A September 12, 2016 decision out of the U.S. Court of Appeals for the Sixth Circuit adds new fuel to an ongoing legal debate: when a data breach places a business’s sensitive customer information into the hands of hackers, what must a plaintiff allege for a lawsuit against the business to go forward? The Sixth Circuit’s decision, rendered by a divided panel, joined two similar rulings in concluding that an allegation of an “increased risk of future harm” may rise to the level of “injury-in-fact” in such cases, while also shedding light on another question that will continue to drive data breach cases: what allegations are required for a plaintiff to show that the injury from a data breach was “fairly traceable” to—i.e., caused by—the company’s conduct?
In the case, Galaria et al. v. Nationwide Mutual Insurance Company, the majority of a Sixth Circuit panel held that a plaintiff’s allegations of increased risk of future harm from a data breach, combined with the time and money spent to mitigate that harm, were a sufficient injury under Article III of the Constitution. The Court, however, was divided on whether the plaintiffs’ relatively bare allegations satisfied a second element of the Article III standing inquiry: causation. This split suggests that the question of causation will be a key factor in data breach cases going forward.
Background of the Data Breach Case
On October 3, 2012, hackers broke into the computer systems of Nationwide Mutual Insurance Company and stole personal information of over 1 million people. As an insurance and financial services company, Nationwide maintains records containing sensitive information about its customers. Nationwide notified affected customers, offered a year of free credit monitoring, and advised them to monitor their accounts carefully.
Shortly thereafter, two plaintiffs filed putative class actions against Nationwide. They alleged that Nationwide violated the Fair Credit Reporting Act and raised common law claims for negligence and invasion of privacy. The theory underlying each claim was that Nationwide had failed to secure their personal information against a breach.
Nationwide moved to dismiss, arguing that the plaintiffs lacked standing under Article III of the Constitution, because they had only alleged a possible “risk” of future identity theft, which was not sufficient to establish injury under the Constitution. The district court granted the motion and dismissed their claims for lack of jurisdiction.
What Constitutes 'Injury' in Data Breach Litigation?
On appeal, a divided panel of the Sixth Circuit reversed. The panel majority concluded that the allegations that plaintiffs faced a “substantial risk of future harm,” coupled with the costs they incurred to mitigate such harm, were sufficient to establish a constitutional injury. It reasoned that the plaintiffs’ injury was not speculative because, as they alleged, their personal information had “already been stolen” and was “in the hands of ill-intentioned criminals.” Likewise, the majority reasoned that “mitigation costs” to prevent misuse of their personal information—time and money spent monitoring their credit, checking bank statements, and modifying financial accounts—were a sufficient injury under the Constitution, even if it was not “literally certain” that their data would be misused.
In reaching its conclusion, the panel majority joined the Seventh and Ninth Circuits in holding that a substantial risk of future harm—combined with other factors such as mitigation costs—may be sufficient to satisfy the Constitution’s “injury-in-fact” requirement. Although the Third Circuit has reached a contrary result, the Sixth Circuit distinguished the Third Circuit’s case on its facts and called it unpersuasive in any event.
What Constitutes 'Causation' in Data Breach Litigation?
Addressing a further element of the Article III standing inquiry, the Sixth Circuit concluded that plaintiffs’ injury could be fairly traced to the conduct at issue based on allegations that Nationwide failed “to establish and/or implement” appropriate safeguards to prevent the breach.
Strongly disagreeing with the panel majority, the dissenting judge would have affirmed because, in her view, the plaintiffs had not adequately established causation for purposes of Article III standing. As she read them, the plaintiffs’ allegations were insufficient because they only alleged that (i) there was a data breach; and (ii) because of the breach, Nationwide must have failed to adequately protect the information. Without any facts about how the hackers were able to breach Nationwide’s system, the plaintiffs could not show causation; plaintiffs’ allegations were, according to the dissenting judge, “sheer speculation.”
Significance for Future Data Breach Litigation
This decision is notable in two respects. First, it joins two recent decisions in suggesting that, in data breach cases, “increased risk of future harm” can be sufficiently “concrete” to be a cognizable injury under the Constitution, at least if there are reasonably incurred “mitigation costs.” Compare Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (increased risk of future harm sufficient); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (same), with Reilly v. Ceridian Corp., 664 F.3d 38, 45 (3d Cir. 2011) (increased risk of future harm not sufficient).
Second, the split decision on the causation issue foreshadows a front on which future cases may be fought—whether the plaintiff has adequately alleged that his injuries are fairly traceable to (i.e., caused by) the defendant’s conduct.