Data breaches such as the one Yahoo recently revealed (500 million accounts!) get the big headlines. In response, large companies double down on their efforts to protect the security of their data.
But small to midsize businesses often fail to appreciate the risk of a data breach to their own business. They may believe that they are not targets because of their size or because they do not hold valuable information. Their “not in my business” assumption is wrong. Indeed, because security measures adopted by small and medium size businesses may not be as up-to-date as those used by national and multinational corporations, and because of the value of data held by every business, regardless of its size, these smaller entities may be just as likely to have their systems targeted as the big corporations. Businesses — regardless of their size — could incur high costs in responding to a breach with a forensic investigation, remediation, notification, and reputation damage control, as well as potential fines under breach notification statutes.
Still, businesses could take heart that there was a relatively low risk of tort litigation brought by those individuals whose data had been exposed. Some states, such as New York, do not recognize a common law right to privacy from which a tort claim could arise. New York does, however, recognize statutory privacy claims, but only in strictly limited cases, such as for invasion of privacy in advertising or for a commercial purpose, or where a unique relationship between parties (such as doctor/patient or attorney/client) creates a duty. See, e.g., Messenger v. Gruner & Jahr Printing & Publishing, 94 N.Y.2d 436 (2000); Foster v. Svenson, 128 A.D.3d 150 (1st Dept. 2015); Farrow v. Allstate Ins., 53 A.D.3d 563 (2d Dept. 2008). See also, Civil Rights Law §§50 and 51. Federal privacy statutes also provide for recovery only in limited circumstances. As such, once the direct costs of responding to a breach had been borne, the risk of subsequent litigation was low.
Now, however, that may be changing.
That’s because the U.S. Court of Appeals for the Sixth Circuit, in Galaria v. Nationwide Mutual Ins., Nos. 15-3386/3387 (6th Cir. Sept. 12, 2016), recently adopted a broad view of “injury-in-fact” for purposes of standing under Article III of the U.S. Constitution to bring privacy claims under diverse theories of recovery. It remains to be seen whether the other circuits will agree, but plaintiffs’ lawyers are likely to argue that Galaria opened the door to standing, which could result in the courts being flooded with privacy claims. (For more on standing in data breach cases, see, “Standing to Assert Claims for Online Privacy Breaches,” in the January 2016 issue.) Moreover, the recognition of a cognizable injury, even in the absence of proof of access to the records, may extend to privacy claims under New York law, such as in connection with “negligence per se” or prima facie tort, or arising from federal statutes intended to impose a duty of security as to categories of private data.
Any business, no matter its size, is at risk of a data breach event so long as it uses interconnected computers, websites, the Internet, or mobile devices for any purpose or allows its employees, partners, contractors, or customers to do so.
Today, no matter a company’s industry or size, it electronically maintains customer information (including order history, payment records, addresses, and telephone numbers); employee information (such as personal health, salary, contact, and financial information, including Social Security numbers and bank accounts); legal, accounting, and finance information (including corporate governance documents, corporate tax documents, communications with legal counsel, and contracts, proposals, and bids); and information about its products, distribution, inventory, and supply chain.
It is within this context that the Galaria ruling should be considered.
After hackers breached the computer network of Nationwide Mutual Insurance Company and stole the personal information of 1.1 million individuals, Nationwide informed them of the breach and advised taking steps to prevent or mitigate misuse of the stolen data, including monitoring bank statements and credit reports for unusual activity. Nationwide also suggested that they set up fraud alerts and place a security freeze on their credit reports.
Nationwide was sued, with plaintiffs alleging claims for violation of the Fair Credit Reporting Act, negligence, invasion of privacy by public disclosure of private facts, and bailment. The plaintiffs alleged that there was an illicit international market for stolen data that was used to obtain identification, government benefits, employment, housing, medical services, financial services, and credit and debit cards. They alleged that identity thieves also might use a victim’s identity when arrested, resulting in warrants issued in the victim’s name. They asserted that the Nationwide data breach had created an “imminent, immediate and continuing increased risk” that they would be subject to identity fraud.
The plaintiffs also contended that they had suffered, and would continue to suffer, costs including “purchasing credit reporting services, purchasing credit monitoring and/or Internet monitoring services, frequently obtaining, purchasing and reviewing credit reports, bank statements, and other similar information, instituting and/or removing credit freezes and/or closing or modifying financial accounts.”
The district court dismissed the complaints, concluding, among other things, that the plaintiffs lacked Article III standing to bring the negligence and bailment claims against Nationwide because they had not alleged a cognizable injury. The plaintiffs appealed to the Sixth Circuit.
Sixth Circuit’s Decision
The Sixth Circuit reversed the district court on the standing issue.
In its decision, it explained that, for Article III standing, a plaintiff must have suffered an injury-in-fact. The circuit court then ruled that the plaintiffs’ allegations of a “substantial risk of harm, coupled with reasonably incurred mitigation costs,” were sufficient to establish a cognizable Article III injury at the pleading stage. It observed that the plaintiffs had alleged that the theft of their personal data had placed them at a “continuing, increased risk of fraud and identity theft” — and found that this was beyond any “speculative allegations” of “possible future injury” that were insufficient under Supreme Court precedent. See, Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (Feb. 26, 2013).
Here, the circuit court added, there was “no need for speculation” given that the plaintiffs had alleged that their data already had been stolen and was in the hands of “ill-intentioned criminals.” One of the plaintiffs, the circuit court noted, contended that he had discovered three unauthorized attempts to open credit cards in his name, and that applications had been made using his name, Social Security number, and date of birth. The circuit court added that Nationwide’s offer to provide credit monitoring and identity theft protection for a full year suggested that it seemed to recognize the severity of the risk.
The circuit court then declared that, where a data breach targeted personal information, a “reasonable inference” could be drawn that the hackers would use the victims’ data for the fraudulent purposes alleged in the plaintiffs’ complaints.
Interestingly, the circuit court said that although it might not be “literally certain” that the plaintiffs’ data would be misused, there was a “sufficiently substantial risk of harm” that incurring mitigation costs was a reasonable step for the plaintiffs to take. Moreover, it added, as the plaintiffs already knew that they had “lost control of their data,” it would be unreasonable to expect them to wait for “actual misuse” before taking steps to ensure their own personal and financial security — particularly because Nationwide had recommended taking these steps.
In the Sixth Circuit’s opinion, this was not a case where plaintiffs sought to “manufacture standing by incurring costs in anticipation of non-imminent harm.” Rather, the costs alleged by the plaintiffs were a “concrete injury suffered to mitigate an imminent harm,” and they satisfied the injury requirement for purposes of Article III standing.
The Seventh and Ninth Circuits, addressing standing in data breach cases, have reached the same conclusion. In Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), the Seventh Circuit held that victims of a data breach at a department store had established injury-in-fact by alleging a “substantial risk of harm” from the theft of their data. See also, Lewert v. P.F. Chang’s China Bistro, 819 F.3d 963 (7th Cir. 2016). The Ninth Circuit similarly found Article III standing in Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010), where employees brought suit after a thief stole a company laptop containing their personal information.
By contrast, the Third Circuit reached a different conclusion in Reilly v. Ceridian, 664 F.3d 38 (3d Cir. 2011), although this case may be distinguishable on the ground that there was no evidence that the intrusion had been intentional or malicious.
What the Second Circuit will decide when it is faced with the issue of standing in a data breach action, and how New York and other state common and statutory law will affect the result, remains to be seen. As concerns about data breach become more acute, however, a litigation option for those who are affected is more likely to be recognized and could have a significant impact on all businesses.
Shari Claire Lewis, a partner in the Long Island office of Rivkin Radler, can be reached at firstname.lastname@example.org.
The views expressed in the article are those of the author and not necessarily the views of her clients or other attorneys in her firm.