Last week, the Sixth Circuit held that allegations that personal information was stolen following a data breach were sufficient to confer Article III standing to sue on the affected individuals, even in the absence of allegations that the plaintiffs had experienced identity theft and fraud. Galaria, et al. v. Nationwide Mut. Insur. Co., No. 15-3386/3387 (6th Cir. Sept. 12, 2016). Reversing the district court’s dismissal, the court held that plaintiffs’ allegations of an increased risk of fraudulent charges and identity theft and mitigation costs, such as credit monitoring, were sufficient to confer standing at the pleading stage.

Background

Nationwide Mutual Insurance Company (Nationwide) is an insurance and financial services company that maintained the personal information of its customers and potential customers, such as their names, dates of birth, social security numbers, driver’s license numbers and other information. On October 3, 2012, hackers broke into Nationwide’s computer network and stole the personal information of 11 million customers, including the plaintiffs, Mohammad Galaria and Alex Hancox.

As part of its mitigation efforts, Nationwide notified the affected individuals about the breach and advised them to take steps to guard against the misuse of their stolen personal information by monitoring their bank accounts and credit reports. Nationwide offered a year of free credit monitoring and identity fraud protection of up to $1 million. Nationwide also recommended that the affected individuals set up a fraud alert and a security freeze on their credit reports, but did not offer to pay for the expenses associated with a security freeze.

Galaria and Hancox filed separate but nearly identical class action complaints against Nationwide. The complaints, which were designated as related, alleged a violation of the Federal Credit Reporting Act (FCRA), negligence and other state claims based on Nationwide’s failure to adopt adequate procedures to protect plaintiffs’ personal information. The complaints alleged that the Nationwide data breach created an “imminent, immediate and continuing increased risk” that plaintiffs and the other class members would be the victims of identity theft and that they had suffered and would continue to suffer both “financial and temporal” costs, such as having to purchase credit reporting services, credit and/or internet monitoring, instituting and/or removing credit freezes and closing or modifying financial accounts.

The district court dismissed the complaints, concluding that plaintiffs had not alleged a cognizable injury sufficient to confer Article III standing.

Sixth Circuit Decision

The Sixth Circuit reversed the district court’s dismissal and remanded the case, concluding that plaintiffs’ allegations that the theft of their personal information subjected them to a heightened risk of identity theft and caused them to incur mitigation costs, such as credit monitoring, were sufficient to establish standing at the pleading stage. Citing Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147, 1150 n.5 (2013), the Sixth Circuit explained that “threatened injury must be certainly impending to constitute injury in fact,” and “standing [may be] based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid the harm, even where it is not ‘literally certain the harms they identify will come about.’” Nationwide, Nos. 15-3386/3387, at 6. Turning to the allegations of the complaints, the Court found that “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hacker will use the victims’ data for…fraudulent purposes[,]” and “although it might not be ‘literally certain’ that Plaintiffs’ data will be misused…, there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable.” Id. at 6, 7. The Sixth Circuit emphasized that Nationwide itself recognized the “severity of the risk” when it offered to provide credit monitoring and identity theft protection for a year to those customers victimized by the data breach. Id. at 6.

The Sixth Circuit noted that its decision was consistent with two recent Seventh Circuit data breach decisions, Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) and Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016). Both Neiman Marcus and P.F. Chang’s found that allegations of the increased risk of fraudulent charges and identity theft that the victims of a data breach faced constituted a substantial risk of harm sufficient to establish standing at the pleading stage. See P.F. Chang’s, 819 F.3d at 965-97; Remijas, 794 F.3d at 693. The Court observed that the Third Circuit had reached a seemingly different conclusion in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), where the Third Circuit found that plaintiffs in that case did not have standing even though their personal information was also stolen by a hacker. The Sixth Circuit distinguished Reilly by observing that there was no indication that the hacker in Reilly had read, copied, or even understood the data that he stole, in contrast to the present case, which was “intentional theft” of data. Id. at 9.

In addition to finding that the plaintiffs had pled a sufficient injury in fact, the Court also found that the plaintiffs had properly alleged that their injury was “fairly traceable” to Nationwide’s allegedly lax network security (i.e., but for Nationwide’s purportedly deficient security, plaintiffs’ injuries would not have occurred) and that plaintiffs’ injury would likely be redressed by a favorable decision, which would award them compensatory damages if they were successful. Id. at 9, 10.

Takeaways

Although Nationwide is an unpublished decision, it has important implications in the data breach context. Nationwide joins the Seventh Circuit’s decisions in Neiman Marcus and P.F. Chang’s in making it more difficult to dismiss a data breach complaint at the pleading stage. Potential plaintiffs in the Sixth and Seventh Circuits will now be able to plead a concrete and particularized injury and establish Article III standing simply by alleging that their personal information was stolen, that they face an increased risk of fraudulent charges and identity theft, and that they have incurred mitigation costs.

Nationwide also creates a dilemma for companies that suffer from a data breach. The Sixth Circuit found that Nationwide’s offer to provide credit monitoring and identity theft protection to its customers established that the company recognized that the risk of harm from the breach was substantial. Such a finding places companies in a difficult position. They must choose between taking steps to assist their customers in mitigating the effects of the data breach and possibly conceding an argument that plaintiffs have not suffered a cognizable injury and lack standing, or doing nothing in potential violation of certain state laws. Thus, while offers of credit monitoring services may help to maintain customer goodwill, they are likely to do little to nip potential litigation in the bud.