The Sixth Circuit has made it easier for victims of a data breach to proceed in court. In a case involving alleged victims of a data breach at Nationwide Mutual Insurance Company, the appellate court ruled that fear of future harm following a data breach is sufficient to establish Article III standing.
Nationwide Data Breach
Nationwide Mutual Insurance Company suffered a data breach on October 3, 2012. Hackers gained access to Nationwide’s computer network and stole personal information of 1.1 million customers. The stolen information included the following: name, date of birth, Social Security number, driver’s license number, gender, marital status, occupation, and employer.
Victims learned of the breach when they received a notification letter from Nationwide. Due to requirements in breach notification laws, Nationwide’s letter offered suggestions for victims to mitigate any potential harm. Suggestions included monitoring bank account statements and credit reports, along with placing a security freeze on credit reports. Nationwide also offered one year of free credit monitoring and identity theft protection services in the notification letter.
The data breach victims filed a lawsuit against Nationwide asserting claims for negligence, bailment, and violation of the Fair Credit Reporting Act. The victims claimed the data breach presented an “imminent, immediate, and continuing increased risk” of identity fraud. Because there is a widely recognized market for stolen data, the victims alleged that the breach created a reasonable risk of identity theft. The victims also claimed they incurred financial costs because they purchased mitigation services to protect against the risk of identity fraud.
District Court Decision
The district court granted Nationwide’s motion to dismiss, concluding that the victims had not alleged a cognizable injury and therefore did not have Article III standing to proceed. The court also ruled that there was no statutory standing under the FCRA and that it lacked jurisdiction over that claim. Unsurprisingly, the breach victims appealed the ruling.
Just to recap, to establish Article III standing a party must show that it has suffered an actual or threatened injury, that the injury is fairly traceable to the defendant’s conduct, and that the injury is likely to be redressed by a favorable court decision.
Sixth Circuit Decision
The Sixth Circuit reversed the district court’s decision and remanded the case to the district court. The Sixth Circuit held that the victims did suffer an injury in fact, that the injury is fairly traceable to Nationwide’s actions, and that it is likely to be redressed by a favorable court decision.
According to the Sixth Circuit, the victims’ allegations of “a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury.” Basically, when a data breach targets personal information, it is reasonable to infer that the information will be used for fraudulent purposes. Further, the costs the victims incurred to mitigate that risk of harm are themselves a sufficiently concrete injury.
This conclusion is consistent with two recent decisions from the Seventh Circuit in the cases against Neiman Marcus and P.F. Chang’s.
This decision by the Sixth Circuit is the latest in a series of key decisions concluding that data breach victims have Article III standing without having alleged actual fraud or identity theft.
This case is also interesting because of how the notification letter was used against Nationwide in the decision. The notification letter offered victims credit monitoring and identity theft protection services. The Sixth Circuit cited this offer as an action showing that Nationwide recognized the risk of harm presented by the data breach.
There is growing concern that offering these types of mitigation services could be used against companies in future lawsuits. Many companies offer such services in the wake of a data breach, and some state breach notification laws actually require companies to offer victims mitigation services. This presents a tough situation, because companies might be forced to rethink how they respond to a data breach.