ALERT: Sixth Circuit Finds Standing Despite Lack of Hacked Info Use
September 16, 2016
In an unreported decision, the Sixth Circuit Court of Appeals joined the Seventh and Ninth Circuits in granting putative plaintiffs standing to sue a company keeping their personal information on file following a breach of that company’s data security, where there had not been actual illicit use of their stolen personal information.
In Galaria et al. v. Nationwide Mutual Ins. Co., Nos. 15-3386/3387, 2016 WL 4728027 (6th Cir. Sept. 12, 2016), the Sixth Circuit overturned the district court’s dismissal of two putative class action Fair Credit Reporting Act (FCRA) claims for lack of standing. In finding standing, the court determined that even before actual identity theft occurs (i.e. the hackers using the stolen information to fraudulently open or access accounts, or to perpetrate other identity-related fraud), access of a consumer’s personal data is an injury-in-fact.
Galaria et al. v. Nationwide
In October of 2012, hackers penetrated Nationwide’s computer network and stole the data of 1.1 million customers, including that of the Plaintiffs. In alleging claims of negligence (as well as invasion of privacy, a claim that is not the focus of the opinion), the Plaintiffs averred that while they had not as of yet suffered losses from fraud or direct theft of funds, the theft of their data created an “imminent, immediate and continuing increased risk” of a harm. Additionally, the Plaintiffs claimed that in order to mitigate that risk, they “ha[d] suffered, and will continue to suffer” both temporal and financial costs, including purchasing financial monitoring services, purchasing and viewing credit reports, bank statements, and instituting and removing credit freezes.
The district court originally determined that these harms were not a cognizable injury; the Sixth Circuit disagreed, and reversed the lower court’s ruling. Citing Supreme Court precedent (Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013)) that standing can be found based on a “substantial risk” that harm will occur when that harm prompts plaintiffs to reasonably incur mitigation costs, the Sixth Circuit determined that the Plaintiffs’ claim met the necessary threshold—where the Plaintiffs allege that their information is now in the hands of ill-intentioned criminals, their increased risk of fraud is beyond the necessary “substantial risk” to find standing to sue.
Ripple Effect: In re: Horizon Healthcare
Two days after the opinion was made available (although, again, the opinion is unpublished, and so is not mandatorily binding precedent in any jurisdiction), a putative class of insurance policyholders affected by a similar data breach made mention of Galaria in their appeal to the Third Circuit to overturn the dismissal of their suit. While the Third Circuit has not yet ruled on the issue, and is not bound by the precedent, this argument has expanded beyond the first two circuits in which it appeared, being followed by a third, and getting a “foot in the door” in the Third Circuit. Accordingly, firms storing personal data should be aware of the increasing possibility of suits in response to security breaches, even without actual identity theft injury occurring.