One of defendants’ most significant arguments in opposing data breach victims’ negligence and breach of privacy claims has been that claimants who have not suffered actual fraud or identity theft can show no cognizable injury and therefore lack Article III standing to assert their claims. Appellate decisions in the Seventh and Ninth Circuits have previously taken a bite out of this defense, in rulings holding that the victims’ fear of future harm is sufficient to establish standing. Now the Sixth Circuit, in a case involving alleged victims of a data breach at Nationwide Mutual Insurance Company, has joined these other circuits, holding that the claimants’ heightened risk for fraud and mitigation costs were sufficient to establish Article III standing. The Sixth Circuit’s September 12, 2016 opinion, which can be found here, represents the latest in a series of developments evincing courts’ increasing willingness to recognize fear of potential future harm as sufficient to establish standing, which in turn may make it easier for the plaintiffs’ claims in these kinds of data breach cases to go forward.
On October 3, 2012, hackers broke into Nationwide’s computer network and stole the personal information of 1.1 million of the insurance company’s customers. The stolen data included names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers, and driver’s license numbers. Nationwide sent letters to its customers advising of the breach and offering free bank statement and credit monitoring services, as well as identity fraud protection.
Victims of the data breach initiated multiple lawsuits against Nationwide that were ultimately consolidated. In the consolidated action, the plaintiffs asserted claims for violation of the Fair Credit Reporting Act; negligence; invasion of privacy; and bailment, which arose out of Nationwide’s alleged failure to secure the plaintiffs’ data against a breach. The plaintiffs alleged that the data breach created an “imminent, immediate and continuing increased risk” that the data breach victims would be the subject of identity fraud. The plaintiffs also alleged that they have suffered both financial and temporal costs, including purchasing credit reporting and monitoring services.
The district court granted Nationwide’s motion to dismiss, concluding among other things that the plaintiffs lacked statutory standing under the FCRA and lacked Article III standing to bring their negligence and bailment claims because they had not alleged a cognizable injury. The plaintiffs appealed the dismissal of their FCRA, negligence and bailment claims.
By way of background, in order to establish standing under Article III of the U.S. Constitution, the party seeking to sue must personally have suffered some actual or threatened injury that can fairly be traced to the challenged action of the defendant and that is likely to be redressed by a favorable decision. In its 2013 decision in Clapper v. Amnesty International U.S.A. (here), the U.S. Supreme Court held that “allegations of future injury are not sufficient” to establish Article III standing.
The September 12, 2016 Sixth Circuit Decision
On September 12, 2016, in an unpublished opinion written by Judge Helene N. White for a 2-1 majority, the Sixth Circuit reversed the district court and remanded the case to the district court for further proceedings. Among other things, the appellate court held that the plaintiffs’ allegations of “a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury” at the pleading stage of the litigation.
In reaching this conclusion, the court said that the possibility of future injury was beyond mere speculation, noting that “there is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.” Where a data breach targets personal information, “a reasonable inference can be drawn that the hackers will use the victims’ data for … fraudulent purposes.” Although, the court noted, it might not be literally certain that plaintiffs’ data will be misused, it would be unreasonable to expect plaintiffs to wait for actual misuse before taking steps to ensure their own personal and financial security by expending time and money to monitor their credit and bank statements. These kinds of costs, incurred to mitigate an imminent harm, represent a sufficiently concrete injury, the court said, and are sufficient to satisfy the Article III injury requirement.
The appellate court noted that its Article III standing conclusion was consistent with two recent decisions from the Seventh Circuit, including the Neiman Marcus decision (about which refer here) and the P.F. Chang decision (refer here). The Sixth Circuit also drew support from the Ninth Circuit’s 2010 decision in the Starbucks case (refer here). The Sixth Circuit did note that the Third Circuit reached a different conclusion in its 2011 decision in the Ceridian Corp. case (refer here), although the Sixth Circuit also concluded that the Ceridian decision was not “on point” because the circumstances did not involve an “identifiable taking” in the form of the intentional theft of data.
The Sixth Circuit’s decision in the Nationwide case is the latest in a series of decisions in which appellate courts have concluded that data breach victims have adequately pled standing without having alleged actual fraud or identity theft. In each of these cases, the courts have held that the fear of substantial future harm is sufficient to establish standing; however, these various rulings arguably are inconsistent with the decisions of other appellate courts (for example, the Third Circuit) which have held that the data breach victims’ fear of future harm is insufficient to meet Article III’s standing requirements.
According to one commentator in a Law 360 article about the Sixth Circuit’s decision in the Nationwide case (here), while in the past defendants generally had been successful in obtaining dismissals on the grounds that data breach victims lacked Article III standing, the Sixth Circuit, following on the earlier decisions from the Seventh Circuit, has opened a crack that makes it harder for defendants to obtain dismissal and easier for data breach claimants to assert claims that can survive a motion to dismiss. Commentators cited in the article asserted that the Sixth Circuit’s ruling may be more troubling for defendants than the earlier Seventh Circuit decisions, as the majority found that the plaintiffs do not have to await actual misuse of their personal data in order to be able to pursue claims.
One aspect of the Sixth Circuit’s decision may be particularly troubling for companies that have experienced data breaches. In support of its conclusion that the plaintiffs had standing, the Sixth Circuit cited the fact that Nationwide had offered the data breach victims credit monitoring and identity-theft services. The appellate court said that these moves showed that even Nationwide recognized that the risk of harm was great enough to support these kinds of protective measures. Many companies routinely offer these types of services following a data breach. The concern may now be that offering these kinds of remedial or ameliorative services may actually be held against companies and used as the basis for claimants to establish standing. Companies and their advisers may now need to rethink how to respond and what steps to take following a data breach.
Though the Sixth Circuit’s decision could well prove to be valuable to claimants in these kinds of cases, it is certainly not the final word on the standing question. A split arguably exists on these issues between the Third Circuit, on the one hand, and the Seventh, Ninth and Sixth Circuits on the other. The potential circuit split may set up a U.S. Supreme Court review of these issues, particularly given the importance of the high court’s Clapper decision in the analysis.
Unless and until the Supreme Court weighs in and sorts out these issues, data breach victims will continue to argue, with apparent likelihood of success, that their claims of potential future harm are sufficient to establish Article III standing, even if they cannot allege actual identity theft. The availability of these kinds of arguments not only will make it more difficult for defendants to secure dismissal on Article III standing grounds, but it may encourage more data breach victims to try to pursue negligence and privacy breach type claims.