chevron-down Created with Sketch Beta.
October 12, 2016 Practice Points

Sixth Circuit Reverses District Court, Finds Standing for FCRA Claims in the Wake of Spokeo

Another case attempting to interpret the parameters of Article III standing in statutory class actions

by Ashley Bruce Trehan

The U.S. Supreme Court’s less-than-climactic decision earlier this year in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), has led to cases attempting to interpret the parameters of Article III standing in statutory class actions.

But the Sixth Circuit in Galaria v. Nationwide Mutual Insurance Co., --- F. App'x ----, 2016 WL 4728027 (6th Cir. Sept. 12, 2016), saw no need to wade into Spokeo’s analysis of what “bare procedural violations” or other “circumstances” that might meet Article III’s injury-in-fact requirement. In a 2–1 decision, the panel found the plaintiff had established Article III standing and allowed the plaintiffs’ Federal Credit Reporting Act (FCRA) claims to proceed, reversing the trial court.

The case arose from a data breach at Nationwide, in which hackers stole personal information from 1.1 million Nationwide customers, including the plaintiffs. In response, Nationwide offered its customers one year of free credit monitoring and identity-fraud protection of up to $1 million and also “suggested” its customers set up a fraud alert and place a security freeze on their credit reports. Unlike the monitoring and protection, Nationwide did not offer to pay the $5 to $20 to set up the alert and implement the freeze. (In addition, the security freeze could also impede consumers’ ability to obtain credit.) Plaintiffs sued for violation of the FCRA, which the district court dismissed, reasoning that the plaintiffs lacked Article III standing and “statutory standing.”

On appeal, to test for Article III standing, the Sixth Circuit considered whether plaintiffs established an injury-in-fact, traceability from that injury to the defendant’s alleged conduct, and redressability through a favorable judicial decision.

1. As to injury-in-fact, to the majority, it was enough that the plaintiffs were placed “at a continuing, increased risk of fraud and identity theft” and a “sufficiently substantial risk of harm” beyond just a “possible future injury.” The court’s conclusion was based in part on the assumption that “hackers will use the victims’ data for the fraudulent purposes” alleged by the plaintiffs: The court reasoned that a plaintiff whose information has been stolen need not wait for an actual fraud to occur before taking steps to ensure their security, particularly where, as in Galaria, the defendant had already recommended taking those steps (but did not offer to pay for them, and certainly not into perpetuity). The costs of the plaintiffs to monitor their credit and bank statements and to modify their financial accounts “are a concrete injury suffered to mitigate an imminent harm” that satisfies Article III’s injury-in-fact requirement.

2. As to traceability, the Sixth Circuit found this requirement to be met because the hackers could access data only because of Nationwide’s failure to secure the information. In dissent, Judge Batchelder challenged the conclusion that there was a link between Nationwide and the plaintiffs’ alleged injury.

3. As to redressability, to the majority, a favorable verdict would provide the compensatory damages the plaintiffs seek for their injuries.

Because the plaintiffs had alleged Article III standing, the majority explained that Spokeo did not apply, acknowledging that FCRA claims “may” give rise to Article III standing issues “where the alleged FCRA violation is procedural in nature and the plaintiff suffers no harm.” Thus, despite the lip service to Spokeo, Galaria's finding of Article III standing from the mere “risk” of harm raises questions about what FCRA violation could be so merely “procedural” in a data breach class action to not satisfy Article III.

Ashley Trehan is counsel at Buchanan Ingersoll & Rooney in Tampa, Florida.

Copyright © 2016, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).