[BreachExchange] Standing and Data Breach Suits in Sixth Circuit

[Audrey McNeil]

http://www.natlawreview.com/article/standing-and-data-
breach-suits-sixth-circuit

A divided panel of the Sixth Circuit recently overturned a district court’s
dismissal of claims against Nationwide Mutual Insurance Company involving
the theft of data, as hackers breached Nationwide’s computer network to
steal the plaintiffs’ personal information. The plaintiffs In Galaria et
al. v. Nationwide Mutual Insurance Co., asserted claims against Nationwide
under the Fair Credit Reporting Act (FCRA) in addition to a number of
common law claims (including negligence and bailment). The district court
dismissed the common law claims for lack of Article III standing, and
dismissed the FCRA claims for lack of “statutory standing,” and as an issue
of subject matter jurisdiction, because the plaintiffs alleged that
Nationwide violated the FCRA’s statement of purpose rather than any
substantive provision.  The panel reversed the district court on both
fronts.

With respect to the plaintiffs’ FCRA claims and “statutory standing,” the
panel explained that “statutory standing” is an inquiry that goes to
whether or not the plaintiff has a cause of action under the statute (i.e.,
whether the plaintiff falls within the class of plaintiffs authorized to
sue under the statute) and is analytically distinct from whether federal
courts have the power to adjudicate a dispute (compare with Article III
standing and the Constitution’s limitation that the federal judicial
“power” extends to “cases” and “controversies”).  Therefore, the proper
course for dismissing a claim where there is a lack of “statutory standing”
is to dismiss it for failure to state a claim rather than a lack of subject
matter jurisdiction, and the Court returned that question to the district
court for further consideration.  In a footnote, the Court mentioned the
Supreme Court’s recent decision in Spokeo, Inc. v. Robins and noted that
FCRA claims may present Article III standing issues where alleged
violations of the statute are procedural in nature but, in any event, the
plaintiffs here had satisfied the Article III injury requirement.
Specifically, the Court found that Article III injury was satisfied at the
pleading stage by “allegations of a substantial risk of harm, coupled with
reasonably incurred mitigation costs.”  Regarding mitigation costs, the
Court noted allegations that “[p]laintiffs and the other putative class
members must expend time and money to monitor their credit, check their
bank statements, and modify their financial accounts.”

The primary focus of the dissent was that it was unnecessary for the Court
to reach the issue of Article III “injury” because the plaintiffs had
failed to satisfy the separate traceability/causation requirement for
standing (i.e., that there is a sufficient connection between the
defendant’s actions, or inactions, and the plaintiff’s injury).  The
dissent reasoned that any injury suffered by the plaintiffs was “at the
hands of criminal third-party actors” and that the plaintiffs failed to
allege facts that fairly traced their injury to Nationwide.  In contrast,
the majority emphasized the low-threshold nature of the traceability
inquiry and found the requirement satisfied because “but for Nationwide’s
allegedly lax security, the hackers would not have been able to steal
[p]laintiffs’ data.”  The dissent argued that the plaintiffs’ allegations
about lax security were conclusory statements, not factual allegations
entitled to deference.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160916/8043c795/attachment.html>