September 16, 2016
The U.S. Sixth Circuit Court of Appeals recently joined a minority of courts in holding that the compromise of personal information through a cyber-hack without actual identity theft is sufficient “injury” to support Article III standing. In Galaria v. Nationwide Mutual Insurance Company, Nos. 15-3386/3387 (6th Cir. Sept. 12, 2016), the plaintiffs brought claims alleging invasion of privacy, negligence, bailment, and violations of the Fair Credit Reporting Act (FCRA). The District Court dismissed all of the claims, primarily on the basis that plaintiffs had not alleged facts sufficient to support the “injury in fact” element of Article III standing. In a 2-1 unpublished opinion, the Court of Appeals reversed.
Summary of the Breach
On October 3, 2012, hackers compromised Nationwide’s computer network and stole personal information of 1.1 million individuals. Nationwide notified the individuals affected by the compromise, provided them with free credit monitoring with identity-fraud protection of up to $1 million, and recommended placing security freezes on their credit reports. Nationwide did not cover the cost of placing or removing a credit freeze – between $5 and $20 per action.
The Sixth Circuit found that the plaintiffs’ harm was not speculative. First, the Court held that the plaintiffs’ data had been stolen and was controlled by criminals and thus the risk of fraud was not mere speculation. To support this point, the Court relied in part on Nationwide’s offer to provide identity-theft protection, finding the offer constituted an acknowledgment that the individuals were at a severe risk of having their identities stolen. Second, because affected individuals would need to expend time and money to protect their financial security, including by placing credit freezes, and Nationwide did not pay the costs of the recommended credit freezes, the Court concluded these costs constituted a concrete injury and imminent harm.
Prior to Galaria, the Sixth Circuit had not addressed whether a data breach victim in such circumstances could establish standing. Although a few courts had earlier held that plaintiffs who had personal information compromised could claim standing (notably the Seventh and Ninth Circuits), most cases have concluded that there is no harm to consumers who were not victims of identity theft, and thus such individuals lacked standing.
Companies should revisit their incident response plans and consider how they intend to respond following a breach, including whether to provide identity fraud protection, whether to cover any other costs related to preventing fraud, and how to communicate with affected individuals about the compromise. The Galaria decision demonstrates that courts will dissect how companies perform incident response and may construe ameliorative actions as forming a basis to establish standing.