Group of professionals discuss finance

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Banking and Finance Law Daily, September 15, 2016

Article III standing recognized in data hacking case based on FCRA violations

By Howard Smukler, J.D.

Customers who were the victims of a data hacking intrusion on an insurer’s computers had standing to pursue Fair Credit Reporting Act claims against the insurer, the U.S. Court of Appeals for the Sixth Circuit has decided. The allegation of an intentional theft of data, combined with the substantial risk of misuse, and coupled with reasonably incurred mitigation costs was sufficient to establish Article III standing. Since Article III standing existed, the appellate court found it unnecessary to address the specific issue of whether the customers had stated an FCRA claim (Galaria v. Nationwide Mutual Insurance Co., September 12, 2016, White, H.).

On October 3, 2012, hackers broke into Nationwide Mutual Insurance Company’s computer network and stole the personal information of 1.1 million customers and potential customers, obtaining personal data which included names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers, and driver’s license numbers. By letter, the insurer notified the customers of the breach and advised them to take steps to prevent misuse of the stolen data including heightened monitoring of credit reports, setting up a fraud alert and placing a security freeze on credit reports. Some of these preventative measures would be paid by the insurer, but other costs would have to be borne by the customers.

The customers filed a lawsuit against the insurer claiming willful and negligent violation of the FCRA by failing to adopt required procedures to protect against wrongful dissemination of customer data. Other than the actual act of hacking, no specific harm had affected the customers at the time of the filing of the complaint. Instead the complaint alleged "an imminent, immediate and continuing increased risk," including substantial financial costs incurred as a result of the hacking. Subsequent to the initial filing, one of the customers sought to amend the complaint by including the discovery of three unauthorized attempts to open credit cards in the customer’s name.

Article III standing. In order to have standing to bring the lawsuit, the customers must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision. With regards to actual injury, the court found the allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, was sufficient to establish a cognizable Article III injury at the pleading stage of the litigation. It was a fact that data had been stolen and was in the hands of ill-intentioned criminals. The insurer’s letter and offer to pay for additional protection services validated that fact. Thus, not only were the risks of misuse real but there were actual costs that would be incurred to remedy the harm caused by the hacking.

The court also found that the customers sufficiently had alleged that their injuries were fairly traceable to the insurer’s conduct. Specifically, they alleged a failure to establish and implement appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of the data. But for the insurer’s alleged lax security, the hackers would not have been able to steal the data. Finally, the court recognized that by seeking compensatory damages for their injuries, the customers could receive adequate redress for their anticipated damages.

FCRA standing. The district court had concluded that customers did not have subject-matter jurisdiction under the FCRA because their complaint alleged a violation of the FCRA’s statement of purpose rather than a substantive provision of the statute, and dismissed the FCRA claims for lack of statutory standing. This conclusion, however, rendered a judgment on the validity of the subject matter of the cause of action and not on the issue of proper standing to bring the law suit. In effect the district court should have dismissed for failure to state a claim, rather than dismissal based on lack of statutory standing, the Sixth Circuit concluded. Thus, because Article III standing existed, the court found it unnecessary to address the specific issue of whether the customers stated an FCRA claim.

The case is Nos. 15-3386/3387

Attorneys: Ben Barnow (Barnow & Associates, P.C.) for Mohammad S. Galaria. Michael Hiram Carpenter (Carpenter, Lipps & Leland) and Mark P. Szpak (Ropes & Gray LLP) for Nationwide Mutual Insurance Co.

Companies: Nationwide Mutual Insurance Co.

MainStory: TopStory CyberPrivacyFeed FairCreditReporting KentuckyNews MichiganNews OhioNews TennesseeNews

Banking and Finance Law Daily

Introducing Wolters Kluwer Banking and Finance Law Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.

A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.