In an unpublished ruling, the U.S. Court of Appeals for the Sixth Circuit recently reversed the dismissal of consolidated class actions arising from a data breach, holding that the plaintiffs had Article III standing to pursue certain tort claims and that the district court had erred in dismissing a federal Fair Credit Reporting Act claim for lack of subject matter jurisdiction.

The plaintiffs brought class actions against an insurance company alleging violations of the FCRA and common law tort claims for invasion of privacy, negligence and bailment after hackers breached the insurer’s computer network. Finding a lack of Article III standing related to the negligence and bailment claims, a lack of statutory standing pursuant to the FCRA, and that plaintiffs failed to state a claim for invasion of privacy, the district court dismissed the action. The plaintiffs challenged the dismissal of their negligence, bailment and FCRA claims on appeal.

The consolidated class actions arose after hackers broke into Nationwide’s computer network and stole the personal information of the putative class members, including names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers and driver’s license numbers. As a result, Nationwide contacted the class members to inform them of the breach, offered a year of free credit monitoring and identity fraud protection, and suggested that they set up a fraud alert and place a security freeze on their credit reports. Nationwide did not offer to pay for these services, which, according to the Nationwide website, could cost between $5 and $20 and could affect the ability to obtain credit.

Pursuant to the Supreme Court of the United States’ holding in Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016), to have Article III standing, a plaintiff must have suffered (1) an injury in fact (2) that is fairly traceable to the challenged conduct of a defendant and (3) that is likely to be redressed by a favorable judicial decision.

The Sixth Circuit held that plaintiffs had alleged sufficient facts reflective of an imminent injury to satisfy the first prong of standing. The Court noted that where a plaintiff seeks to establish standing based upon an “imminent injury,” the threatened injury must be “certainly impending” to constitute injury in fact, and allegations of possible future injury are insufficient. The Court found that the plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, relating to the data breach satisfied the injury prong of Article III standing.

The Court noted that where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use such data for fraudulent purposes, as alleged in the complaints at issue, such that there is a substantial risk of harm.

In addition, the Sixth Circuit held that although it might not be “literally certain” that the hacked data would be misused to the plaintiffs’ detriment, the costs of time and money that the plaintiffs allegedly incurred to monitor and manage their credit and other financials reflected reasonably incurred mitigation costs. The Court noted in this regard that although the insurer offered to provide some credit monitoring services for free, the offer was only for a limited time and did not include covering the costs of certain precautions, such as credit freezes, which the insurer recommended the putative class take in the wake of the data breach. The Court noted that such costs were reflective of “concrete injury” suffered to mitigate an “imminent harm.”

The Sixth Circuit next held that the plaintiffs had satisfied the second prong by alleging facts sufficient to demonstrate that the injury was “fairly traceable” to the conduct of the insurer where the complaints alleged that the insurer failed to have in place sufficient safeguards to protect the security and confidentiality of the plaintiffs’ data.

Noting that the traceability requirement serves to eliminate those cases in which a third party and not the named defendant caused the injury, the Court opined that, in interpreting the allegations of the complaints, “but for [the insurer’s] allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data.”

The Sixth Circuit also held that the plaintiffs had demonstrated that their injury would likely be redressed by a ruling in their favor, sufficient to satisfy the third prong of Article III standing, as the plaintiffs’ complaints sought compensatory damages for their injuries.

The Court then reversed the district court’s dismissal of the FCRA claims for lack of subject-matter jurisdiction. Noting that the district court concluded that the complaints alleged violations of the FCRA’s statement of purpose, rather than violations of any substantive provision of the statute, the Court concluded that dismissal for lack of jurisdiction was error. Instead, the Sixth Circuit held, if the plaintiffs failed to plead statutory standing pursuant to the FCRA, the appropriate resolution was to dismiss the complaints for failure to state a claim for relief.