The Sixth Circuit has made it easier for victims of a data breach to proceed in court. In a case involving alleged victims of a data breach at Nationwide Mutual Insurance Company, the appellate court ruled that fear of future harm following a data breach is sufficient to establish Article III standing.

Nationwide Data Breach

Nationwide Mutual Insurance Company suffered a data breach on October 3, 2012. Hackers gained access to Nationwide’s computer network and stole the personal information of 1.1 million customers. The stolen information included: name, date of birth, Social Security number, driver’s license number, gender, marital status, occupation, and employer.

Victims learned of the breach when they received a notification letter from Nationwide. Due to requirements in breach notification laws, Nationwide’s letter offered suggestions for victims to mitigate any potential harm. Suggestions included monitoring bank account statements and credit reports, along with placing a security freeze on credit reports. Nationwide also offered one year of free credit monitoring and identity theft protection services in the notification letter.

Lawsuit

The data breach victims filed a lawsuit against Nationwide asserting claims for negligence, bailment, and violation of the Fair Credit Reporting Act. Victims claimed the data breach presented an “imminent, immediate, and continuing increased risk” of identity fraud. There is a widely recognized market for stolen data, and the victims allege that creates a reasonable risk of identity theft as a result of the data breach. The data breach victims also claimed they incurred financial costs as they purchased mitigation services to protect against the risks of identity fraud.

District Court Decision

The district court granted Nationwide’s motion to dismiss concluding that the victims did not allege a cognizable injury and didn’t have Article III standing to proceed. Additionally, the court ruled that there was no statutory standing under FCRA and they lacked jurisdiction over the claim. Unsurprisingly, the breach victims appealed the ruling.

As a point of reference, parties looking to sue under Article III standing must be able to show that they have suffered actual or threatened injury, that the injury can be fairly traced back to the action of the defendant, and that it’s likely to be redressed by a favorable court decision.

Sixth Circuit Decision

The Sixth Circuit reversed the district’s decision and remanded the case to the district court. The Sixth Circuit held that victims did in fact suffer an injury that, that the injury is fairly traceable to Nationwide’s actions, and that it’s likely to be redressed by a favorable court decision.

According to the Sixth Circuit, the victims’ allegations of “a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury.” Basically, when a data breach targets personal information, it’s reasonable to infer the information will be used for fraudulent purposes. Further, the costs incurred to victims for mitigating the risk of harm represent a sufficient concrete injury itself.

This conclusion is consistent with two recent decisions from the Seventh Circuit in the cases against Neiman Marcus and P.F. Chang’s.

Key Takeaway

This decision by the Sixth Circuit is the latest in a series of key decisions concluding that data breach victims have Article III standing without having alleged actual fraud or identity theft.

This case is also interesting because of how the notification letter was used against Nationwide in the decision. The notification letter offered victims credit monitoring and identity theft services. The Sixth Circuit cited this as an action showing Nationwide’s recognition of the risk of harm presented by the data breach.

There’s growing concern that these types of mitigation services could be held and used against companies in future lawsuits. Many companies offer these types of services in the wake of a data breach. Some state breach notification laws actually require companies to offer victims mitigation services. This presents a tough situation because companies might be forced to rethink their steps in responding to a data breach.

ePlace Solutions, Inc.

Founded in 1999, ePlace Solutions, Inc. (ePlace) is an industry-leading risk management consulting firm focused on mitigating employment/human resources, cyber and director and officer risks.  ePlace’s cyber risk management services deliver resources, best practices and practical guidance to help organizations effectively mitigate the costs and damages of security incidents. ePlace currently provides pre-breach cyber risk management services to over 20,000 organizations throughout the United States and serves as the risk management provider for leading cyber insurance carriers.

ePlace is a risk management information and consulting service, not a law office. Neither ePlace nor the attorneys on staff at ePlace are providing legal advice. The materials and advice available through ePlace are provided “as is” and without any warranties or conditions of any kind either express or implied.

Lara K. Forde

ePlace Solutions, Inc.

Lara Forde is a licensed attorney and Certified Information Privacy Professional (CIPP/US). During her legal practice, Lara managed a high profile, multimillion dollar litigation for an international law firm. Prior to joining ePlace, Ms. Forde helped Fortune 500 organizations, governmental entities, healthcare providers and educational institutions develop and implement response plans designed to lessen the damaging effects from a data breach for a leading response provider which handled many of the largest data breaches publicized to date.

Ms. Forder received her Bachelor of Business Administration and Juris Doctor from Baylor University and her Masters in Law from the University of Houston Law Center.

Elise M. Krause

ePlace Solutions, Inc.

Elise Krause is a co-founder of ePlace Solutions and an attorney licensed in California. Ms. Krause has engaged in a national law practice in Michigan and California with an emphasis on health care, privacy and employment-related matters. In her work as general (outside) counsel to one of California’s largest mental health care providers and long-term nursing home facilities, she regularly navigated complex areas of privacy and HIPAA compliance including representing her clients in HIPAA compliance audits. 

Ms. Krause graduated from the University of California, Hastings College of the Law in 1987. She is an active member of the California State Bar. Additionally, Ms. Krause holds an AV Preeminent rating from Martindale-Hubbell.

0 Comments