud. As evidence of that risk, Plaintiffs referenced the illicit international market for stolen data used to obtain identification, government benefits, employment, housing, medical services, financial services, and credit and debit cards. Plaintiffs also pointed to the potential that a victim’s identity could be used by identity thieves when arrested, resulting in warrants issued in the victim’s name. Plaintiffs cited a study purporting to show that in 2011, recipients of data breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incident rate of 19%.

Plaintiffs further alleged that victims of identity theft and fraud typically spend hundreds of hours in personal time and hundreds of dollars in personal funds, incurring an average of $354.00 in out-of-pocket expenses and $1,513.00 in total economic loss to mitigate the risk. Plaintiffs alleged that they had suffered and would continue to suffer both financial and temporal costs to continue monitoring their credit information.

Nationwide filed a Motion to Dismiss, which was granted by the district court. The lower court agreed with Nationwide’s arguments that Plaintiffs did not have statutory standing under the FCRA and thus dismissed those claims for lack of subject matter jurisdiction.  The district court also dismissed the negligence and bailment claims, finding that Plaintiffs did not have Article III standing because they had not alleged a cognizable injury.  Lastly, the district court held that Plaintiffs had standing to bring their invasion of privacy claim but failed to state a claim for relief and dismissed that claim with prejudice.  Plaintiffs appealed the dismissal of all counts except for the invasion of privacy claim.

Article III of the U.S. Constitution limits the jurisdiction of federal courts to Cases and Controversies. The doctrine of standing gives meaning to these constitutional limits by identifying those disputes which are appropriately resolved through the judicial process. Constitutional standing consists of three elements: (1) Plaintiff must have suffered an injury in fact; (2) that is fairly traceable to the challenged conduct of a Defendant; and (3) that is likely to be redressed by a favorable judicial decision.

To establish injury in fact, a Plaintiff must show he or she suffered “an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” When standing is based on an imminent injury, the Supreme Court has explained that threatened injury must be certainly impending to constitute injury in fact and allegations of possible future injury are not sufficient. However, standing can be based on a “substantial risk” that harm will occur, which may prompt Plaintiffs to reasonably incur cost to mitigate or avoid that harm, even where it is not “literally certain the harms they identify will come about.”

In this case, the Court of Appeals found that Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, were sufficient to establish a cognizable Article III injury at the pleading stage of the litigation. The Court held there was no need for speculation where Plaintiffs alleged their data had already been stolen and was now in the hands of ill-intentioned criminals. Indeed, the Court pointed to the fact that Nationwide seemed to recognize the severity of the risk, given its offer to provide credit monitoring and identity theft protection. Thus, although it might not be “literally certain” that Plaintiffs’ data will be misused, there was a sufficiently substantial risk of harm that incurring mitigation costs was reasonable. The 6th Circuit held that all of the required elements were met, and thus, the Plaintiffs adequately alleged Article III standing.

In reaching its decision, the 6th Circuit pointed to two recent 7th Circuit cases with similar findings and a 9th Circuit case finding Article III standing as well.  However, the Court (and the dissent) noted the current split between these decisions and other Circuits.

The precedential effect of this opinion will be difficult to gauge for some time. As an unpublished, divided opinion, its value as citable authority may be limited. However, its discussion and analysis of Article III standing may well signal that the bar has been lowered for future claims, and the defense of these claims will have to shift to other grounds.