Quantcast

Sixth Circuit denies rehearing in Nationwide data breach class actions

LEGAL NEWSLINE

Sunday, December 22, 2024

Sixth Circuit denies rehearing in Nationwide data breach class actions

Databreach

CINCINNATI (Legal Newsline) - A federal appellate court has denied Nationwide Insurance’s request for a rehearing after deciding last month to side with plaintiffs in two consolidated class action lawsuits brought against the company over a 2012 data breach.

The U.S. Court of Appeals for the Sixth Circuit, in an Oct. 12 order, denied Nationwide’s motion for rehearing en banc, or a rehearing by the full court.

“The original panel has reviewed the petition for rehearing and concludes that the issues raised in the petition were fully considered upon the original submission and decision of the cases. The petition then was circulated to the full court,” the single-page order states.

“No judge has requested a vote on the suggestion for rehearing en banc. Therefore, the petition is denied.”

In last month’s opinion, designated as unpublished, a majority of the Sixth Circuit’s three-judge panel said it would be “unreasonable” to expect customers to wait for “actual misuse.”

“This is not a case where Plaintiffs seek to ‘manufacture standing by incurring costs in anticipation of non-imminent harm,’” Judge Helene White wrote for the panel majority. Judge Sheryl Lipman, for the U.S. District Court for the Western District of Tennessee, sitting by designation, joined her in the Sept. 12 decision.

“Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.”

The plaintiffs in the cases -- which were consolidated -- appealed to the Sixth Circuit from the U.S. District Court for the Southern District of Ohio.

Mohammad Galaria and Anthony Hancox brought their class actions, in the Southern District of Ohio and the U.S. District Court for the District of Kansas, respectively, after hackers breached Nationwide Mutual Insurance Company’s computer network in October 2012 and stole their personal information, along with more than 1 million others.

In their complaints, the plaintiffs allege claims for invasion of privacy, negligence, bailment and violations of the Fair Credit Reporting Act, or FCRA.

More specifically, they argue Nationwide failed to adopt required procedures to protect against the wrongful dissemination of their data.

The Ohio federal court dismissed the complaints, concluding the plaintiffs failed to state a claim for invasion of privacy, lacked Article III standing to bring the negligence and bailment claims, and lacked statutory standing to bring the FCRA claims.

The plaintiffs moved for reconsideration and leave to amend, asserting the district court erred in dismissing one of their FCRA claims. The proposed amended complaint included a new allegation that Galaria discovered three unauthorized attempts to open credit cards in his name.

The district court denied reconsideration and leave to amend, concluding the plaintiffs had not demonstrated a clear error of law, and that the proposed amendment would not cure any deficiencies in the FCRA claim in any event.

The majority of the Sixth Circuit panel, in its 12-page ruling, reversed the district court’s ruling, concluding the plaintiffs have Article III standing and the district court erred in dismissing the FCRA claims for lack of subject-matter jurisdiction. The appeals court sent the case back to the district court for further proceedings.

The majority, pointing to the U.S. Supreme Court’s decision in Spokeo v. Robins, said the “irreducible constitutional minimum” of standing consists of three elements: a plaintiff must have 1) suffered an injury in fact, 2) that is fairly traceable to the challenged conduct of a defendant and 3) that is likely to be redressed by a favorable judicial decision.

The nation’s high court explained in its May decision that for an injury to be particularized, it must affect the plaintiff in a “personal and individual way.” The injury-in-fact also must be “concrete,” which means “real” and “not abstract.” But “concrete” is not necessarily synonymous with “tangible.”

“Here, Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation,” White wrote for the Sixth Circuit majority. “Plaintiffs allege that the theft of their personal data places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of ‘possible future injury’ or ‘objectively reasonable likelihood’ of injury that the Supreme Court has explained are insufficient.

“There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals. Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.”

The majority said its conclusion is “in line” with two recent decisions from the U.S. Court of Appeals for the Seventh Circuit.

Circuit Judge Alice Batchelder took a different position, dissenting from the majority.

“We need not take sides in the existing circuit split regarding whether an increased risk of identity theft is an Article III injury because, even assuming that it is, the plaintiffs have failed to demonstrate the second prong of Article III standing -- causation,” she explained. “The causation element requires ‘a causal connection between the injury and the [defendant’s] conduct’ -- in other words, the injury must be ‘fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court.’”

Batchelder argues that if Galaria and Hancox suffered injury, it was at the hands of criminal third-party actors.

The judge, pointing to her dissent, would grant rehearing in the case, according to the Sixth Circuit’s most recent order.

Nationwide filed its petition for rehearing en banc on Sept. 26 -- just two weeks after the Sixth Circuit filed its opinion.

“The divided panel decision in this case conflicts with precedent of the Supreme Court, this Court, and at least one other court of appeals on two exceptionally important, frequently recurring issues of constitutional law: (1) whether an alleged increased risk of future identity theft resulting from a data breach satisfies the ‘injury-in-fact’ requirement for Article III standing, and even if so (2) whether that injury is ‘fairly traceable’ to the defendant’s conduct, where the injury results from the independent actions of third parties not before the Court -- i.e., the criminal hackers who perpetrated the data breach,” the company argued in its 14-page motion.

Nationwide contends the legal issues raised by the case have “serious practical implications” given the frequency with which data breaches occur in today’s increasingly electronic world.

“And although the panel designated its decision as unpublished, plaintiffs in other jurisdictions are already attempting to use the decision to water down Article III’s standing requirements elsewhere,” the company noted.

From Legal Newsline: Reach Jessica Karmasek by email at jessica@legalnewsline.com.

More News