Sixth Circuit: Data Breach Victims’ Heightened Risk Of Future Harm Establishes Article III Standing

Until now, a company’s exposure to direct liability type claims for potential harm as a result of a Cyber breach has been gauged as relatively low. A recent decision in the Sixth Circuit has changed all of that and we expect that the Supreme Court will at some point hear a case similar to the one outlined for you below. In a recent article summarized below, Kevin LaCroix author of the D & O Diaries blog discusses the court’s decision and the impact it could have on companies in the future.

One of a defendants most significant arguments in opposing data breach victims’ negligence and breach of privacy claims has been that the claimants that have not suffered actual fraud or identity theft can show no discernible injury and therefore lack Article III standing to assert their claims.

Appellate decisions in the Seventh and Ninth Circuit have previously taken a bite out of this defense, in rulings holding that the victims’ fear of future harm is sufficient to establish standing.

In a case involving alleged victims of a data breach at Nationwide Mutual Insurance Company, the Sixth Circuit has joined others, holding that the claimants’ heightened risk for fraud and mitigation costs were sufficient to establish Article III standing. The Sixth Circuit’s September 12, 2016 opinion, which can be found here, represents the latest in a series of developments evincing courts’ increasing willingness to recognize fear of potential future harm as sufficient to establish standing, which in turn may make it easier for the plaintiffs’ claims in these kinds of data breach cases to go forward

What the Court Decision Means for Companies Regarding Data Breaches

One particular aspect of the Sixth Circuit’s decision may be particularly troubling for companies that have experienced data breaches. In support of its conclusion that the plaintiffs had standing, the Sixth Circuit cited the fact that Nationwide had offered the data breach victims credit monitoring and identify-theft services.

The appellate court said that these moves showed that even Nationwide recognized that the risk of harm was great enough to support these kinds of protective measures. Many companies routinely offer these types of services following a data breach. The concern may now be that offering these kinds of remedial or ameliorative services may actually be held against companies and used as the basis for claimants to establish standing. Companies and their advisers may now need to rethink how to respond and what steps to take following a data breach.

Unless and until the Supreme Court weighs in and sorts out these issues, data breach victims will continue to try, with apparent likelihood of success, that their claims of potential future harm are sufficient to establish Article III standing, even if they cannot allege actual identify theft. The availability of these kinds of arguments not only will make it more difficult for defendants to secure dismissal on Article III standing grounds, but it may encourage more data breach victims to try to pursue negligence and privacy breach type claims.