Horror stories of what victims of identity theft go through routinely make headlines as large-scale data breaches have gained more attention. Victims may find their financial accounts unexpectedly frozen. They may have credit lines, even mortgages, opened in their names. They may not discover the fraud until they are trying to get their own mortgage or are undergoing a credit check for a new job. The harm identity theft can cause can last years and take an enormous financial, physical, and emotional toll on its victims.
It is all too common for individuals to find out about identity theft only after their private data is misused. But it also happens, often in data breach cases, that individuals learn their personal information, information that could be used to steal their identities, has been before any further fraud has happened.
In those cases, can individuals successfully sue over the data breach in the interim between the theft of the data and its misuse? Can individuals whose information has been stolen sue for their increased risk of identity-based fraud?
At least one court, the Sixth Circuit Court of Appeals, said yes. In a recent appellate decision of class-action claims against Nationwide Mutual Insurance, the Sixth Circuit Court said individuals might have standing to bring their claims even before they have proof their stolen information has been misused.
Nationwide had notified the Plaintiffs that in October 2012, hackers accessed “Nationwide’s computer network and stole the personal information of Plaintiffs and 1.1 million others.” Mohammad S. Galaria 15-3386 v. Nationwide Mut. Ins. Co., No. 15-3386/3387, 2016 U.S. App. LEXIS 16840 (6th Cir. Sep. 12, 2016). The information could have included “names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers, and driver’s license numbers” of customers and of potential customers who had requested insurance quotes. Id.
The Plaintiffs brought several claims against Nationwide, including negligence, alleging Nationwide failed to properly safeguard their private information. They alleged they faced an increased risk of identity-based fraud and theft. The District Court in Ohio which heard the Plaintiffs claims dismissed all the claims. It dismissed the negligence claims finding the Plaintiffs lacked standing because they had not demonstrated they had suffered an “injury in fact.” The Plaintiffs appealed to the Sixth Circuit Court of Appeals.
As explained in the Plaintiffs’ appeal, to have standing to bring a claim, any plaintiff “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Id. (citation omitted). The U.S. Supreme Court has recognized a threatened injury might count in limited circumstances. A “certainly impending” injury may count for standing. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013). An actionable injury might also include the “substantial risk” of harm, even without certainty. Id. at 1150 n.5.
The Sixth Circuit Court of Appeals, in its majority opinion, acknowledged the Plaintiffs faced “a sufficiently substantial risk of harm” and that risk counts as an actionable injury. Galaria, 2016 U.S. App. LEXIS 16840 at *7. The Court noted: “Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes” the Plaintiffs described in their respective complaints. Id. at 6-7.
The Plaintiffs had alleged, for example, that “there is an illicit international market for stolen data, which is used to obtain identification, government benefits, employment, housing, medical services, financial services, and credit and debit cards. Identity thieves may also use a victim’s identity when arrested, resulting in warrants issued in the victim’s name.” Id. at 4-5. They cited research “purporting to show that in 2011 recipients of data-breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%.” Id. at *5. They also argued data breach victims must take measures to guard against and mitigate the increased risk of further harm and the mitigation steps cost time and money. Id.
In other words, the Plaintiffs successfully demonstrated that they faced the real and substantial risk their stolen data would be misused and that risk could and should be injury enough for a lawsuit.
The Court then reiterated what many data breach victims have already claimed: “Where Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiffs to wait for actual misuse—a fraudulent charge on a credit card, for example—before taking steps to ensure their own personal and financial security” especially where Nationwide had already recommended the Plaintiffs monitor their credit and accounts. Id. at 7.
The Sixth Circuit Court of Appeals reversed the dismissal of three claims, including the Plaintiffs’ negligence claim, and remanded the case back to the district court. The Plaintiffs won the right to continue to litigate some of their claims which is no small victory. The appellate decision also may be helpful for other data breach plaintiffs because it provides guidance on how to demonstrate a “substantial risk of harm” in cases where the full potential harm of a data breach is not yet realized. The ultimate outcome and impact of the ongoing case against Nationwide may still be a long way off but this is a case worth watching.
By Alexandra Tracy-Ramirez, HopkinsWay PLLC. | © HopkinsWay PLLC 2016. All rights reserved.