Galaria/Hancox v. Nationwide – The Sixth Circuit Rules for Standing in Data Breach Case

• The Sixth Circuit recently joined the minority view that allegations of increased risk of future harm are sufficient to satisfy the issue of standing in data breach cases.
• The Sixth Circuit presently appears to be a more favorable jurisdiction for putative class action plaintiffs when filing data breach lawsuits.

The US Sixth Circuit Court of Appeals recently joined the minority view that allegations of increased risk of future harm are sufficient to satisfy the injury-in-fact element of Article III standing. In Galaria/Hancox v. Nationwide Mut. Ins. Co., Nos. 15-3386/3387, 2016 WL 4728027 (6th Cir. Sep. 12, 2016), the Sixth Circuit reversed the Southern District of Ohio’s ruling that the plaintiffs’ initial putative class action complaint failed to allege injury-in-fact because no actual harm, rather only the increased of future harm, was alleged. The district court had concluded, consistent with the majority of courts to address the issue in this context, that mitigation costs incurred to prevent alleged future harm are insufficient to satisfy the injury-in-fact element of standing, as a plaintiff “‘cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.’” Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 657 (S.D. Ohio 2014) (quoting Clapper v. Amnesty Intern. USA, ––– U.S. ––––, 133 S.Ct. 1138, 1146, 1151 (2013)). But the Sixth Circuit, purporting to follow precedent in the Seventh and Ninth Circuits, held that the Plaintiffs’ allegations of an increased risk of harm and mitigation costs incurred in an effort to prevent such future harm were sufficient to demonstrate standing – a decision contrary to the majority of courts that have ruled on motions to dismiss for lack of standing in the data breach context.
 
The data breach at issue in Galaria/Hancox occurred when, on October 3, 2012, hackers broke into Nationwide Mutual Insurance Company’s computer network and stole the personal information of the plaintiffs and 1.1 million others. The compromised data included names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers, and driver’s license numbers. Nationwide informed plaintiffs of the breach in a letter that advised them to take steps to prevent or mitigate misuse of the stolen data, including monitoring bank statements and credit reports for unusual activity. Nationwide also offered a year of free credit monitoring and identity-fraud protection of up to $1 million through a third-party vendor; suggested that plaintiffs set up a fraud alert and place a security freeze on their credit reports; but did not offer to pay for expenses associated with a security freeze.
 
The mitigation costs alleged in plaintiffs’ initial complaints included purchasing credit reporting services; purchasing credit monitoring and/or internet monitoring services; frequently obtaining, purchasing and reviewing credit reports, bank statements, and other similar information; instituting and/or removing credit freezes; and/or closing or modifying financial accounts. Plaintiffs sought damages for, among other things, the increased risk of fraud; expenses incurred in mitigating risk, including the cost of credit freezes, insurance, monitoring, and other mitigation products; and time spent on mitigation efforts.
 
Article III standing requires a plaintiff to prove “(1) an injury in fact; (2) that is fairly traceable to the challenged conduct of a defendant; and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016). Nationwide moved to dismiss, arguing that plaintiffs had failed to satisfy the injury-in-fact requirement because alleged injuries “are speculative because the Complaint does not allege Named Plaintiffs’ PII was misused or that Named Plaintiffs suffered actual identity theft [and that the plaintiffs had] not alleged [that] they actually incurred any out-of-pocket costs or have spent any time to mitigate the potential risk of identity theft, identity fraud, medical fraud, or phishing.” Galaria, 998 F. Supp. 2d at 653. The Sixth Circuit concluded that the plaintiffs’ allegations were sufficient because “[t]here is no need for speculation where Plaintiffs allege that there data has already been stolen and is now in the hands of ill-intentioned criminals.” Galaria/Hancox, 2016 WL 4728027, at *3. But this rationale appears to violate the well-settled standing rule that where alleged future injury is contingent on the decisions and actions of unknown third-parties, there is no injury-in-fact. See Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1150 (2013); see also Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26 (1976).

Moreover, the Sixth Circuit’s reliance on the Seventh Circuit’s decisions in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), and Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and the Ninth Circuit’s decision in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), is suspect. In Remijas, 9,200 of the 350,000 customers of Neiman Marcus whose personal identifiable information was stolen had experienced identity theft. In Lewert, a named plaintiff had experienced fraudulent charges on the credit card that he had used at P.F. Chang’s. Hence, the Seventh Circuit cases are distinguishable. And Krottner is a pre-Clapper decision, which pre-dates the Supreme Court’s strong emphasis and reiteration in 2013 that alleged future injury must be “certainly impending” to satisfy injury-in-fact.

The Sixth Circuit also noted that the plaintiffs had cited to a study showing that in 2011, recipients of data breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%. Galaria/Hancox, 2016 WL 4728027, at *2. The majority of courts have rejected these statistic arguments because “the degree by which the risk of harm has increased is irrelevant – instead, the question is whether the harm is certainly impending.” In re Science Applications Int’l Corp. Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 25 (D. D.C. 2014). Indeed, in Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871 (N.D. Ill. 2014), the plaintiffs had cited to a similar 2012 study that showed that victims of a data breach were 9.5 times more likely to be victims of identity theft in the future. The court noted that the same study also stated that only 25% of data breach victims actually experience identity fraud which, if true, meant that 75% of data breach victims never experience identity fraud. The Strautins Court held that such a risk is not “certainly impending.” Strautins, 27 F. Supp. 3d at 877.
 
In any event, the Sixth Circuit now appears to be a more favorable jurisdiction for putative class action plaintiffs to file data breach lawsuits. The US Supreme Court has addressed the issue of standing a couple of times over the past few years. Hopefully, it will do so again in the context of data breach litigation to put to rest the split of authority that appears to be widening.
 
Feel free to contact James Westerlind or Andrew Dykens at Arent Fox LLP to discuss this decision or these issues further.