In its recent decision in Galaria v. Nationwide Mut. Ins. Co., No. 15-3386 (6th Cir. Sept. 12, 2016), a divided Sixth Circuit panel held that plaintiffs had standing to assert claims arising from hackers’ alleged theft of data containing plaintiffs’ sensitive personal data, including dates of birth and Social Security numbers. In so ruling, the court became the latest to hold that hackers’ targeted theft of personal identifying information (“PII”), standing alone, creates a substantial risk of harm that is sufficient to satisfy the concrete injury requirement for standing under Article III of the United States Constitution.
The lawsuit concerned a 2012 data breach in which hackers stole data that Nationwide collected for purposes of underwriting life insurance policies. Plaintiffs were among those who received notice that hackers had stolen data containing the names, dates of birth, marital status, genders, occupations, employers, Social Security numbers and driver’s license numbers for individuals who had applied for insurance from Nationwide. Criminals are increasingly targeting PII like that stolen here because it can be used to engage in fraudulent borrowing or to file false tax returns to obtain illegal refunds, making such data valuable on the black market. However, as is true in many cases involving PII data breaches, plaintiffs did not allege that their PII had actually been misused. Also, Nationwide offered a year of free credit monitoring and identity-theft protection insurance to individuals whose information had been stolen. Based on those protections and plaintiffs’ failure to allege actual misuse of stolen data, the district court granted Nationwide’s motion to dismiss for lack of standing.
On appeal, plaintiffs argued that the district court had failed to appreciate the injury that plaintiffs had suffered. Because hackers target PII for the express purpose of misusing it, plaintiffs contended that the risk of injury was neither speculative nor remote. And, even absent actual misuse of data, plaintiffs argued that instituting credit monitoring and other protections against identity theft imposed a cost in time and money on affected individuals. The Sixth Circuit agreed, rejecting Nationwide’s argument that misuse of data must be “literally certain” to confer Article III standing. In the court’s view, criminals’ deliberate theft of plaintiffs’ PII created an immediate, serious and tangible risk that impelled plaintiffs to take protective action, thereby imposing a concrete and cognizable injury. Cf. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147-48 (2013) (mere speculation that private information collected by the government in connection with anti-terrorism activities might be misused for other improper purposes did not result in a cognizable injury for purposes of Article III standing).
One member of the panel dissented, focusing not on whether there had been an injury, but instead on whether plaintiffs had alleged that their injuries were fairly traceable to wrongdoing by Nationwide. Insofar as the cause of any injury was a criminal breach of Nationwide’s computer systems, the dissent argued that the injury was traceable to the hackers’ conduct, and not to Nationwide. The majority, however, took the view that proximate cause is distinct from standing. Even if criminal misconduct might be considered an intervening cause for purposes of substantive liability, the claimed injuries resulting from theft of data are reasonably related to Nationwide’s alleged misconduct – its purported failure to take reasonable steps to protect the data. That nexus, the majority concluded, was sufficient to confer standing.
The decision in Galaria may signal an increasing willingness of courts to find standing where PII has been stolen. Cases cited by the Sixth Circuit evidence an erosion in the viability of standing defenses even in payment card breach cases, where courts have found consumers have standing to assert card theft claims notwithstanding consumers not having to pay for fraudulent charges using stolen card numbers. See, e.g., Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). The greater risk posed to consumers by targeted theft of their personal information provides stronger grounds for courts to conclude that sufficient injury has occurred to confer Article III standing, irrespective of whether a plaintiff’s PII has yet been misused.
Despite this victory on appeal, plaintiffs will face challenges on remand. Because it dismissed based on lack of standing, the district court did not address Nationwide’s strong arguments why plaintiffs’ claims should be dismissed for failure to state a claim. In particular, plaintiffs argue that Nationwide’s purported failure to take reasonable steps to protect plaintiffs’ information violated the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq. Insofar as the FCRA only regulates credit reporting agencies, it should not apply to Nationwide’s conduct here. A decision on remand dismissing the FCRA claims would eliminate plaintiffs’ ability to recover statutory damages under the FCRA, leaving common law claims for actual damages that would both be small and difficult to prove on a classwide basis.
Finally, this decision breaks no new ground in the application of the Supreme Court’s recent decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016). In Spokeo, the Supreme Court held that mere violation of a federal statute did not confer Article III standing absent a concrete injury flowing from that violation. Although this case, like Spokeo, alleged a violation of the FCRA, plaintiffs here alleged injuries that were distinct from the alleged FCRA violation. Accordingly, the Sixth Circuit addressed the sufficiency, and not merely the existence, of a cognizable injury for purposes of evaluating Article III standing.