On September 26, 2016, Nationwide Mutual Insurance Co. (“Nationwide”) petitioned the Sixth Circuit Court of Appeals to reconsider its September 12, 2016 ruling that revived a class action arising out of Nationwide’s 2012 data breach. Citing a notice of supplemental authority filed in another class action pending before the Third Circuit, Nationwide argued that rehearing en banc is necessary to resolve conflicts among the Circuits regarding the injury-in-fact and traceability requirements of Article III standing.
In Galaria et al. v. Nationwide Mutual Insurance Company, the Sixth Circuit reversed the district court’s dismissal of the plaintiffs’ class action lawsuit alleging, in part, negligence and violations of the Fair Credit Reporting Act for Nationwide’s alleged failure to institute protocols protecting against an illegal third-party hack of its computer network. The central issue on appeal was whether, after a data breach has occurred, an increased risk of future identity theft is sufficient to satisfy the injury-in-fact requirement of Article III standing. The plaintiffs argued that they satisfied the injury-in-fact requirement because they were likely to imminently suffer injury and faced a substantial risk of harm due to the data breach. Nationwide argued that such “possible future injury,” without more, is insufficient to confer standing under Article III.
The Sixth Circuit agreed with the plaintiffs, holding that the plaintiffs’ allegations of “a substantial risk of harm, coupled with reasonably incurred mitigation costs,” were sufficient to establish an Article III injury at the pleading stages. The Sixth Circuit held that the plaintiffs’ allegations of “the theft of their personal data places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations” of a possible future injury. In so holding, the Sixth Circuit acknowledged that although it was not “literally certain” that the plaintiffs’ data would be misused, it would be “unreasonable” for the plaintiffs to wait for actual misuse.
In its Petition for Rehearing En Banc, Nationwide stresses that the Sixth Circuit’s September 12, 2016 holding aligns itself with the Seventh and Ninth Circuits, but is in direct conflict with the Third Circuit and the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). Specifically, Nationwide contends that potential future harm caused by unknown, independent actors—those who unlawfully hacked Nationwide’s network—is too speculative to satisfy the requirement in Clapper that threatened harm must be “certainly impending.” Nationwide also argues that the Sixth Circuit should follow the Third Circuit and its decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). There, the Third Circuit held that allegations of standing based on an increased risk of identity theft following a data breach were too speculative because there was no allegation that the hacker “read, copied, and understood the hacked information” or used the information “successfully.”
The Sixth Circuit’s holding has already been relied upon and submitted by parties before the Third, Fourth, and Eighth Circuit Courts of Appeal. As data breaches continue to occur, the issue of whether a plaintiff can satisfy Article III’s injury-in-fact requirement based on potential future harm will present unique issues in standing jurisprudence. Although the Supreme Court decided Spokeo v. Robbins earlier this year, it seems the issues in Nationwide more closely implicate the Supreme Court’s prior decision in Clapper, and may present an issue ripe for review by the Supreme Court in an upcoming term.
 See, e.g., September 14, 2016 Fed. R. App. P. 28(j) Letter submitted in In Re: Horizon Healthcare Services, Inc. Data Breach Litigation, Case No. 15-2309 (3rd Cir.); Response and Reply Brief of Plaintiffs-Appellants Melissa Alleruzzo, et al., Nos. 16-2378, 16-2528 (8th Cir. Sept. 14, 2016); Appellants’ Citation of Supplemental Authorities, Nos. 15-1395, 15-1715 (4th Cir. Sept. 15, 2016).