Two Courts of Appeals have issued decisions during the past week related to cybersecurity and data retention that anyone who maintains electronic data and personal information should read.
Yesterday, the Sixth Circuit Court of Appeals revived a cybersecurity data breach class action case in a 2-1 decision. In Galaria v. Nationwide Mut. Ins., Case Nos. 15-3386/3387 (6th Cir. Sept. 12, 2016), plaintiffs brought negligence and Fair Credit Reporting Act claims against Nationwide Insurance on behalf of over one million customers following a 2012 data breach incident where hackers stole personal information from Nationwide’s systems. The district court dismissed the complaint because it concluded that plaintiffs did not have standing and had not suffered an injury in fact. The Sixth Circuit reversed, finding “[p]laintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.” The Sixth Circuit based its ruling on the Supreme Court’s decision this summer in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). The Sixth Circuit also followed two recent decisions by the Seventh Circuit (Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) and Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015)) and recognized that its decision further exacerbates an already existing split among the circuits (see, e.g., Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011)).
In a well-reasoned dissenting opinion, Judge Batchelder concluded that the court did not need to “take sides in the existing circuit split regarding whether an increased risk of identity theft is an Article III injury” because plaintiffs cannot allege a causal connection between Nationwide’s alleged conduct/inaction and plaintiffs’ alleged injury: “[i]f [plaintiffs] suffered injury, it was at the hands of criminal third-party actors, and their complaints do not make the factual allegations necessary to fairly trace that injury to Nationwide.”
We believe there may be an attempt at an en banc hearing and that the apparent developing circuit split on Article III constitutional standing may also be heading back to the Supreme Court in the future for clarification of the Spokeo standard. At this time, however, the recent trend is to allow these cases to move forward beyond motions to dismiss.
At the other end of the spectrum, the Eighth Circuit last week affirmed dismissal of a putative class action against Charter Communications related to data storage. In Braitberg v. Charter Communications, Inc., 2016 U.S. App. LEXIS 16477 (8th Cir. Sept. 8, 2016), plaintiffs alleged that Charter Communications had a policy of maintaining customer information after the customer canceled services with Charter and that the policy violated the Cable Communications Policy Act. Plaintiffs alleged that they did not have to show actual harm in light of the alleged statutory violation, but the Eighth Circuit disagreed. Relying upon Spokeo, the Eighth Circuit reversed its prior precedent and concluded that plaintiffs did not have standing to pursue claims because they could not establish an injury in fact. Plaintiffs could not establish that the data had been accessed or that there was a material risk of harm related to the retention.
Both of these cases emphasize the importance of information governance. Companies need to examine their data retention/destruction and information governance policies and review their cybersecurity practices. Companies should evaluate what data they need to maintain (and what data they can discard) and how they are protecting it.
KMK’s Cybersecurity & Privacy Team is monitoring these developments as courts struggle with cybersecurity issues in litigation and is able to help advise clients on information governance and cybersecurity practices and defend clients in litigation when needed. Should you have any questions or need assistance, please contact a member of the KMK Law Cybersecurity & Privacy Team.
Joe Callow helps clients manage and reduce litigation risk and litigation costs. When litigation arises, he handles and coordinates cases on a national, regional, and local basis.
Joe primarily works on class action and complex ...
Jacob Rhode assists clients with litigation and dispute resolution, helping develop and implement strategies to successfully resolve corporate disputes. He serves as co-leader of the firm's Litigation Group.
Jacob primarily ...