CINCINNATI (Legal Newsline) - A divided panel of a federal appellate court this month sided with plaintiffs in two consolidated class action lawsuits filed against Nationwide Insurance over a 2012 data breach, saying it would be “unreasonable” to expect customers to wait for “actual misuse.”
“This is not a case where Plaintiffs seek to ‘manufacture standing by incurring costs in anticipation of non-imminent harm,’” Judge Helene White wrote for the majority of a three-judge panel of the U.S. Court of Appeals for the Sixth Circuit. Judge Sheryl Lipman, for the U.S. District Court for the Western District of Tennessee, sitting by designation, joined her in the Sept. 12 decision.
“Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.”
The plaintiffs in the cases -- which were consolidated -- appealed to the Sixth Circuit from the U.S. District Court for the Southern District of Ohio.
Mohammad Galaria and Anthony Hancox brought their class actions, in the Southern District of Ohio and the U.S. District Court for the District of Kansas, respectively, after hackers breached Nationwide Mutual Insurance Company’s computer network in October 2012 and stole their personal information, along with more than 1 million others.
In their complaints, the plaintiffs allege claims for invasion of privacy, negligence, bailment and violations of the Fair Credit Reporting Act, or FCRA.
More specifically, they argue Nationwide failed to adopt required procedures to protect against the wrongful dissemination of their data.
The Ohio federal court dismissed the complaints, concluding the plaintiffs failed to state a claim for invasion of privacy, lacked Article III standing to bring the negligence and bailment claims, and lacked statutory standing to bring the FCRA claims.
The plaintiffs moved for reconsideration and leave to amend, asserting the district court erred in dismissing one of their FCRA claims. The proposed amended complaint included a new allegation that Galaria discovered three unauthorized attempts to open credit cards in his name.
The district court denied reconsideration and leave to amend, concluding the plaintiffs had not demonstrated a clear error of law, and that the proposed amendment would not cure any deficiencies in the FCRA claim in any event.
The majority of the Sixth Circuit panel, in its 12-page ruling, reversed the district court’s ruling, concluding the plaintiffs have Article III standing and the district court erred in dismissing the FCRA claims for lack of subject-matter jurisdiction. The appeals court sent the case back to the district court for further proceedings.
The majority, pointing to the U.S. Supreme Court’s decision in Spokeo v. Robins, said the “irreducible constitutional minimum” of standing consists of three elements: a plaintiff must have 1) suffered an injury in fact, 2) that is fairly traceable to the challenged conduct of a defendant and 3) that is likely to be redressed by a favorable judicial decision.
The nation’s high court explained in its May decision that for an injury to be particularized, it must affect the plaintiff in a “personal and individual way.” The injury-in-fact also must be “concrete,” which means “real” and “not abstract.” But “concrete” is not necessarily synonymous with “tangible.”
“Here, Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation,” White wrote. “Plaintiffs allege that the theft of their personal data places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of ‘possible future injury’ or ‘objectively reasonable likelihood’ of injury that the Supreme Court has explained are insufficient.
“There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals. Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.”
In the wake of the data breach, Nationwide advised customers to take steps to prevent or mitigate misuse of the stolen data, including monitoring bank statements and credit reports for unusual activity. To help, the company offered a year of free credit monitoring and identity-fraud protection of up to $1 million through a third-party vendor.
Nationwide also suggested that customers set up a fraud alert and place a security freeze on their credit reports. However, it did not offer to pay for expenses associated with a security freeze.
White said a “reasonable inference” can be drawn that the hackers in this case will use the victims’ data for the fraudulent purposes alleged in the plaintiffs’ complaints.
“Thus, although it might not be ‘literally certain’ that Plaintiffs’ data will be misused, there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable,” the judge wrote. “Where Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiffs to wait for actual misuse -- a fraudulent charge on a credit card, for example -- before taking steps to ensure their own personal and financial security, particularly when Nationwide recommended taking these steps.”
The Sixth Circuit majority said their conclusion is “in line” with two recent decisions from the U.S. Court of Appeals for the Seventh Circuit.
In Remijas v. Neiman Marcus Group LLC, the court held that victims of a data breach at the department store had established injury-in-fact by alleging a “substantial risk of harm” from the theft of their data.
“Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make a fraudulent charge or assume those consumers’ identities,” the Seventh Circuit explained in its decision.
The court reached a similar conclusion in Lewert v. P.F. Chang’s China Bistro Inc., where restaurant customers’ credit-card data was stolen in a data breach, saying a “primary incentive” for a breach is to commit fraud.
“Here, Plaintiffs sufficiently allege that their injuries are fairly traceable to Nationwide’s conduct,” the Sixth Circuit wrote. “Although hackers are the direct cause of Plaintiffs’ injuries, the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody.
“In other words, but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data.”
Circuit Judge Alice Batchelder took a different position, dissenting from the majority.
“We need not take sides in the existing circuit split regarding whether an increased risk of identity theft is an Article III injury because, even assuming that it is, the plaintiffs have failed to demonstrate the second prong of Article III standing -- causation,” she explained. “The causation element requires ‘a causal connection between the injury and the [defendant’s] conduct’ -- in other words, the injury must be ‘fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court.’”
Batchelder argues if Galaria and Hancox suffered injury, it was at the hands of criminal third-party actors.
Their complaints do not make the factual allegations necessary to fairly trace that injury to Nationwide, the judge said.
“The complaints simply allege that hackers were in fact able to access the plaintiffs’ personal information,” Batchelder wrote. “From that fact, the complaints conclude that Nationwide failed to protect that information. But plaintiffs make no factual allegations regarding how the hackers were able to breach Nationwide’s system, nor do they indicate what Nationwide might have done to prevent that breach but failed to do.
“Galaria and Hancox’s alleged injury is an increased risk of identity theft, not the theft itself.”
Batchelder said the plaintiffs’ allegations are nothing more than “sheer speculation.”
The judge also took issue with the majority’s reference to the Neiman Marcus decision, arguing the Seventh Circuit overlooked the absence of any allegation that Neiman Marcus had specifically done anything that made the data breach easier or had failed to do anything that could have prevented it.
“The court did not explain how the risk of identity theft could be fairly traceable to Neiman Marcus when that risk was in fact the result of third party criminal action,” she said of the Seventh Circuit’s ruling and its ruling in P.F. Chang’s.
“We should not make this same mistake.”
From Legal Newsline: Reach Jessica Karmasek by email at jessica@legalnewsline.com.