A divided panel of the Sixth Circuit recently overturned a district court’s dismissal of claims against Nationwide Mutual Insurance Company involving the theft of data, as hackers breached Nationwide’s computer network to steal the plaintiffs’ personal information. The plaintiffs In Galaria et al. v. Nationwide Mutual Insurance Co., asserted claims against Nationwide under the Fair Credit Reporting Act (FCRA) in addition to a number of common law claims (including negligence and bailment). The district court dismissed the common law claims for lack of Article III standing, and dismissed the FCRA claims for lack of “statutory standing,” and as an issue of subject matter jurisdiction, because the plaintiffs alleged that Nationwide violated the FCRA’s statement of purpose rather than any substantive provision. The panel reversed the district court on both fronts.

With respect to the plaintiffs’ FCRA claims and “statutory standing,” the panel explained that “statutory standing” is an inquiry that goes to whether or not the plaintiff has a cause of action under the statute (i.e., whether the plaintiff falls within the class of plaintiffs authorized to sue under the statute) and is analytically distinct from whether federal courts have the power to adjudicate a dispute (compare with Article III standing and the Constitution’s limitation that the federal judicial “power” extends to “cases” and “controversies”). Therefore, the proper course for dismissing a claim where there is a lack of “statutory standing” is to dismiss it for failure to state a claim rather than a lack of subject matter jurisdiction, and the Court returned that question to the district court for further consideration. In a footnote, the Court mentioned the Supreme Court’s recent decision in Spokeo, Inc. v. Robins and noted that FCRA claims may present Article III standing issues where alleged violations of the statute are procedural in nature but, in any event, the plaintiffs here had satisfied the Article III injury requirement. Specifically, the Court found that Article III injury was satisfied at the pleading stage by “allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs.” Regarding mitigation costs, the Court noted allegations that “[p]laintiffs and the other putative class members must expend time and money to monitor their credit, check their bank statements, and modify their financial accounts.”

The primary focus of the dissent was that it was unnecessary for the Court to reach the issue of Article III “injury” because the plaintiffs had failed to satisfy the separate traceability/causation requirement for standing (i.e., that there is a sufficient connection between the defendant’s actions, or inactions, and the plaintiff’s injury). The dissent reasoned that any injury suffered by the plaintiffs was “at the hands of criminal third-party actors” and that the plaintiffs failed to allege facts that fairly traced their injury to Nationwide. In contrast, the majority emphasized the low-threshold nature of the traceability inquiry and found the requirement satisfied because “but for Nationwide’s allegedly lax security, the hackers would not have been able to steal [p]laintiffs’ data.” The dissent argued that the plaintiffs’ allegations about lax security were conclusory statements, not factual allegations entitled to deference.