Whether a litigant has “standing” to bring a lawsuit has been a threshold question in data breach cases for a number of years. The basic criteria addressing this is found in Article III of the Constitution which limits the jurisdiction of federal courts to “Cases” and “Controversies” “which are appropriately resolved through the judicial process.” Previously, a number of courts have dismissed data breach cases because they lacked standing, as plaintiffs were not able to show a concrete injury and the alleged future injuries were too speculative. The trend seems to be reversing as a number of courts have recently found plaintiffs have standing to file suit in federal court.

Insurers should monitor these “standing” cases for trends that may result in more of their policyholders being named in a data breach suits. Further, while these “standing” cases may not directly impact insurance coverage, insurers may want to monitor them to the extent that the level of safeguards used by policyholders is directly at issue.

On May 16, 2016, the U.S. Supreme Court issued its opinion in Spokeo v. Robins, a highly-contested circuit court split over the question of how to establish standing in federal courts under Article III. In ruling for the data-gathering company, Spokeo, the Court established that while federal standing requires “injury in fact,” such injury must be both “particular and concrete.” While the Spokeo decision did not address the standing issue in the context of data breach cases, it was not difficult to see the reasoning in this decision would ultimately be applied to data breach cases.

As expected, the Spokeo decision has now been used in a data breach case. On September 12, 2016, the 6th U.S. Circuit Court of Appeals entered the fray on the question of whether plaintiffs have standing to bring suit for data breaches. In Galaria v Nationwide Mut. Ins., the plaintiffs claimed that on October 3, 2012, hackers broke into Nationwide’s computer network and stole their personal information. Specifically, in their complaints, the plaintiffs alleged claims for invasion of privacy, negligence, bailment and violations of the Fair Credit Reporting Act (FCRA).

The U.S. District Court for the Southern District of Ohio dismissed the plaintiffs’ complaints concluding the plaintiffs failed to state a claim for invasion of privacy and lacked Article III standing to bring the negligence and bailment claims and lacked statutory standing to bring the FCRA claims.

6th Circuit Applies Reasoning from Supreme Court’s Spokeo Decision

The 6th Circuit, in reversing the District Court, held plaintiffs had Article III standing and, further that the District Court incorrectly dismissed the FCRA claims. The 6th Circuit found plaintiffs had Article III standing because their allegations were “sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.”

In particular, the 6th Circuit found the plaintiffs met the standard recently addressed by the Supreme Court in Spokeo Inc. v. Robins, “[a] plaintiff ‘must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.”

First Spokeo Element: Plaintiffs’ Allegations of Substantial Risk of Harm

In particular, the 6th Circuit found allegations that plaintiffs’ data had been stolen and ended up in the hands of “ill-intentioned criminals” were beyond speculation based on the following reasoning:

Thus, although it might not be “literally certain” that Plaintiffs’ data will be misused, id. at 1150 n.5, there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable. Where Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiffs to wait for actual misuse—a fraudulent charge on a credit card, for example—before taking steps to ensure their own personal and financial security, particularly when Nationwide recommended taking these steps. And here, the complaints allege that Plaintiffs and the other putative class members must expend time and money to monitor their credit, check their bank statements, and modify their financial accounts. Although Nationwide offered to provide some of these services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover. This is not a case where Plaintiffs seek to “manufacture standing by incurring costs in anticipation of non-imminent harm.” Id. at 1155. Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.

The 6th Circuit’s finding of substantial harm was based on the reasoning in two decisions by the 7th U.S. Circuit Court of Appeals related to standing in data breach cases: Remijas v. Neimen Marcus Group, LLC, where the plaintiffs established “substantial risk of harm” related to theft of data; and Lewert v. P.F. Chang’s China Bistro, Inc., where the plaintiffs established they had Article III standing when their credit card information was stolen from restaurant. The 6th Circuit also relied in the 9th U.S. Circuit Court of Appeals decision in Krottner v. Starbucks Corp., where  the plaintiffs had Article III standing when thief stole company laptop with their personal information.

The 6th Circuit distinguished the breach in the Galaria litigation from the data breach analyzed by the 3rd U.S. Circuit Court of Appeals in Reilly v. Ceridian Corp. The 6th Circuit stated the Reilly breach was not on point because it was based on speculation of “an increased risk of identity theft.” On the other hand, the 6th Circuit found the plaintiffs in Galaria “allege an ‘identifiable taking’—the intentional theft of their data.”

Second Spokeo Element: Plaintiffs’ Allegations That Injury Was “Fairly Traceable” to Conduct Being Challenged

In discussing exactly what “traceable” means, the 6th Circuit relied on its own decision in Am. Canoe Ass’n v. City of Louisa Water & Sewer Comm’n for the proposition that “the traceability requirement mainly serves ‘to eliminate those cases in which a third party and not a party before the court causes the injury.” Based on this standard, the 6th Circuit held in Galaria that the Plaintiffs’ allegations that Nationwide failed to take proper measures to protect the plaintiffs’ data met the threshold for Article III standing.

Third Spokeo Element: Plaintiffs’ Allegations of an Injury That “Will Likely Be ‘Redressed by a Favorable Decision’”

Simply, the 6th Circuit finds the plaintiffs’ “seek compensatory damages for their injuries, and a favorable verdict would provide redress.”

Why Does This Decision Matter to Insurers?

It is important for insurers to monitor these cases to the extent the development of this law indicates trends that directly impact the strength of the cases that may be brought against their insureds. These cases can also be useful to determine whether policyholders are taking steps to meet the requirements for cyber coverage to remain in place. For example, the Galaria court found plaintiffs alleged their injuries were “fairly traceable to Nationwide’s conduct.”

In support of its finding, the 6th Circuit referenced allegations that “Defendants failed ‘to establish and/or implement appropriate administrative, technical and/or physical safeguards to ensure the security and confidentiality of plaintiff’s…data to protect against anticipated threats to the security or integrity of such information.’” That is, there were questions as to whether Nationwide had keep the proper safeguards in place.

The issue of whether the proper safeguards were kept in place was a threshold issue in Columbia Cas. v. Cottage Health Sys., one of the most important decisions in the handful of cyber insurance coverage cases that have been litigated. In Cottage Health, the insurer argued coverage was barred by a “failure to follow minimum required practices” exclusion in a cyber insurance policy. This exclusion required the insured to “continuously implement” its cyber security controls identified in the insurance application submitted prior to the inception of the policy. Consequently, the question of whether proper safeguards were installed and properly maintained will undoubtedly be important in both insurance coverage litigation as well as the underlying litigation.