Two Courts of Appeals have issued decisions during the past week related to cybersecurity and data retention which anyone who maintains electronic data and personal information should read.
Yesterday, the Sixth Circuit Court of Appeals revived a cybersecurity data breach class action case in a 2-1 decision. In Galaria v. Nationwide Mut, Ins., Case Nos. 15-3386/3387 (6th Cir. Sept. 12, 2016), plaintiffs brought negligence and Fair Credit Reporting Act claims against Nationwide Insurance on behalf of over one million customers following a 2012 data breach incident where hackers stole personal information from Nationwide’s systems. The district court dismissed the complaint because it concluded that plaintiffs did not have standing and had not suffered an injury in fact. The Sixth Circuit reversed, finding “[p]laintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.” The Sixth Circuit based its ruling on the Supreme Court’s decision this summer in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). The Sixth Circuit also followed two recent decisions by the Seventh Circuit (Lewart v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) and Remijas v. Nieman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015)) and recognized that its decision further exacerbates an already existing split among the circuits (see, e.g., Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011)).
In a well-reasoned dissenting opinion, Judge Batchelder concluded that the court did not need to “take sides in the existing circuit split regarding whether an increased risk of identity theft is an Article III injury” because plaintiffs cannot allege a causal connection between Nationwide’s alleged conduct/inaction and plaintiffs’ alleged injury: “[i]f [plaintiffs] suffered injury, it was at the hands of criminal third-party actors, and their complaints do not make the factual allegations necessary to fairly trace that injury to Nationwide.”
We believe there may be an attempt at an en banc hearing and that the apparent developing circuit split on Article III constitutional standing may also be heading back to the Supreme Court in the future for clarification of the Spokeo standard. At this time, however, the recent trend is to allow these cases to move forward beyond motions to dismiss.
At the other end of the spectrum, the Eighth Circuit last week affirmed dismissal of a putative class action against Charter Communications related to data storage. In Braitberg v. Charter Communications, Inc., 2016 U.S. App. Lexis 16477 (8th Cir. Sept. 8, 2016), plaintiffs alleged that Charter Communications had a policy of maintaining customer information after the customer canceled services with Charter and that the policy violated the Cable Communications Policy Act. Plaintiffs alleged that they did not have to show actual harm in light of the alleged statutory violation, but the Eighth Circuit disagreed. Relying upon Spokeo, the Eighth Circuit reversed its prior precedent and concluded that plaintiffs did not have standing to pursue claims because they could not establish an injury in fact. Plaintiffs could not establish that the data had been accessed or that there was a material risk of harm related to the retention.
Both of these cases emphasize the importance of information governance. Companies need to examine their data retention/destruction and information governance policies and review their cybersecurity practices. Companies should evaluate what data they need to maintain (and what data they can discard) and how they are protecting it.
KMK’s Cybersecurity & Privacy Team is monitoring these developments as courts struggle with cybersecurity issues in litigation and is able to help advise clients on information governance and cybersecurity practices and defend clients in litigation when needed. Should you have any questions or need assistance, please contact a member of the KMK Law Cybersecurity & Privacy Team.
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.
© 2021 Keating Muething & Klekamp PLL. All Rights Reserved
Joe Callow helps clients manage and reduce litigation risk and litigation costs. When litigation arises, he handles and coordinates cases on a national, regional, and local basis.
Joe primarily works on class action and complex ...
Drew Hicks assists clients in litigation and dispute resolution by, among other things, advising clients on litigation risk management and cost issues. Drew focuses his practice on representing public and private companies in a ...
Jacob Rhode assists clients with litigation and dispute resolution, helping develop and implement strategies to successfully resolve corporate disputes.
Jacob primarily works on complex commercial and financial services ...
- Class Action Litigation
- Cybersecurity and Privacy Law
- Data Breach
- Securities Law
- Supreme Court
- Sixth Circuit
- Intellectual Property
- Social Media
- Trademark Litigation
- Initial Coin Offering
- Federal Rules of Civil Procedure
- Bet-the-Company Litigation
- E-Discovery Case Law
- Electronic Data Discovery
- Employment Law
- Workplace Accommodations
- Employer Policies
- Labor & Employment Law
- Labor Law
- General Data Protection Regulation
- Securities Litigation
- Stock Drop
- Drug Enforcement Agency
- Medical Marijuana
- Ohio Foreclosure Reform
- Craft Brewing
- Cybersecurity Regulation
- Copyright Law
- Environmental Law
- Fair Housing Act
- Health Care Act
- Healthcare Reform
- Pregnancy Discrimination
- Religion Discrimination
- Seventh Circuit
- Electronically Stored Information
- Americans with Disabilities Act
- Cyber Insurance
- Receivership Statute
- Business Process Improvement
- Employment Litigation
- Employer Handbook
- Employer Rules
- National Labor Relations Act
- National Labor Relations Board
- E-Discovery Project Plan
- Predictive Coding
- TAR ( Technology Assisted Review)
- Quality Representation
- Land Use & Zoning
- Statute of Limitations
- Construction Litigation
- Federal Rule
- TransUnion LLC v. Ramirez and the Impact on Class Action Litigation
- Questioning the Questionnaires: New PPP-Related Litigation Raises Issues for Borrowers
- "You Don't Have to Go Home But You Can't Stay Here": Updates to Ohio and Kentucky’s COVID-19 Orders Impacting Bars & Restaurants
- Kentucky Restaurants Begin Opening with Limited Capacity Amid COVID-19 Epidemic
- Ohio Restaurants and Bars Begin Soft Openings for Diners Amid COVID-19 Epidemic
- Supreme Court Sidesteps “Cy Pres” Challenge
- Golfers, New and Old - Be Careful!
- "Aloha Poke": Social Media and Consumer Perception are Part of the Trademark Enforcement Equation
- GDPR: Less Than 100 Day and Counting to "G-Day" - Here's What You Need to Know
- Rapid SEC Action Against AriseBank Reveals New Playbook For Allegedly Fraudulent ICOs