Last week, in Galaria v. Nationwide Mut. Ins. Co., 2016 U.S. App. LEXIS 16840 (6th Cir. Sept. 12, 2016), the United States Court of Appeals for the Sixth Circuit weighed in on the issue of Article III standing for data breach litigation and effectively lowered the threshold to establish standing. The decision echoes sentiments expressed by the Seventh Circuit in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). The facts are straightforward, and it is part of an ongoing trend by courts to make it easier to allege injury and bring data breach litigation. This will drive up litigation. Yet, here is a bigger problem: the Sixth Circuit based its determination that standing existed to sue a breach victim on actions undertaken by the breach victim to mitigate damage and help consumers prevent the very harm that plaintiffs later sued over. Is the message of “darned if you do” one that courts want to establish? Can decisions like Galaria create an adverse impact on response efforts undertaken by breach victims? These are issues that a breach victim will have to wrestle with early on and provide one more reason why cyber counsel should be retained.
The facts of Galaria are straightforward. In that case, the breach victim, Nationwide, maintained records containing personal information of customers and potential customers, including names, dates of birth, marital statuses, employers, Social Security numbers, and driver’s license numbers. On October 3, 2012, hackers breached Nationwide’s computer network and stole the personal information of 1.1 million people. Id. at *3. In the underlying data breach litigation that followed, putative class actions alleged violation of the Fair Credit Reporting Act (“FCRA”) through Nationwide’s failure to adopt required procedures to protect against wrongful dissemination of plaintiffs’ data. Plaintiffs also alleged claims for negligence, and invasion of privacy by public disclosure of private facts – all based on Nationwide’s failure to secure Plaintiffs’ data. Id. at *4.