Court Says Customers Can Sue For Data Breaches

A new data breach or hack attack is in the news almost every week.

For example, the New York Times recently reported on secret "back doors" in some Android phones that sent to China information about where users went, who they talked to, and what texts they sent.

And of course, hacking and the threat of hacking have been a big part of the story of the 2016 elections. As Fortune reported,

A Homeland Security official has confirmed that hackers have targeted the voter registration systems of more than 20 states...

Possibly the biggest attack ever involved Yahoo. As Fortune reported, hackers

obtained consumers’ names, email addresses, phone numbers, birthdates and “hashed passwords”...  In some cases they also stole security questions and answers that would let the hackers access the account.

What can consumers do when their personal information is compromised?

For one thing, they can sue.


In the case of Galaria v. Nationwide Mutual Insurance Co., two plaintiffs brought putative class actions after hackers breached the computer network of Nationwide Mutual Insurance Company and stole their personal information.

The theft involved "names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers, and driver’s license numbers." The theft affected 1.1 million people.

Nationwide responded by telling victims about steps they could take to prevent or mitigate misuse of the stolen data, including monitoring their bank and credit card statements for unusual activity.

Nationwide offered a free year of credit monitoring and identity fraud protection. Nationwide also suggested that the victims set up a fraud alert and put a security freeze on their credit reports. However, this freeze could impede victims' ability to obtain credit, and it could cost from $5 to $20 to place and remove each freeze -- something Nationwide didn't offer to pay for.


The plaintiffs alleged a number of claims, including invasion of privacy, negligence, bailment, and violations of the Fair Credit Reporting Act (FCRA).

The plaintiffs claimed that victims of identity theft and fraud 

“typically spend hundreds of hours in personal time and hundreds of dollars in personal funds,” incurring an average of $354 in out-of-pocket expenses and $1,513 in total economic loss.

The district court dismissed the complaints.  One basis for the dismissal was that the plaintiffs didn't have "standing" to sue, because they hadn't alleged a "cognizable injury."

The Court of Appeals disagreed:

Here, Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation. Plaintiffs allege that the theft of their personal data places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of “possible future injury” or “objectively reasonable likelihood” of injury that the Supreme Court has explained are insufficient.

Protecting Yourself from Data Breaches

There are things you can do to protect yourself in the event of a data breach. Here are some ideas from the New York Times.
