[BreachExchange] Litigation Alert: The Sixth Circuit Recognizes Article III Standing in Data Breach Case Despite Absence of Identity Theft Allegations

[Audrey McNeil]

http://www.jdsupra.com/legalnews/litigation-alert-the-sixth-circuit-68057/

Last week, the Sixth Circuit held that allegations that personal
information was stolen following a data breach was sufficient to confer
Article III standing to sue to the affected individuals, even in the
absence of allegations the plaintiffs had experienced identity theft and
fraud. Galaria, et. al. v. Nationwide Mut. Insur. Co., No. 15-3386/3387
(6th Cir. Sept. 12, 2016). Reversing the district court’s dismissal, the
court held that plaintiffs’ allegations of an increased risk of fraudulent
charges and identity theft and mitigation costs, such as credit monitoring,
were sufficient to confer standing at the pleading stage.

Background

Nationwide Mutual Insurance Company (Nationwide) is an insurance and
financial services company that maintained the personal information of its
customers and potential customers, such as their names, dates of birth,
social security numbers, driver’s license numbers and other information. On
October 3, 2012, hackers broke into Nationwide’s computer network and stole
the personal information of 11 million customers, including the plaintiffs,
Mohammad Galaria and Alex Hancock.

As part of its mitigation efforts, Nationwide notified the effected
individuals about the breach and advised them to take steps to guard
against the misuse of their stolen personal information by monitoring their
bank accounts and credit reports. Nationwide offered a year of free credit
monitoring and identity fraud protection of up to $1 million. Nationwide
also recommended that the effected individuals set up a fraud alert and a
security freeze on their credit reports, but did not offer to pay for the
expenses associated with a security freeze.

Galaria and Hancox filed separate but nearly identical class action
complaints against Nationwide. The complaints which were designated as
related alleged a violation of the Federal Credit Reporting Act (FCRA),
negligence and other state claims based on Nationwide’s failure to adopt
adequate procedures to protect plaintiffs’ personal information. The
complaints alleged that the Nationwide data breach created an “imminent,
immediate and continuing increased risk” that plaintiffs and the other
class members would be the victims of identity theft and that they had
suffered and would continue to suffer both “financial and temporal” costs,
such as having to purchase credit reporting services, credit and/or
internet monitoring, instituting and/or removing credit freezes and closing
or modifying financial accounts.

The district court dismissed the complaints, concluding that plaintiffs had
not alleged a cognizable injury sufficient to confer Article III standing.

Sixth Circuit Decision

The Sixth Circuit reversed the district court’s dismissal and remanded the
case, concluding that plaintiffs’ allegations that the theft of their
personal information subjected them to a heightened risk of identity theft
and caused them to incur mitigation costs, such as credit monitoring, was
sufficient to establish standing at the pleading stage. Citing Clapper v.
Amnesty Int’l USA, 133 S. Ct. 1138, 1147, 1150 n.5 (2013), the Sixth
Circuit explained that “threatened injury must be certainly impending to
constitute injury in fact,” and “standing [may be] based on a ‘substantial
risk’ that the harm will occur, which may prompt plaintiffs to reasonably
incur costs to mitigate or avoid the harm, even where it is not “literally
certain the harms they identify will come about.” Nationwide, Nos.
15-3386/3387, at 6. Turning to the allegations of the complaints, the Court
found that “[w]here a data breach targets personal information can be drawn
that the hacker will use the victims’ data for…fraudulent purposes[,]” and
“although it might not be ‘literally certain’ that Plaintiffs’ data will be
misused…, there is a sufficiently substantial risk of harm that incurring
mitigation costs is reasonable.” Id. at 6, 7. The Sixth Circuit emphasized
that Nationwide itself recognized the “severity of the risk” when it
offered to provide credit monitoring and identity theft protection for a
year to those customers victimized by the data breach. Id. at 6.

The Sixth Circuit noted its decision was consistent with two recent Seventh
Circuit data breach decisions, Remijas v. Neiman Marcus Group, LLC, 794
F.3d 688 (7th Cir. 2015) and Lewert v. P.F. Chang’s China Bistro, Inc., 819
F.3d 963 (7th Cir. 2016). Both Neiman Marcus and P.F. Chang’s found that
allegations of the increased risk of fraudulent charges and identity theft
that the victims of a data breach faced constituted a substantial risk of
harm sufficient to establish standing at the pleading stage. See P.F.
Chang’s, 819 F.3d at 965-97; Remijas, 794 F.3d at 693. The Court observed
that the Third Circuit had reached a seemingly different conclusion in
Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), where the Third
Circuit found that plaintiffs in that case did not have standing even
though their personal information was also stolen by a hacker. The Sixth
Circuit distinguished Reillyby observing that there was no indication that
the hacker in Reilly had read, copied, or even understood the data that he
stole in contrast to the present case which was “intentional theft” of
data. Id. at 9.

In addition to finding that the plaintiffs had pled a sufficient injury in
fact, the Court also found that the plaintiffs had properly alleged that
their injury was “fairly traceable” to Nationwide’s allegedly lax network
security (i.e., but for Nationwide’s purportedly deficient security,
plaintiffs’ injuries would not have occurred) and plaintiffs’ injury will
likely be redressed by a favorable decision which would award them
compensatory damages if they were successful. Id. at 9, 10.

Takeaways

Although Nationwide is an unpublished decision, it has important
implications in the data breach context. Nationwide joins with the Seventh
Circuit’s decisions in Neiman Marcus and P.F. Chang’s to make it more
difficult to dismiss a data breach complaint at the pleading stage.
Potential plaintiffs in the Sixth and Seventh Circuit will now be able to
plead a concrete and particularized injury and establish Article III
standing simply by alleging that their personal information was stolen and
they face an increased risk of fraudulent charges and identity theft and
have incurred mitigation costs.

Nationwide also creates a dilemma for companies that suffer from a data
breach. The Sixth Circuit found that Nationwide’s offer to provide credit
monitoring and identity theft protection to its customers established that
the company recognized that the risk of harm from the breach was
substantial. Such a finding places companies in a difficult position. They
must choose between taking steps to assist their customers in mitigating
the effects of the data breach and possibly conceding an argument that
plaintiffs have not suffered a cognizable injury and lack standing, or
doing nothing in potential violation of certain state laws. Thus, while
offers of credit monitoring services may help to maintain customer
goodwill, they are likely to do little to nip potential litigation in the
bud.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160920/3fba6bda/attachment.html>