CyberSecurity News: Spokeo, Galaria and Braitberg
Two Courts of Appeals have issued decisions during the past week related to cybersecurity and data retention which anyone who maintains electronic data and personal information should read.
Yesterday, the Sixth Circuit Court of Appeals revived a cybersecurity data breach class action case in a 2-1 decision. In Galaria v. Nationwide Mut, Ins., Case Nos. 15-3386/3387 (6th Cir. Sept. 12, 2016), plaintiffs brought negligence and Fair Credit Reporting Act claims against Nationwide Insurance on behalf of over one million customers following a 2012 data breach incident where hackers stole personal information from Nationwide’s systems. The district court dismissed the complaint because it concluded that plaintiffs did not have standing and had not suffered an injury in fact. The Sixth Circuit reversed, finding “[p]laintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.” The Sixth Circuit based its ruling on the Supreme Court’s decision this summer in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). The Sixth Circuit also followed two recent decisions by the Seventh Circuit (Lewart v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) and Remijas v. Nieman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015)) and recognized that its decision further exacerbates an already existing split among the circuits (see, e.g., Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011)).
In a well-reasoned dissenting opinion, Judge Batchelder concluded that the court did not need to “take sides in the existing circuit split regarding whether an increased risk of identity theft is an Article III injury” because plaintiffs cannot allege a causal connection between Nationwide’s alleged conduct/inaction and plaintiffs’ alleged injury: “[i]f [plaintiffs] suffered injury, it was at the hands of criminal third-party actors, and their complaints do not make the factual allegations necessary to fairly trace that injury to Nationwide.”
We believe there may be an attempt at an en banc hearing and that the apparent developing circuit split on Article III constitutional standing may also be heading back to the Supreme Court in the future for clarification of the Spokeo standard. At this time, however, the recent trend is to allow these cases to move forward beyond motions to dismiss.
At the other end of the spectrum, the Eighth Circuit last week affirmed dismissal of a putative class action against Charter Communications related to data storage. In Braitberg v. Charter Communications, Inc., 2016 U.S. App. Lexis 16477 (8th Cir. Sept. 8, 2016), plaintiffs alleged that Charter Communications had a policy of maintaining customer information after the customer canceled services with Charter and that the policy violated the Cable Communications Policy Act. Plaintiffs alleged that they did not have to show actual harm in light of the alleged statutory violation, but the Eighth Circuit disagreed. Relying upon Spokeo, the Eighth Circuit reversed its prior precedent and concluded that plaintiffs did not have standing to pursue claims because they could not establish an injury in fact. Plaintiffs could not establish that the data had been accessed or that there was a material risk of harm related to the retention.
Both of these cases emphasize the importance of information governance. Companies need to examine their data retention/destruction and information governance policies and review their cybersecurity practices. Companies should evaluate what data they need to maintain (and what data they can discard) and how they are protecting it.
KMK’s Cybersecurity & Privacy Team is monitoring these developments as courts struggle with cybersecurity issues in litigation and is able to help advise clients on information governance and cybersecurity practices and defend clients in litigation when needed. Should you have any questions or need assistance, please contact a member of the KMK Law Cybersecurity & Privacy Team.
KMK Legal Alerts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
©2016 Keating Muething & Klekamp PLL. All Rights Reserved.