Legal Analysis of Data Breach Case: Galaria et al. v. Nationwide Mutual Insurance Co., Study notes of Federal Courts

A legal analysis of the Galaria et al. v. Nationwide Mutual Insurance Co. case, where plaintiffs' personal data was stolen from Nationwide's computer network, alleging increased risk of fraud and identity theft. The court discusses Article III standing, statutory standing under the FCRA, and dismissal of negligence and bailment claims.

Typology: Study notes

2021/2022

Uploaded on 09/27/2022

jacksonhh 🇬🇧

Partial preview of the text

NOT RECOMMENDED FOR PUBLICATION
File Name: 16a0526n.06

Nos. 15-3386/3387

UNITED STATES COURT OF APPEALS
FOR THE SIXTH CIRCUIT

MOHAMMAD S. GALARIA (15-3386); ANTHONY HANCOX (15-3387), individually and on behalf of all others similarly situated, Plaintiffs-Appellants,

v.

NATIONWIDE MUTUAL INSURANCE COMPANY, Defendant-Appellee.

ON APPEAL FROM THE UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF OHIO

BEFORE: BATCHELDER and WHITE, Circuit Judges; LIPMAN, District Judge.*

HELENE N. WHITE, Circuit Judge. Plaintiffs Mohammad Galaria and Anthony Hancox brought these putative class actions after hackers breached the computer network of Defendant Nationwide Mutual Insurance Company and stole their personal information. In their complaints, Plaintiffs allege claims for invasion of privacy, negligence, bailment, and violations of the Fair Credit Reporting Act (FCRA). The district court dismissed the complaints, concluding that Plaintiffs failed to state a claim for invasion of privacy, lacked Article III standing to bring the negligence and bailment claims, and lacked statutory standing to bring the FCRA claims. In this consolidated appeal, Plaintiffs challenge the dismissal of the negligence, bailment, and FCRA claims. Because we conclude that Plaintiffs have Article III standing and that the district court erred in dismissing the FCRA claims for lack of subject-matter jurisdiction, we REVERSE and REMAND for further proceedings.

* The Honorable Sheryl H. Lipman, United States District Judge for the Western District of Tennessee, sitting by designation.

I. Background

As alleged in the complaints, Nationwide is an insurance and financial-services company that maintains records containing sensitive personal information about its customers, as well as potential customers who submit their information to obtain quotes for insurance products. The data include names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers, and driver’s license numbers.

On October 3, 2012, hackers broke into Nationwide’s computer network and stole the personal information of Plaintiffs and 1.1 million others. Nationwide informed Plaintiffs of the breach in a letter that advised taking steps to prevent or mitigate misuse of the stolen data, including monitoring bank statements and credit reports for unusual activity. To that end, Nationwide offered a year of free credit monitoring and identity-fraud protection of up to $1 million through a third-party vendor. Nationwide also suggested that Plaintiffs set up a fraud alert and place a security freeze on their credit reports. However, Nationwide’s website explained that a security freeze could impede consumers’ ability to obtain credit, and could cost a fee between $5 and $20 to both place and remove. Nationwide did not offer to pay for expenses associated with a security freeze.

Plaintiff Hancox filed a five-count putative class-action complaint against Nationwide in the United States District Court for the District of Kansas, and Plaintiff Galaria filed essentially the same complaint in the United States District Court for the Southern District of Ohio a month later. The Kansas district court transferred Hancox’s action to the Ohio district court, which designated the dockets as related. In Counts I and II of the complaints, Plaintiffs allege that Nationwide willfully and negligently violated the Fair Credit Reporting Act (FCRA), Pub. L. No.

II. Discussion

A. Article III standing

We review de novo the district court’s determination of Article III standing. McKay v. Federspiel, 823 F.3d 862, 866 (6th Cir. 2016). “Article III of the Constitution limits the jurisdiction of federal courts to ‘Cases’ and ‘Controversies,’” and “[t]he doctrine of standing gives meaning to these constitutional limits by ‘identify[ing] those disputes which are appropriately resolved through the judicial process.’” Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)).

The Supreme Court has explained that “the ‘irreducible constitutional minimum’ of standing consists of three elements.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016) (quoting Lujan, 504 U.S. at 560). A plaintiff “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Id. The plaintiff “bears the burden of showing that he has standing,” Summers v. Earth Island Institute, 555 U.S. 488, 493 (2009), and “[e]ach element of standing ‘must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation.’” Fair Elections Ohio v. Husted, 770 F.3d 456, 459 (6th Cir. 2014) (quoting Lujan, 504 U.S. at 561). “Where, as here, a case is at the pleading stage, the plaintiff must ‘clearly . . . allege facts demonstrating’ each element.” Spokeo, 136 S. Ct. at 1547 (quoting Warth v. Seldin, 422 U.S. 490, 518 (1975)). The court “must accept as true all material allegations of the complaint, and must construe the complaint in favor of the complaining party.” Parsons v. U.S. Dep’t of Justice, 801 F.3d 701, 710 (6th Cir. 2015) (quoting Warth, 422 U.S. at 501).

Injury is “the ‘[f]irst and foremost’ of standing’s three elements.” Spokeo, 136 S. Ct. at 1547 (quoting Steel Co. v. Citizens for Better Env’t, 523 U.S. 83, 103 (1998)). “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Id. at 1548 (quoting Lujan, 504 U.S. at 560). Where plaintiffs seek to establish standing based on an imminent injury, the Supreme Court has explained “that ‘threatened injury must be certainly impending to constitute injury in fact,’ and that ‘[a]llegations of possible future injury’ are not sufficient.” Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013) (emphasis in original) (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)). However, the Supreme Court has also “found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm,” even where it is not “literally certain the harms they identify will come about.” Id. at 1150 n.5 (citing cases).

Here, Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation. Plaintiffs allege that the theft of their personal data places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of “possible future injury” or “objectively reasonable likelihood” of injury that the Supreme Court has explained are insufficient. Clapper, 133 S. Ct. at 1147–48. There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals. Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.
Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints. Thus, although it might not be “literally certain” that Plaintiffs’ data will be misused, id. at 1150 n.5, there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable. Where Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiffs to wait for actual misuse—a fraudulent charge on a credit card, for example—before taking steps to ensure their own personal and financial security, particularly when Nationwide recommended taking these steps. And here, the complaints allege that Plaintiffs and the other putative class members must expend time and money to monitor their credit, check their bank statements, and modify their financial accounts. Although Nationwide offered to provide some of these services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover. This is not a case where Plaintiffs seek to “manufacture standing by incurring costs in anticipation of non-imminent harm.” Id. at 1155. Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.[1]

This conclusion is in line with two recent decisions from the Seventh Circuit addressing standing in data-breach cases. In Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir.

[1] The allegation in the proposed amended complaint that Plaintiff Galaria suffered three unauthorized attempts to open credit cards in his name further supports standing. However, Plaintiffs did not seek reconsideration of the district court’s dismissal of their negligence and bailment claims for lack of Article III standing, and did not seek leave to amend the complaint for the purpose of bolstering the allegations in support of standing. The district court could not have abused its discretion in denying reconsideration and leave to amend for reasons that Plaintiffs expressly disclaimed. See generally Leisure Caviar, LLC v. U.S. Fish & Wildlife Serv., 616 F.3d 612, 615–16 (6th Cir. 2010) (discussing the relevant standards). Regardless, we conclude that the allegations in the initial complaint are sufficient.

the direct cause of Plaintiffs’ injuries, the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody. In other words, but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data. These allegations meet the threshold for Article III traceability, which requires “more than speculative but less than but-for” causation. Parsons, 801 F.3d at 714.

This conclusion is consistent with the Eleventh Circuit’s decision in Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir. 2012), which held that injuries from a data breach were fairly traceable to a defendant that failed to secure laptops that were then stolen. The Seventh and Ninth Circuit have also found the traceability requirement met in similar data-breach cases. Lewert, 819 F.3d at 969; Remijas, 794 F.3d at 696; Krottner, 628 F.3d at 1141. Further, in Lambert v. Hartman, 517 F.3d 433, 438 (6th Cir. 2008), we held that identity theft was fairly traceable to a defendant that mishandled the plaintiff’s personal data by releasing it online.
True, the plaintiff in Lambert alleged conduct more egregious than the general allegations of inadequate security presented in Plaintiffs’ complaints; but at the pleading stage, we “presume[] that general allegations embrace those specific facts that are necessary to support the claim.” Lujan v. Nat’l Wildlife Fed’n, 497 U.S. 871, 889 (1990).

Lastly, Plaintiffs must show that their injury “will likely be ‘redressed’ by a favorable decision.” Wittman, 136 S. Ct. at 1736 (quoting Lujan, 504 U.S. at 560–61). Here, Plaintiffs seek compensatory damages for their injuries, and a favorable verdict would provide redress. Thus, we conclude that Plaintiffs’ complaints adequately allege Article III standing.

Nationwide argues in the alternative that the dismissal of the negligence and bailment claims should nonetheless be affirmed on the basis that Plaintiffs failed to state claims for relief. However, because the district court dismissed for lack of jurisdiction, we decline to grant a dismissal on the merits on appeal.

B. Statutory standing under the FCRA

We review de novo the district court’s dismissal of Plaintiffs’ FCRA claims for lack of subject-matter jurisdiction. Askins v. Ohio Dep’t of Agric., 809 F.3d 868, 872 (6th Cir. 2016). The district court concluded that the complaints allege a violation of the FCRA’s statement of purpose rather than a substantive provision of the statute, and dismissed the FCRA claims for lack of statutory standing.

The Supreme Court has explained that the term “statutory standing” describes an inquiry into the question whether a plaintiff “falls within the class of plaintiffs whom Congress has authorized to sue” and therefore “has a cause of action under the statute.” Lexmark, 134 S. Ct. at 1387–88 & n.4.
However, this label is “misleading, since ‘the absence of a valid (as opposed to arguable) cause of action does not implicate subject-matter jurisdiction, i.e., the court’s statutory or constitutional power to adjudicate the case.’” Id. (emphasis in original) (quoting Verizon Md. Inc. v. Pub. Serv. Comm’n of Md., 535 U.S. 635, 642–43 (2002)); see also Facione v. CHL Mortg. Trust 2006-J1, 628 F. App’x 919, 920 (6th Cir. 2015) (noting the “confusion” caused by the term “statutory standing”). The question whether Plaintiffs have a cause of action is a merits issue that is “analytically distinct from the question whether a federal court has subject-matter jurisdiction.” Roberts v. Hamer, 655 F.3d 578, 580 (6th Cir. 2011). If a plaintiff lacks statutory standing—in other words, does not have a cause of action—the proper course is to dismiss for failure to state a claim. Id. at 581.

Thus, the district court erred in concluding that it lacked subject-matter jurisdiction over the FCRA claims. As discussed, Plaintiffs have Article III standing to bring this action,[4] and we see no other jurisdictional defect; the district court’s contrary conclusion was based on an assessment of the merits. We go no further than reversing the district court’s judgment as to its jurisdiction, and decline to address the merits issue on appeal. Instead, we return this question to the district court, which may dismiss for failure to state a claim if it concludes that Plaintiffs do not have a cause of action under the FCRA.

III. Conclusion

For these reasons, we REVERSE the dismissal of Plaintiffs’ negligence, bailment, and FCRA claims for lack of subject-matter jurisdiction and REMAND for further proceedings.

[4] The Supreme Court has explained that FCRA claims may present Article III standing questions where the alleged FCRA violation is procedural in nature and the plaintiff suffers no harm. Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). However, the district court did not address that question, and Plaintiffs have alleged an Article III injury in any event.

negligence did not “motivate” the hacker’s criminal activity, see Parsons v. U.S. Dep’t of Justice, 801 F.3d 701, 714 (6th Cir. 2015), nor have the plaintiffs alleged any direct link between the hacker’s successful crime and an action of Nationwide, Lambert v. Hartman, 517 F.3d 433, 437–38 (6th Cir. 2008). Although a plaintiff need not prove that one particular actor out of many caused his harm, here the plaintiffs do not even allege wrongdoing by Nationwide that might have caused their harm. See Am. Canoe Ass’n, Inc. v. City of Louisa Water & Sewer Comm’n, 389 F.3d 536, 543 (6th Cir. 2004) (holding that a plaintiff could meet standing requirements at the pleading stage by alleging that the defendant was polluting and that the plaintiff was harmed by the pollution, even if other third-party actors were also polluting).

Lambert is particularly notable. A county clerk of court published Cynthia Lambert’s personal information on the internet by making public a traffic citation Lambert had received. 517 F.3d at 435. A criminal used this information to obtain a false driver’s license and make multiple purchases in Lambert’s name. Id. at 435. Lambert sued the clerk and the county for the violation of her privacy rights, but the defendants attacked her standing “on the basis that her injuries [were] not fairly traceable to the Clerk’s website.” Id. at 437.
The court rejected this argument; although the defendants were not “the direct cause of Lambert’s injuries,” the plaintiff specifically linked the act of identity theft to the Clerk’s website through two factual allegations: (1) the driver’s license number on the traffic citation was incorrect by one digit, the same incorrect number on false driver’s license used to steal Lambert’s identity; and (2) the identity thief—who was caught—admitted obtaining the information from the website. Id. at 437–38.

Galaria and Hancox’s alleged injury is an increased risk of identity theft, not the theft itself as in Lambert. But they still need to allege facts establishing a causal link between that increased risk and something Nationwide did or did not do. Accusing Nationwide of “failing to establish and/or implement appropriate . . . safeguards . . . to protect” customers’ personal information, without more, is insufficient to “allow[] the court to draw the reasonable inference” that the breach is fairly traceable to Nationwide. Iqbal, 556 U.S. at 678. It is just another way of saying that Nationwide didn’t prevent the data breach. But no one prevented the data breach; this hardly means that the plaintiffs have standing to sue the FBI or the Ohio Attorney General for not thwarting the hackers’ criminal activities. To establish standing, the plaintiffs must make some factual allegation of a causal connection. This they have failed to do.

The majority manufactures this causal connection on the plaintiffs’ behalf, stating that “but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data.” Nowhere does either complaint allege but-for causation. And although the majority is correct that but-for causation is not required for Article III standing, the plaintiffs’ allegations here are nothing more than sheer speculation. See Parsons, 801 F.3d at 714.
Other circuits’ contrary decisions in similar cases completely ignore the independent third party criminal action breaking the chain of causation. For example, the Eleventh Circuit held that plaintiffs satisfied the fairly traceable requirement by alleging only that the defendant “failed to secure [the plaintiffs’] information on company laptops, and that those laptops were subsequently stolen.”[2] Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir. 2012). And in Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit overlooked the absence of any allegation that Neiman Marcus had specifically done anything that made the data breach easier or had failed to do anything that could have prevented it. 794 F.3d 688, 696 (7th Cir. 2015). The court did not explain how the risk of identity theft could be fairly traceable to Neiman Marcus when that risk was in fact the result of third party criminal action. See also Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 969 (7th Cir. 2016) (ignoring the intervening third party action between the defendant hacked company and the plaintiffs’ injury). We should not make this same mistake.

[2] Even this is more specific than what the plaintiffs have pled here.

The majority sends the case back to the district court for analysis of Nationwide’s motion to dismiss for failure to state a claim. Even were I to conclude that we have jurisdiction over this case, I do not believe a remand is necessary. The plaintiffs have not stated a claim for relief under the FCRA, because the complaint does not allege facts establishing that Nationwide is a “consumer reporting agency” or that Nationwide “furnished” a “consumer report” within the statutory definitions. See, e.g., Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2015 WL 292947, at *3–4 (N.D. Ill. Jan. 21, 2015); Burton v. MAPCO Express, Inc., 47 F. Supp. 3d 1279, 1286–87 (N.D. Ala. 2014); see also Washington v. CSC Credit Servs. Inc., 199 F.3d 263, 265 (5th Cir. 2000) (“[T]he FCRA governs ‘consumer reporting agencies’ like Equifax and CSC [Credit Services] which maintain credit information on consumers and provide it to third parties.”). And the plaintiffs have certainly not alleged the level of causation necessary to plead a claim of negligence. See Whiting v. Ohio Dep’t of Mental Health, 750 N.E.2d 644, 647 (Ohio Ct. App. 2001) (quoting Strother v. Hutchinson, 423 N.E.2d 467, 470–71 (Ohio 1981)) (“‘[P]roximate cause’ is generally established ‘where [a negligent] act . . . in a natural and continuous sequence, produces a result that would not have taken place without the act.’”).

I respectfully dissent.