A federal Appeals Court has reinstated a class-action lawsuit against Nationwide Mutual Insurance Company after concluding that individuals whose personal data was exposed in a 2012 breach have sufficient standing to sue for damages.
The decision by the Sixth Circuit Court of Appeals in Cincinnati reverses an order of dismissal rendered by Ohio Southern District Court Judge Michael Watson, who previously ruled that the plaintiffs lacked Article III standing to sue in federal court, and that the court did not have subject-matter jurisdiction to hear arguments that Nationwide violated the Fair Credit Reporting Act.
The plaintiffs, Mohammad Galaria and Anthony Hancox, are suing Nationwide for negligence, bailment and FCRA violations on behalf of 1.1 million policy holders and non-policy holders whose information was exposed in an Oct. 3, 2012 data breach.
By a two-to-one decision, the three-judge panel agreed that the victims of this breach meet the three qualifications required to establish Article III standing (under the 2016 Supreme Court ruling Spokeo, Inc. v. Robins): they suffered or will likely imminently suffer an injury, they can directly or indirectly tie said injury to the defendant's conduct, and their grievances can be redressed via judicial decision.
"Thus far, the first prong of this test has proven to be a formidable hurdle for class action plaintiffs," said Mary Hildebrand, founder and chair of law firm Lowenstein Sandler's Privacy and Information Security Practice, and founder of its Tech Group, in an email interview with SCMagazine.com.
But in her majority opinion, Sixth Circuit Judge Helene White asserted that individuals compromised in the Nationwide breach can indeed make a case for injury because the crime placed them at higher risk of credit and identity fraud. Also, they have been forced to spend time and funds mitigating potential future damage caused by the incident – shopping for credit reporting and monitoring services, reviewing credit reports and bank statements and freezing credit lines. The appellant Galaria even alleged in documentation that he discovered three unauthorized attempts to fraudulently open credit cards in his name.
“…Although it might not be ‘literally certain’ that Plaintiffs' data will be misused… there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable,” wrote White. “Where Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiffs to wait for actual misuse – a fraudulent charge on a credit card, for example – before taking steps to ensure their own personal and financial security, particularly when Nationwide recommended taking these steps.”
Although Nationwide did not commit the actual breach, the Court further ruled that the plaintiffs are within reason to attribute the incident to allegedly insufficient information security safeguards.
Judge White noted that the ruling was in step with several recent appellate court decisions regarding the standing of data breach lawsuits filed against Neiman Marcus (Seventh Circuit), P.F. Chang's (Seventh Circuit) and Starbucks (Ninth Circuit).
“Not all data breach claims are created equal. Some plaintiffs' claims are only speculative, while others do a better job of alleging a serious risk that their personal data will be used fraudulently. What the Sixth Circuit found key in Galaria was that the defendant definitely had been hacked and that the plaintiff's personal data definitely had been stolen,” said Jeffrey S. Jacobson, co-chair of the Class Action and Securities Litigation and Enforcement practice groups at New York-based law firm Kelley Drye & Warren LLP, in comments emailed to SCMagazine.com.
“That was enough, the appeals court found, to satisfy the pleading requirements of a ‘concrete and particularized injury’ that is ‘fairly traceable’ to the defendant's alleged negligence,” Jacobson continued. “The court acknowledged that it might have reached a different result… had it been less clear that the hackers who intruded into the defendant's network actually obtained and were able to decipher the plaintiff's personal data.”
The Sixth Circuit also ruled that the lower district court erred in concluding that it did not have subject-matter jurisdiction over the FCRA violation claims. In her opinion, Judge White wrote that the lower court appeared to be arguing the merits of the case itself rather than matters of jurisdictional eligibility.
In a dissenting opinion, Circuit Judge Alice Batchelder disputed that the plaintiffs established Article III standing, claiming that they never established a viable connection between the injuries they said they suffered and the perceived actions or lack thereof by Nationwide.
“The complaints simply allege that hackers were in fact able to access the plaintiffs' personal information. From that fact, the complaints conclude that Nationwide failed to protect that information. But plaintiffs make no factual allegations regarding how the hackers were able to breach Nationwide's system, nor do they indicate what Nationwide might have done to prevent that breach but failed to do,” wrote Batchelder, arguing that the true culprit was the cybercriminal who perpetrated the breach itself, not those who failed to stop the individual.