In a recent unpublished 2-1 split decision, Galaria v. Nationwide Mutual Insurance Co. (appeal of consolidated case nos. 15-3387 and 15-3386, Sept. 12, 2016), the Sixth Circuit Court of Appeals held that customers could pursue data breach claims without alleging actual identity theft. This decision further lowered the bar for breach victims to prove standing and overcome a legal hurdle that until recently did not allow breach cases without actual identity theft to proceed past the pleading stage.

In Galaria, the named plaintiffs brought two putative class actions against Nationwide Mutual Insurance Company ("Nationwide") after hackers breached Nationwide's computer network and stole personal information, such as names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers and driver's license numbers, of plaintiffs and 1.1 million class members.

The actions alleged counts for violation of the Fair Credit Reporting Act, negligence, invasion of privacy by public disclosure of private facts, and bailment. In support of their claims, plaintiffs alleged that there is an illicit international market for stolen data, which is used to obtain identification, government benefits, employment, housing, medical services, financial services, and credit and debit cards, among others. According to the complaints, the data breach created an "imminent, immediate and continuing increased risk" that plaintiffs and other class members would be subject to this kind of fraud.

The district court dismissed plaintiffs' claims for bailment and negligence, concluding plaintiffs did not have Article III standing to bring these claims because plaintiffs had not alleged a cognizable injury; the plaintiffs filed a joint appeal. (Plaintiffs did not appeal the district court's dismissal of their invasion of privacy claim.)

The Sixth Circuit explained that to establish the foremost element of standing – injury in fact – a plaintiff must show that he or she suffered "an invasion of a legally protected interest that is 'concrete and particularized' and 'actual and imminent, not conjectural or hypothetical.'" (Citations omitted.) In the case before it, the Sixth Circuit concluded that plaintiffs' allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, were sufficient to establish a cognizable Article III injury at the pleading stage of the litigation. The court went on to state that "[t]here is no need for speculation where plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals." Accordingly, the appellate court reversed the district court's ruling and held that plaintiffs established standing to allege bailment and negligence against Nationwide. The court supported its decision with two other recent decisions from the Seventh Circuit (Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) and Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016)) and distinguished a recent Third Circuit decision that reached the opposite conclusion (Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011)). (The appellate court also found that plaintiffs established the other two required elements for standing – the alleged injury was fairly traceable to the conduct being challenged and plaintiffs' injury would likely be redressed by a favorable decision.)

This Sixth Circuit decision, by joining the Seventh Circuit Neiman Marcus decision cited above, represents a gradual shift among the courts, which are becoming more accepting of the argument that allegations of risk of harm alone are sufficient to survive a motion to dismiss in data breach cases. Until recently, a majority of the Circuit courts dismissed these cases at the pleading stage, holding that the plaintiffs could not establish Article III standing by solely alleging risk of harm without suffering actual identity theft.