This week, with echoes of vintage John Mellencamp in the air, the U.S. Court of Appeals for the Sixth Circuit took a gavel to the wall that for years has blocked consumer class actions for data breach claims – Article III standing.  In Monday’s unpublished, 2-1 decision in consolidated cases against Nationwide Mutual Insurance Company, the court ruled that plaintiff consumers had standing to pursue negligence claims against Nationwide arising out of a 2012 security breach, in which hackers stole personal information of 1.1 million customers.

The Sixth Circuit is now aligned with the Seventh Circuit, which just last year in its Neiman Marcus decision similarly lowered the bar for Article III standing in consumer data breach litigation.

For years, Article III standing was a reliable barrier to consumer damage claims in the wake of data breaches.  Courts ruled with near uniformity that the plaintiffs’ allegations of damages for future identity theft were too speculative to confer standing to sue, and that out-of-pocket expenses for identity theft protection services were merely a voluntary expenditure, not cognizable injury.

In Monday’s ruling, the Sixth Circuit Court of Appeals applied the Supreme Court’s Spokeo test for Article III standing:  plaintiff “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.”  The “injury in fact” element requires a showing that the plaintiff has suffered “‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’”  Imminent injuries must be “certainly impending,” with a “substantial risk” that harm will occur.

According to the Sixth Circuit, plaintiffs’ allegations that their personal data “has already been stolen and is now in the hands of ill-intentioned criminals” sufficed for standing, because it is reasonable to infer that the hackers will use the data for identity theft, and this substantial risk of harm makes the incurring of mitigation costs reasonable.  Also, Nationwide’s alleged security failings made plaintiffs’ claimed injuries “fairly traceable” to Nationwide’s conduct.

Will the Article III standing wall continue to crumble?  We’ll see.  The Sixth Circuit’s Nationwide decision can only go “nationwide” if other circuits, beyond the Sixth and Seventh, follow suit.  But in the meantime, here are two interesting repercussions to ponder:

  • The Sixth Circuit decision used Nationwide’s breach response efforts to bolster plaintiffs’ standing:  “Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.”  This catch-22 should be carefully considered when victim companies craft the language of their breach notices.
  • This ruling, on the heels of the Seventh Circuit’s Neiman Marcus decision, will no doubt have an impact on cyber liability insurance premiums.