Galaria v. Nationwide Mutual Insurance Co.

Court of Appeals for the Sixth Circuit
663 F. App'x 384 (2016)

Rule of Law:

Plaintiffs whose personal information is stolen by a third party in a data breach have Article III standing to sue the entity that failed to protect their data, based on a substantial risk of future identity theft and the reasonably incurred costs to mitigate that risk.


Facts:

  • Nationwide Mutual Insurance Company (Nationwide), an insurance and financial services company, collected and stored sensitive personal information of its customers and potential customers.
  • This information included names, dates of birth, Social Security numbers, and driver's license numbers.
  • On October 3, 2012, hackers breached Nationwide's computer network and stole the personal information of Mohammad Galaria, Anthony Hancox, and approximately 1.1 million other individuals.
  • Nationwide notified Galaria and Hancox of the breach and advised them to monitor their credit reports and bank statements for unusual activity.
  • Nationwide offered one year of free credit monitoring and identity-fraud protection through a third-party vendor.
  • Nationwide also suggested that the affected individuals place a security freeze on their credit reports, but did not offer to cover the associated fees, which could range from $5 to $20.
  • Galaria and Hancox incurred costs and spent time monitoring their finances and taking other steps to mitigate the risk of identity theft, such as instituting credit freezes.

Procedural Posture:

  • Plaintiff Hancox filed a putative class-action complaint against Nationwide in the U.S. District Court for the District of Kansas (a federal trial court).
  • Plaintiff Galaria filed a nearly identical putative class-action complaint against Nationwide in the U.S. District Court for the Southern District of Ohio (a federal trial court).
  • The Kansas district court transferred Hancox's case to the Southern District of Ohio, where the cases were consolidated.
  • Nationwide filed a motion to dismiss the complaints for lack of subject-matter jurisdiction and failure to state a claim.
  • The district court granted Nationwide's motion, dismissing the negligence and bailment claims for lack of Article III standing and the FCRA claims for lack of statutory standing.
  • Plaintiffs' motion for reconsideration and leave to amend the complaint was denied by the district court.
  • Plaintiffs (as appellants) appealed the dismissals of their negligence, bailment, and FCRA claims to the U.S. Court of Appeals for the Sixth Circuit.

Issue:

Does a plaintiff have Article III standing to sue a company for negligence and related claims when their personal data is stolen by hackers in a data breach, creating a substantial risk of future identity theft and causing them to incur mitigation costs, even before any actual identity theft has occurred?


Opinions:

Majority - White, J.

Yes. A plaintiff has Article III standing because the theft of personal data creates a cognizable injury-in-fact. The court reasoned that when sensitive personal data is stolen by malicious actors, there is a substantial and imminent risk of future harm, such as identity theft and fraud, which is not merely speculative. Plaintiffs reasonably incurred mitigation costs (both time and money) to protect themselves from this imminent threat, and these costs constitute a concrete injury. The court also found the injury was fairly traceable to Nationwide's conduct, because but for Nationwide's alleged failure to secure its network, the hackers would not have obtained the data. Finally, the injury is redressable by a favorable court decision awarding damages.


Dissenting - Batchelder, J.

No. A plaintiff does not have Article III standing because they have failed to adequately plead a causal connection between their alleged injury and the defendant's conduct. The dissent argued that the plaintiffs' injury—the increased risk of identity theft—was caused by the independent criminal actions of third-party hackers, not by Nationwide. The complaints offered only conclusory allegations that Nationwide failed to implement proper safeguards, without providing any specific facts about what Nationwide did or failed to do. Without factual allegations plausibly linking Nationwide's specific conduct to the data breach, the injury is not 'fairly traceable' to Nationwide, and standing cannot be established.



Analysis:

This decision aligns the Sixth Circuit with other circuits like the Seventh and Ninth, establishing that the increased risk of future harm following a data breach is a sufficiently concrete injury for Article III standing. By allowing suits based on risk and mitigation costs alone, the ruling lowers the barrier for data breach victims to access federal courts before actual identity theft occurs. This precedent increases the legal exposure for companies that fail to adequately protect consumer data, reinforcing their duty to implement robust security measures and making it easier for consumers to bring class-action lawsuits immediately following a breach.
