Sixth Circuit: Risk of Fraud Following Data Breach Establishes Standing
Data theft is on the rise in this country and around the world, as the sophistication of hackers and the illicit markets for stolen information grow. Unfortunately, some courts have stumbled over what should be a simple question when consumers take steps to protect themselves: if their data has been stolen but they have not actually been the victim of fraud, do they have standing to sue the company that was supposed to safeguard their data? The Sixth Circuit recently joined a number of other circuit courts in finding that, since the likelihood that fraud will follow the theft of names, birthdates, social security numbers, and credit card information is a virtual certainty, the answer to that question must be yes.
As a prerequisite to proceeding with a federal lawsuit, Article III of the Constitution requires that every plaintiff establish an injury-in-fact, which the U.S. Supreme Court has defined as an invasion of a legally protected interest that is concrete, particularized, and actual or imminent. In Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), the Supreme Court recently explained that, if plaintiffs want to establish standing based on an imminent future injury, it must be “certainly impending” and that allegations of “possible future injury” are not sufficient. Spending time and money to reduce or offset a “substantial risk” of future harm may also be sufficient to establish standing, if the mitigation expenses are reasonable, even where it is not “literally certain the harms they identify will come about.” As such, plaintiffs who allege a substantial risk of harm, coupled with reasonably incurred mitigation costs, have sufficiently alleged a cognizable Article III injury.
In Galaria v. Nationwide Mut. Ins. Co., No. 15-3386/3387, 2016 U.S. App. LEXIS 16840 (6th Cir. Sep. 12, 2016), the plaintiffs asserted a number of claims arising from the 2012 breach of Nationwide’s computer network, the resulting theft of personally identifying information (PII) belonging to 1.1 million people, and Nationwide’s failure to properly secure their data. They alleged an illicit international market for stolen data and an “imminent, immediate and continuing increased risk” of identity fraud following and as a result of the Nationwide data breach. Plaintiffs cited a study showing that recipients of data-breach notifications were significantly more likely to experience identity fraud, and that victims of identity theft and fraud typically spend hundreds of hours in personal time and hundreds of dollars in personal funds. To mitigate such risks, plaintiffs alleged they had suffered, and would continue to suffer, costs in time and money associated with credit reporting and monitoring services and obtaining and reviewing credit reports, among other things.
Consistent with Clapper and other Supreme Court precedent, the Sixth Circuit found that plaintiffs’ allegations were sufficient to establish Article III standing at the pleading stage of the litigation, even though allegations of actual fraud and identity theft were absent: “Plaintiffs allege that the theft of their personal data places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of ‘possible future injury’ or ‘objectively reasonable likelihood’ of injury that the Supreme Court has explained are insufficient.” Id. at *9 (quoting Clapper, 133 S. Ct. at 1147-48).
Like recent rulings by the Seventh Circuit, the Sixth Circuit took into account the singular criminal purpose behind data theft:
There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals. Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints.
Id. at *9-10 (emphasis added); see also Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693 (7th Cir. 2015) (“Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) (“[A] primary incentive for hackers is sooner or later to make fraudulent charges or assume those consumers’ identities.”).
Along the same lines, the Sixth Circuit found that, while it might not be “literally certain” that plaintiffs’ data will be misused, “it would be unreasonable to expect Plaintiffs to wait for actual misuse—a fraudulent charge on a credit card, for example—before taking steps to ensure their own personal and financial security[.]” Id. at *10. Nationwide recommended that its customers take mitigation steps, and plaintiffs alleged that they spent time and money monitoring their credit, checking their bank statements, and modifying their financial accounts. The court found that those mitigation expenses were also sufficient to establish standing, because there was no reason to believe that plaintiffs were seeking to “manufacture standing by incurring costs in anticipation of non-imminent harm.” Id. at *10-11 (quoting Clapper, 133 S. Ct. at 1155). To the contrary, it found “these costs [were] a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.” Id.
This is the right result. Any holding to the contrary would ignore the criminal purpose behind data theft, force consumers to sit on the sidelines until they were actually victimized, and let companies off the hook for neglecting their duty to properly protect and manage consumers’ sensitive information.