On September 12, 2016, the US Court of Appeals for the Sixth Circuit held in Galaria v. Nationwide Mutual Insurance Co., Nos. 15-3386/15-3387 (6th Cir. Sept. 12, 2016) that the plaintiffs in two related lawsuits properly alleged standing to pursue claims arising from a 2012 attack on the defendant insurance company’s computer network. The court’s unpublished opinion addressed two questions that are frequently litigated in data breach cases: whether the plaintiffs had alleged an injury-in-fact required for constitutional standing; and whether any such alleged injury was fairly traceable to the acts of the defendants and thus sufficient to establish the requisite causation. The court decided both questions in favor of the plaintiffs. It did so over a dissent that concluded that it was unnecessary for the panel to weigh in on the “existing circuit split regarding whether an increased risk of identify theft is an Article III injury” because the plaintiffs had alleged no facts indicating that the company was responsible for the acts of third-party criminal hackers. Defendant has filed a petition asking the Sixth Circuit to review this decision en banc.
The plaintiffs’ claims arose from an cyberattack on the company’s computer network in which criminal hackers allegedly accessed the plaintiffs’ personal information. The company responded to the incident by offering “a year of free credit monitoring and identity-fraud protection of up to $1 million through a third-party vendor.” The company also advised customers to set up fraud alerts and place security freezes on their credit reports, while noting that these steps could impede access to credit and/or cost a small fee. The plaintiffs alleged that they took these steps and thus had “expend[ed] time and money” as a result of the data breach.
Both plaintiffs filed putative class action complaints alleging negligence and other claims. The Southern District of Ohio dismissed the claims, concluding, among other things, that the plaintiffs lacked Article III standing. In reaching this decision, the district court relied on Supreme Court decisions, such as Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), holding that a plaintiff lacks standing when she merely alleges a risk of future harm that is not certainly impending. The district court also recognized that courts, including the Third Circuit, have held that alleged “time and money expenditures” to mitigate the risk of speculative future injuries are inadequate to establish standing. E.g., Reilly v. Ceridian Corp., 664 F.3d 38, 46 (3d Cir. 2011).
The Sixth Circuit reversed. The majority held that the “[p]laintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, [were] sufficient to establish a cognizable Article III injury at the pleading stage.” It said that, because the plaintiffs’ data had already been stolen, there was “no need for speculation” that the plaintiffs faced a substantial risk and were thus justified in taking action to mitigate it. Defendant’s letter to the plaintiffs and its decision to offer free credit monitoring services were cited as indicative of the “severity of the risk.” The court concluded that “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints.” The court noted that “[a]lthough [Defendant] offered to provide some [risk mitigation] services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that [Defendant] recommended but did not cover.” The court thus viewed the case not as one in which plaintiffs sought to manufacture standing through incurring unreasonable mitigation costs but rather as one in which the costs were “a concrete injury suffered to mitigate an imminent harm.”
The panel described this analysis of constitutional injury as consistent with that of the Seventh and Ninth Circuits in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015); and Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). The panel acknowledged that the “Third Circuit reached a different conclusion in Reilly v. Ceridian Corp.,” but found it distinct because the plaintiffs there had not alleged “the intentional theft of their data.”
The panel went on to hold that the plaintiffs had adequately pled the other two elements of Article III standing: causation and redressability. The court’s decision was not recommended for publication, meaning that it will not bind future Sixth Circuit panels.
Judge Alice Batchelder dissented from the majority’s finding that the plaintiffs had adequately pled a causal connection between the company’s alleged conduct and their alleged injury, noting that the “plaintiffs make no factual allegations regarding how the hackers were able to breach [the company]’s system, nor do they indicate what [it] might have done to prevent that breach but failed to do.” The dissent also concluded that the plaintiffs did not allege causation sufficient to satisfy the second element of Article III standing because, “[i]n short, there is no allegation of fact in either complaint that makes plausible the notion that [Defendant] is at all responsible for the criminal acts that increased the plaintiffs’ risk of identity theft.” In other words, the alleged injury was a direct result of the criminal actions of a third party and not of the Defendant insurance company. Because the dissent found the causation element of standing not satisfied, it did not comment on “whether an increased risk of identity theft is an Article III injury,” but concluded instead that it was not necessary for the court to “take sides in the existing circuit split” on that question.
* * * * *
As the Galaria dissent emphasizes, judicial consensus remains elusive as courts analyze standing in data breach litigation. While the impact of this unpublished opinion remains to be seen and the rehearing petition is pending, this decision confirms that litigation over Article III standing in data breach cases is likely to continue as judges evaluate how the concepts of injury-in-fact and causation apply in the wake of criminal attacks on company networks and systems.