The U.S. Court of Appeals for the Sixth Circuit concluded that certain allegations of harm after a data breach caused by hacking are sufficiently concrete to confer Article III standing. This case may make it more difficult for companies defending data breach suits to quickly obtain dismissal of plaintiffs’ claims.
The Data Breach & Notification Letter
In Galaria v. Nationwide Mutual Insurance Co., the plaintiffs in a putative class action alleged that hackers breached Nationwide’s computer network and stole their personal information, along with that of 1.1 million other individuals. The plaintiffs learned of the incident when Nationwide sent them a breach notification letter. The letter suggested that plaintiffs monitor their bank account statements and credit report to mitigate misuse of stolen data, offered one year of free credit monitoring and identity-fraud protection, and also suggested that the plaintiffs set up a fraud alert and place a security freeze on their credit reports. Although the credit freezes may cost money to place and remove, the plaintiffs alleged that Nationwide did not offer to pay for the associated expenses.
The plaintiffs sued Nationwide, alleging invasion of privacy, negligence, bailment, and violations of the Fair Credit Reporting Act (FCRA). The plaintiffs alleged that there is an illicit international market for stolen data and that identity thieves may fraudulently use victims’ personal information for a variety of purposes. According to the plaintiffs, the breach created an “imminent, immediate and continuing increased risk” that the plaintiffs and class members would be subject to identity fraud. Further, the plaintiffs alleged that victims of identity theft typically spend hundreds of hours of personal time and hundreds of dollars of personal funds. The plaintiffs sought damages for the increased risk of fraud, expenses incurred in mitigating the risk (including the cost of credit freezes), and time spent on mitigation efforts.
The Trial Court’s Dismissal
The trial court dismissed the plaintiffs’ claims, concluding that the plaintiffs lacked Article III standing to sue in federal court because they had not alleged a cognizable injury. In addition, the trial court concluded that the plaintiffs did not have “statutory standing” under FCRA so that the court lacked subject-matter jurisdiction over the federal claim. The plaintiffs appealed.
On appeal, the Sixth Circuit reversed and concluded that the plaintiffs had Article III standing to sue. The court explained that the plaintiffs sufficiently demonstrated that they (1) suffered an injury in fact, (2) that is fairly traceable to Nationwide’s conduct, and (3) that is likely to be redressed by a favorable judicial decision. Regarding Article III standing, the appellate court concluded –
Injury in Fact
The court concluded that the plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish injury at the pleading stage. Because the plaintiffs’ “data has already been stolen and is now in the hands of ill-intentioned criminals,” the court could reasonably infer that hackers would use the victim’ data for the fraudulent purposes that the plaintiffs’ alleged. Thus, the plaintiffs’ allegations were not improper speculative allegations of possible future injury. Notably, the plaintiffs’ complaints in Galaria did not allege that any fraud actually occurred. (Although one plaintiff sought to amend the complaint after the trial court had dismissed the action claiming that he had discovered fraudulent attempts to open credit accounts in his name, the appellate court’s conclusion that standing exists is not premised upon the plaintiff’s later factual allegations.)
The Sixth Circuit’s decision followed the outcome in two recent data breach cases where the Seventh Circuit found standing based on allegations that fraud occurred after the breach. For example, in Remijas v. Neiman Marcus Group, LLC, hackers stole approximately 350,000 credit card numbers from a luxury retailer, and fraud was discovered on approximately 9,200 of those cards. 794 F.3d 688, 689 (7th Cir. 2015). In Lewert v. P.F. Chang’s China Bistro, Inc., one class representative experienced fraudulent charges on his credit card. In addition, Although the Sixth Circuit cited the Supreme Court’s recent Spokeo v. Robins decision in its Article III standing analysis, it did so only nominally, relying primarily on older standing decisions.
Interestingly, the appellate court referred to Nationwide’s breach notification letter to support its conclusion that the plaintiffs suffered an injury. According to the court, “Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.” In addition, the court said that it would be unreasonable to expect the plaintiffs to wait for actual misuse of their information “before taking steps to ensure their own personal and financial security, particularly when Nationwide recommended taking those steps.” (emphasis added). Yet, state breach notification laws often require companies to inform individuals of mitigation steps that they can take, such as by providing instructions on how to place a fraud alert or security freeze with a credit bureau, and by advising individuals to monitor their free credit reports.
The court also noted that Nationwide recommended but did not cover the cost of credit freezes. Thus, the costs constitute a “concrete injury suffered to mitigate an imminent harm” and satisfy the injury requirement of Article III standing.”
The court concluded that the plaintiffs’ allegations that Nationwide failed to implement appropriate safeguards to ensure the security and confidentiality of data was sufficient to allege traceability. The court added that, although hackers were the direct cause of the plaintiffs’ injuries, they were able to access the plaintiffs’ data “only because Nationwide allegedly failed to secure” the data.
The court concluded that the plaintiffs sought compensatory damages for their injuries, and that a favorable verdict would provide redress.
The Galaria decision may make it more difficult for companies defending against data breach cases to eliminate cases at the pleading stage based on a lack Article III standing. However, the case may not affect all types of data breach cases, particularly those where the facts do not demonstrate that criminals actually targeted personal information (e.g., in cases of lost or stolen computers or storage devices). Nonetheless, this appears to be one of the first appellate decisions decided since the Supreme Court’s 2013 Clapper decision that found standing despite the plaintiff’s failure to allege experiencing any fraud or identity theft (aside from the post-dismissal attempt to amend the complaint). It will be interesting to see whether Nationwide will appeal to the Supreme Court on grounds that the case is inconsistent with Clapper and Spokeo. Companies that suffer a data breach may also wish to consider the inferences that the court drew regarding Nationwide’s letter when deciding how to draft their own breach notification letters.
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.