The Sixth Circuit joined the growing trend of appellate courts holding that plaintiffs had demonstrated standing for data breach class actions in Galaria et al. v. Nationwide Mutual Insurance Company. In a recent order, the Sixth Circuit highlighted yet another fact that supports standing, that clients should consider in their post-breach response efforts: a recommendation that consumers set up fraud alerts and place security freezes on credit reports, without an accompanying offer to pay for the security freeze itself.
This past spring, the Supreme Court inked Spokeo v. Robbins, a highly influential decision requiring plaintiffs to allege an injury in fact that is not only “particularized,” but also “concrete.” Prior to Spokeo, the wind appeared to be shifting, most notably in the Seventh Circuit, which twice in the past 15 months held that consumer plaintiffs had established standing to pursue data breach class actions. First in Neiman Marcus, and then in P.F. Chang’s, the Seventh Circuit held that after a data breach had occurred, the increased risk of fraud and identity theft each constituted an injury in fact because the data breach had already occurred and there was no other reason why hackers would steal such data. Notably, in each instance the court used the company’s post-breach statements and actions as evidence to infer harm at the pleadings stage. In Neiman Marcus, the widespread offer of free credit monitoring was deemed a concession by Neiman that plaintiffs faced non-speculative and imminent risk of harm, warranting their mitigation expenses. In P.F. Chang’s, the company’s recommendation to consumers to monitor their credit reports and an early (and overbroad) notice indicating that all stores may have been affected likewise allowed the inference that mitigation expenses were reasonable.
The Sixth Circuit Side-Steps Spokeo
Although Nationwide is among the first appellate cases to apply Spokeo to a data breach class action, the opinion does not mark a sea change in the litigation landscape. The Sixth Circuit acknowledged that “[t]o establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” However, the Sixth Circuit’s reasoning relied more heavily on the Supreme Court’s earlier decision in Clapper v. Amnesty Int’l USA. That case establishes standing where there is a “‘substantial risk’ that harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.”
Like in Neiman Marcus and P.F. Chang’s, the Sixth Circuit concluded that there was a substantial risk of harm resulting from Nationwide’s reported breach of the names, Social Security numbers, and other personal data of roughly 1.1 million consumers. The court held that the theft of their personal data put them at an increased risk of fraud and identity theft. And, just as in Neiman and P.F. Chang’s, the court relied on Nationwide’s offer to provide credit monitoring as evidence of the reasonableness of mitigation expenses. But, the court further noted that Nationwide had recommended that consumers consider putting a freeze on credit reports, explaining that such freezes could impede the ability to obtain credit, and could cost a fee between $5 and $20 to place and remove such freezes. Notwithstanding that some states require companies to advise consumers about the availability of a credit freeze (e.g., Massachusetts requires substantial detail on the credit freeze process), the Sixth Circuit pointed to Nationwide’s credit freeze advice, those costs, and Nationwide’s failure to offer coverage for those costs in ruling for the plaintiffs. According to the court, there is a “reasonable inference” that hackers will use stolen data for fraudulent purposes and thus, “there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable.”
What Does it Mean?
- Credit monitoring should not be offered as a matter of due course, but rather in those situations where it truly may provide value to consumers (i.e., in a breach of Social Security information) or where it is required by state law (e.g., Connecticut). Companies should at least be aware of the collateral litigation consequences before signing up a vendor to cover an entire affected population with credit monitoring.
- Care should be taken in describing protective measures that consumers should take—even where mandated by statute—to avoid creating an inference that the security issue or problem is broader than it actually is.
- Early announcements are risky. Though many state statutes require notice within a certain number of days (for example, Vermont requires notice to the Attorney General no later than 14 days after discovery of the breach) companies should be patient in communicating with the public, and balance the desire to provide prompt notice against the danger of including overbroad (or even unhelpful) information in a consumer notice letter.
Second, Nationwide emphasizes the point that statutorily required notification elements can be tricky, and a company’s required statement in a notification letter can be used against it in data breach litigation. As we discussed previously, organizations should recognize the risk associated with a one-size-fits all notification approach that seeks to combine various statutory requirements for purposes of administrative ease. And, in certain situations, it may very well be worth it to issue tailored notices to individuals in certain states.
Third, although a somewhat standardized practice is evolving in terms of what organizations provide at no-charge to consumers after a breach (e.g., 2 years of free credit monitoring if a Social Security number is compromised), that practice warrants further consideration. Had Nationwide paid for more extensive credit monitoring or offered to compensate individuals for the fees incurred in putting a credit freeze on their reports, it may have been more difficult for the Sixth Circuit to conclude that the mitigation expenses were reasonable and sufficient to establish standing.