Introduction

On September 12 2016 – in Galaria v Nationwide Mutual Insurance Co (15-3386/15-3387)(1) – the US Court of Appeals for the Sixth Circuit held that the plaintiffs in two related lawsuits properly alleged standing to pursue claims that had arisen from a 2012 attack on the defendant insurer's computer network.

The court's unpublished opinion addressed two questions that are frequently litigated in data breach cases:

  • whether the plaintiffs had alleged an injury-in-fact required for constitutional standing; and
  • whether any such alleged injury was fairly traceable to the acts of the defendant and thus sufficient to establish the requisite causation.

The court decided both questions in favour of the plaintiffs. It did so over a dissent that concluded that it was unnecessary for the panel to weigh in on the "existing circuit split regarding whether an increased risk of identity theft is an Article III injury" because the plaintiffs had alleged no facts indicating that the company was responsible for the acts of third-party criminal hackers.

Background

The plaintiffs' claims arose from a cyberattack on the insurer's computer network, in which criminal hackers allegedly accessed the plaintiffs' personal information. The company responded to the incident by offering "a year of free credit monitoring and identity-fraud protection of up to $1 million through a third-party vendor". The insurer also advised customers to set up fraud alerts and place security freezes on their credit reports, while noting that these steps could impede access to credit and/or cost a small fee. The plaintiffs alleged that they had taken these steps and thus had "expend[ed] time and money" as a result of the data breach.

Both plaintiffs filed putative class action complaints alleging negligence and other claims. The Southern District of Ohio dismissed the claims, concluding, among other things, that the plaintiffs lacked Article III standing. In reaching this decision, the district court relied on Supreme Court decisions such as Clapper v Amnesty International USA,(2) holding that a plaintiff lacks standing when he or she merely alleges a risk of future harm that is not certainly impending. The district court also recognised that other courts, including the Third Circuit, have previously held that alleged "time and money expenditures" to mitigate the risk of speculative future injuries are inadequate to establish standing.(3)

Decision

However, the Sixth Circuit reversed this decision. The majority held that the "[p]laintiffs' allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, [were] sufficient to establish a cognizable Article III injury at the pleading stage". It said that, because the plaintiffs' data had already been stolen, there was "no need for speculation" that they faced a substantial risk and were thus justified in taking action to mitigate it. The defendant's letter to the plaintiffs and its decision to offer free credit monitoring services were cited as indicative of the "severity of the risk". The court concluded that "[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in Plaintiffs' complaints". The court noted that

"[a]lthough [Defendant] offered to provide some [risk mitigation] services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that [Defendant] recommended but did not cover".

The court thus viewed the case not as one in which the plaintiffs sought to "manufacture standing" through incurring unreasonable mitigation costs, but rather as one in which the costs were "a concrete injury suffered to mitigate an imminent harm".

The panel described this analysis of constitutional injury as consistent with that of the Seventh and Ninth Circuits in Lewert v PF Chang's China Bistro Inc;(4) Remijas v Neiman Marcus Group LLC;(5) and Krottner v Starbucks Corp.(6) The panel acknowledged that the "Third Circuit reached a different conclusion in Reilly v Ceridian Corp", but found it distinct because in that case the plaintiffs had not alleged "the intentional theft of their data".

The panel went on to hold that the plaintiffs had adequately pled the other two elements of Article III standing: causation and redressability. The court's decision was not recommended for publication, meaning that it will not bind future Sixth Circuit panels.

Judge Alice Batchelder dissented from the majority's finding that the plaintiffs had adequately pled a causal connection between the insurer's alleged conduct and their alleged injury. The dissent noted that the "plaintiffs make no factual allegations regarding how the hackers were able to breach [the company]'s system, nor do they indicate what [it] might have done to prevent that breach but failed to do". The dissent also concluded that the plaintiffs did not allege causation sufficient to satisfy the second element of Article III standing because "[i]n short, there is no allegation of fact in either complaint that makes plausible the notion that [Defendant] is at all responsible for the criminal acts that increased the plaintiffs' risk of identity theft". In other words, the alleged injury was a direct result of the criminal actions of a third party and not of the defendant insurer. Because the dissent found the causation element of standing not satisfied, it did not comment on "whether an increased risk of identity theft is an Article III injury", but concluded instead that it was not necessary for the court to "take sides in the existing circuit split" on that question.

Comment

As the Galaria dissent emphasises, judicial consensus remains elusive as courts analyse standing in data breach litigation. While the impact of this unpublished opinion remains to be seen, this decision confirms that litigation over Article III standing in data breach cases is likely to continue as judges evaluate how the concepts of injury-in-fact and causation apply in the wake of criminal attacks on company networks and systems.

For further information on this topic please contact Rajesh De, Stephen Lilley or Joshua Silverstein at Mayer Brown LLP by telephone (+1 202 263 3000) or email ([email protected], [email protected] or [email protected]). The Mayer Brown LLP website can be accessed at www.mayerbrown.com.

Endnotes

(1) 6th Cir Sept 12 2016.

(2) 133 S Ct 1138 2013.

(3) For example, Reilly v Ceridian Corp, 664 F 3d 38, 46 (3d Cir 2011).

(4) 819 F 3d 963 (7th Cir 2016).

(5) 794 F 3d 688 (7th Cir 2015).

(6) 628 F 3d 1139 (9th Cir 2010).

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.