The case concerns a data breach which resulted after hackers breached the computer network of Nationwide Mutual Insurance Company and stole the personal information of 1.1 million of Nationwide’s customers. The plaintiffs filed a class action lawsuit seeking to recover for their “imminent, immediate and continuing increased risk” of identity fraud.
The Supreme Court has held that a plaintiff must demonstrate three elements to have “standing” – that is, the right to sue – in federal court: the plaintiff must “(1) have suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.”
Injury-in-Fact
As to the first element, the plaintiff must have suffered concrete harm, so that a possible future injury is not sufficient. The Supreme Court in Clapper v. Amnesty Int’l USA explained that the threatened injury must be “certainly impending” for there to be injury-in-fact, and found the injury element had been met where there was a “substantial risk” that the harm will occur, which may prompt the plaintiffs to incur costs to mitigate the harm. Relying upon Clapper, the Court recognized that a reasonable inference can be drawn that in the case of a data breach the personal information that was stolen will be used by the hackers for illegal and fraudulent purposes. Thus, the Court found there to be a sufficiently substantial risk of harm that justified the plaintiffs incurring mitigating costs. Since Nationwide had only agreed to cover a year of identity theft insurance, but not the costs of placing security freezes on credit reports, those expenses were necessary, and were a concrete injury. Additionally, the Court observed that Nationwide recognized the risk of future injury by providing credit-monitoring and identity theft protection insurance for an entire year. It recommended that the victims pursue the security freezes and fraud alerts on their credit reports as well.
Traceability
The Court also had no trouble finding that the injury was fairly traceable to the defendant’s conduct, the second element of the standing test. The plaintiffs had alleged Nationwide’s inadequate administrative, physical and technological safeguards as the direct cause of plaintiffs’ injuries, and such allegations were sufficient to meet the threshold for Article III traceability.
Redressability
Finally, the third element – that the plaintiffs’ injury will likely be redressed by a favorable decision – was also easily met. The plaintiffs sought compensatory damages for the injuries they incurred, namely the time and money required to monitor their credit and financial accounts, and a favorable verdict would provide redress.
What the Decision Means
The Sixth Circuit’s decision aligns the Court with several other federal circuits that have held that incurring expenses to monitor the increased risk of identity theft is sufficient to meet the injury requirement of Article III standing. A majority of courts have refused to find that the mere act of hacking or evidence of intrusion or penetration of an organization’s system was sufficient to create a substantial risk of harm. But the Sixth Circuit cited the Remijas v. Neiman Marcus Group, LLC opinion in which the Seventh Circuit explained: “Why else would hackers break into a store’s database and steal consumers’ private information” if not to use it for fraudulent purposes?
Indeed, as a result of the Galaria decision, the Sixth Circuit joins the Seventh, Ninth and Eleventh Circuits in applying the three-element standing test to defeat a motion to dismiss and permit a class action seeking damages for a data breach to move forward on its merits. While the plaintiffs in these cases still bear the burden of obtaining class certification and proving the defendant’s negligence and other common law claims, unless Nationwide decides to appeal the decision to the Supreme Court, the decision strengthens their efforts to pursue recovery for a data breach in the Sixth Circuit.
Additionally, it is as yet unclear what impact the Court’s observations concerning Nationwide’s loss mitigation recommendations in its notification letter will have on future claims for recovery. Nevertheless, we still believe it is a prudent practice for organizations that find it necessary to give notice of a data breach to include information on how to minimize the risk of fraud and identity theft, and to offer to cover the costs of such mitigation efforts. Subsequent remedial measures are inadmissible to prove negligence under the Federal Rules of Evidence, and should ultimately reduce the adverse consequences, including reputational harm, of a data breach.