Sixth Circuit Becomes Latest Court to Find Standing in a Data Breach Lawsuit


By: David Cole
The majority of lawsuits filed by consumers over data breaches in recent years have been successfully defended by arguments that the plaintiffs lacked standing to bring the lawsuit. To have standing, a plaintiff must be able to show that he or she has suffered injury that is “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Clapper v. Amnesty Intern. USA, ___ U.S. ___, 133 S. Ct. 1138, 1146 (2013). Based on this rule, businesses have successfully argued that the mere theft of personal information does not result in any actual injury that is sufficient to confer standing, absent some evidence that the personal information has been misused. While this continues to be a strong argument in most jurisdictions, a few cases decided within the past year may indicate a shift in the way courts analyze this issue. Earlier this month, the Sixth Circuit became the latest court to join this trend.
In its decision in Galaria v. Nationwide Mut. Ins. Co., No. 15-3386 (6th Cir. Sept. 12, 2016), the U.S. Court of Appeals for the Sixth Circuit held that plaintiffs had standing to assert claims arising from hackers’ alleged theft of their personal information, even though there are no allegations that the information has been misused. The lawsuit is based on a 2012 data breach in which hackers stole data that Nationwide collected for underwriting life insurance policies. Plaintiffs received written notice of the data breach, which explained that hackers had stolen data including the names, dates of birth, marital status, genders, occupations, employers, Social Security numbers, and driver’s license numbers of individuals who applied for insurance. Nationwide provided all affected individuals one year of free credit monitoring and identity-theft protection insurance. Based on those protections and plaintiffs’ failure to allege any actual misuse of their stolen information, the district court granted Nationwide’s motion to dismiss for lack of standing.
On appeal, however, the plaintiffs successfully argued that the district court did not fully appreciate the injury they had suffered. Because hackers target personal information for the very purpose of misusing it, plaintiffs argued that the risk of injury was neither speculative nor remote. And, even absent actual misuse of data, plaintiffs argued that instituting credit monitoring and other protections against identity theft imposed a cost in time and money on affected individuals. The Sixth Circuit agreed, holding that the criminals’ intentional theft of plaintiffs’ personal information created an immediate, serious, and tangible risk that compelled plaintiffs to take protective action, resulting in concrete injury sufficient to give them standing.
The decision in Galaria may reflect an increasing willingness of courts to find standing where personal information has been stolen. The ruling follows two recent cases from the U.S. Court of Appeals for the Seventh Circuit that found standing in data breach lawsuits even without allegations that the plaintiffs’ stolen information had been misused. See Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). In Remijas, for example, the Seventh Circuit concluded that “customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Similarly, in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), the Ninth Circuit found standing because the plaintiffs alleged a sufficiently “credible threat of real and immediate harm” as a result of the theft of a laptop containing their unencrypted personal data.
Businesses and insurance carriers should be mindful of these decisions and the shifting legal landscape they may represent. It is possible that if more cases survive early challenges to standing, more of them will be filed. While litigation arising from data breaches has, for the most part, been limited to large-scale breaches at big businesses, a change in judicial perspective about standing in the context of data breaches could give rise to more claims on a smaller scale. All of this underscores the importance of working with experienced legal counsel to properly respond to a data breach when it occurs, and of being proactive before a breach occurs by reviewing your data security policies and practices, as well as your incident response procedure, to make sure you are well-positioned to protect against and respond to a data breach. In all of these areas, our attorneys in our Cyber Liability, Data Security & Privacy practice group are here to help.