Insurance companies are susceptible to the same sort of data breaches as suffered by many other businesses, such as the recently reported theft from Yahoo of the personal data in half a billion accounts. In a major decision that may have widespread consequences, the Sixth Circuit Court of Appeals in Hancox v. Nationwide Ins. Cos., 2016 WL 4728027 (6th Cir. Sep. 12, 2016) recently held that plaintiffs do not have to allege actual identity theft in order to meet Article III’s standing requirements of injury in fact.

In Hancox v. Nationwide, the Court of Appeals reversed the Southern District of Ohio’s dismissal of class claims of negligence, Fair Credit Reporting Act violations, and other torts. The district court had concluded that the increased risk of future harm did not constitute injury in fact. The court followed the majority view, as exemplified in the U.S. Supreme Court’s statement in Clapper v. Amnesty International, 133 S.Ct. 1138, 1146 (2013) that plaintiffs cannot “manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”

In reversing the district court, the Sixth Circuit found that plaintiffs sufficiently pled cognizable injury in the possible mitigation costs that the plaintiffs might incur in the future, such as purchasing credit report and monitoring services, instituting and/or removing credit freezes, and/or closing or modifying financial accounts. The Sixth Circuit concluded that the plaintiffs’ allegations were sufficient because it would be unreasonable to expect plaintiffs to sit around and wait for the information to be misused in the future, and not to take proactive steps to ensure that their personal information and financial security would be protected. The court explained, “There is no need for speculation where plaintiffs allege their data has already been stolen and is now in the hands of ill-intentioned criminals.” That alone provides a basis for drawing a “reasonable inference…that the hackers will use the victims’ data for fraudulent purposes alleged in plaintiffs’ complaints.” Even though it cannot be “literally certain” that the data will in fact be misused in the future, there is nonetheless a “sufficiently substantial risk of harm that incurring mitigation costs is reasonable.”

The claims arose from a 2012 data breach in which 1.1 million Nationwide consumers’ names, marital statuses, gender, social security numbers, driver’s license numbers, and other personal information were compromised. In response to the incident, Nationwide informed its customers of the breach in a letter that advised them to take steps to prevent or mitigate misuse of the stolen data. Nationwide also provided one year of free credit monitoring and further recommended that its consumers sign up for fraud alerts and set holds on their credit reports. In an example of “no good deed goes unpunished,” the Sixth Circuit highlighted Nationwide’s mitigation efforts and recommendations as justifying its finding that plaintiffs had adequately shown injury in fact.

The Hancox decision comes just a few months after the Supreme Court’s decision in Spokeo, Inc. v. Robins (May 16, 2016), in which the Supreme Court found that the Ninth Circuit failed to consider the fact that an injury in fact must be concrete as well as particularized. The Sixth Circuit found that plaintiffs met Spokeo’s two-part test: they alleged an injury that likely would be redressed by a favorable decision and their alleged injury was “fairly traceable” to Nationwide’s conduct. We hope that the court will take up this case to further elucidate the standing requirements. In the meantime, be aware that the Sixth Circuit is not a favorable jurisdiction for companies in data breach class action cases.