CINCINNATI (Legal Newsline) -- A panel of judges at the U.S. Court of Appeals for the Sixth Circuit has declared the victims of a data breach suffered by Nationwide Insurance no longer need to establish their standing to prove that they are in danger.
The victims of the 2012 data breach committed against the Nationwide Mutual Insurance Co. were declared to successfully establish the risks that could stem from the incident.
The Sixth Circuit decided the plaintiffs are eligible to claim their rights under the Fair Credit Reporting Act (FCRA) against the defendant. With the reversal of the trial court's ruling, the panel sided with the victims’ claims that they are exposed to “a substantial risk of harm” and have “incurred mitigation costs.”
In October 2012, Nationwide faced a data breach that compromised the confidential information of its clients. The data stolen included personally identifiable information such as their passport numbers, IP addresses, credit card numbers, Social Security numbers, employment information, home addresses and national identification numbers.
The hackers gained access to all these data using the computer network of Nationwide, which contained 1.1 million people.
Six weeks following the data breach, the insurance company reached out the affected clients by sending them a letter. According to the plaintiffs, Nationwide advised them to be more vigilant in checking their credit reports as well as their other financial documents. To compensate, the insurance company offered free credit monitoring and identity theft protection for an entire year.
The first cases linked to this data breach against Nationwide came in early 2013. These were filed by Mohammad Galaria of Minnesota and Anthony Hancox of Kansas in the District of Southern District of Ohio and the District of Kansas, respectively.
In their court documents, both victims accused Nationwide of breaching FCRA guidelines. They also alleged the company had been negligent as indicated by the data breach. In March 2013, the cases of Galaria and Hancox were consolidated in an Ohio federal court.
In February 2014, the case was dismissed by the trial court. Nationwide won the legal battle as the district court found the plaintiffs to be lacking in standing to be able to invoke their allegations related to the FCRA violations.
The lower court’s ruling also found the claims of risks of future identity thefts raised by the plaintiffs to be unsubstantiated, noting the possible damages could not be supported with facts. The district court further pointed out that Galaria and Hancox lacked standing to use Article III of the U.S. Constitution as their basis. Upon appeal, however, the Sixth Circuit declared otherwise.
“[P]laintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation,” wrote Circuit Judge Helene N. White in the ruling.
The Sixth Circuit judge added, “There is no need for speculation where the plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals. Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit monitoring and identity theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in the plaintiffs’ complaints.”
Galaria and Hancox are represented by The Coffman Law Firm in Beaumont, Texas. Meanwhile, the insurance company is represented by Carpenter, Lipps & Leland in Columbus as well as Ropes & Gray in Boston.