US Court of Appeals Law Suit Challenging Data Breach Caused by Hackers

The U.S. Court of Appeals for the Sixth Circuit determined that allegations of damage after a data breach caused by hacking are sufficiently concrete to confer Article III making it more difficult for companies defending data breach suits.

In a lawsuit against Nationwide Mutual Insurance Co., the plaintiffs alleged the invasion of privacy, negligence and bailment, were violations of the Fair Credit Reporting Act or FCRA. The plaintiffs claimed that there is a present and growing international market for stolen personal information and that identity thieves use victims’ personal information for illicit purposes. According to the plaintiffs, the breach created an “imminent, immediate and continuing increased risk” and that the plaintiffs and class members would be subject to identity fraud.  The plaintiffs also alleged that victims of identity theft typically spend a great deal of time, effort and personal funds to reclaim their identity.  The plaintiffs sought damages for the pending risk of identity theft, as well as the costs incurred in mitigating the risk including the cost of postponing ones credit.

The court determined that the plaintiffs’ allegations of a substantial risk of harm, along with associated court costs, were sufficient to establish potential damages.  Due to the fact that the plaintiffs identities were now in the hands of criminals, it is likely to assume that the identities would be used for illicit gain and that the allegations were not frivolously presumptuous for future fraudulent activities.  One plaintiff had already experienced fraudulent attempts to obtain credit accounts under his name during the trial.  It has been determined that hackers stole about 350K credit card numbers and that in fact, over 9,000 cases of unauthorized usage was sited.

Despite the fact that Nationwide recognized the severity of the claims as it offered to provide free credit monitoring for up to one year, the court ultimately concluded that the plaintiffs’ allegations of  failure to properly deploy sufficient safeguards protecting the safety and confidentiality of personal information was sufficient and adequate.  The court determined that the hackers were able to access the data and records of its victims because of the negligent activities performed by Nationwide.