The case arose from a data breach at Nationwide, in which hackers stole personal information from 1.1 million Nationwide customers, including the plaintiffs. In response, Nationwide offered its customers one year of free credit monitoring and identity-fraud protection of up to $1 million and also “suggested” its customers set up a fraud alert and place a security freeze on their credit reports. Unlike with the monitoring and protection, Nationwide did not offer to pay the $5 to $20 to set up the alert and implement the freeze. (In addition, the security freeze could impede consumers’ ability to obtain credit.) Plaintiffs sued for violation of the FCRA, a suit the district court dismissed, reasoning that the plaintiffs lacked Article III standing and “statutory standing.”
On appeal, to test for Article III standing, the Sixth Circuit considered whether plaintiffs established an injury-in-fact, traceability from that injury to the defendant’s alleged conduct, and redressability through a favorable judicial decision.
1. As to injury-in-fact, the majority found it enough that the plaintiffs were placed “at a continuing, increased risk of fraud and identity theft” and a “sufficiently substantial risk of harm” beyond just a “possible future injury.” The court’s conclusion was based in part on the assumption that “hackers will use the victims’ data for the fraudulent purposes” alleged by the plaintiffs: The court reasoned that a plaintiff whose information has been stolen need not wait for an actual fraud to occur before taking steps to ensure their security, particularly where, as in Galaria, the defendant had already recommended taking those steps (but did not offer to pay for them, and certainly not in perpetuity). The plaintiffs’ costs to monitor their credit and bank statements and to modify their financial accounts “are a concrete injury suffered to mitigate an imminent harm” that satisfies Article III’s injury-in-fact requirement.
2. As to traceability, the Sixth Circuit found this requirement to be met because the hackers could access data only because of Nationwide’s failure to secure the information. In dissent, Judge Batchelder challenged the conclusion that there was a link between Nationwide and the plaintiffs’ alleged injury.
3. As to redressability, the majority reasoned that a favorable verdict would provide the compensatory damages the plaintiffs seek for their injuries.
Because the plaintiffs had alleged Article III standing, the majority explained that Spokeo did not apply, acknowledging that FCRA claims “may” give rise to Article III standing issues “where the alleged FCRA violation is procedural in nature and the plaintiff suffers no harm.” Thus, despite the lip service to Spokeo, Galaria’s finding of Article III standing from the mere “risk” of harm raises questions about what FCRA violation could be so merely “procedural” in a data breach class action as to not satisfy Article III.