6th Circuit denies en banc on data breach standing issue. Prelude to SCOTUS?

October 14, 2016

(Reuters) – Someday, this endless presidential campaign will be over, a new president will take office and the Senate will confirm a ninth justice for the U.S. Supreme Court. (One hopes.) We obviously have no idea if that future justice will have the same appetite for class action issues as the late Justice Antonin Scalia. But eventually, the Supreme Court will probably have to resolve a circuit split on data breach class actions that was cemented this week by the 6th U.S. Circuit Court of Appeals.

The 6th Circuit denied a petition by Nationwide Insurance to rehear a three-judge panel’s Sept. 2016 decision to allow a negligence class action stemming from a 2012 data breach to proceed. Nationwide’s lawyers at Morgan Lewis & Bockius argued in the en banc petition (as the insurer argued in federal district court in Columbus, Ohio, and before the three-judge panel) that Nationwide customers whose data was stolen do not have constitutional standing to sue because they have not actually been harmed.

Like just about every data breach class action defendant in the past few years, Nationwide relied heavily on the U.S. Supreme Court’s 2013 analysis in Clapper v. Amnesty International of what sort of injury gives rise to constitutional standing. The injurer contended that in the four years since hackers gained access to customers’ personal information, those customers have experienced no harm – “no out-of-pocket expenses, no fraudulent charges, no identity theft,” Nationwide said in the en banc petition. Under Clapper, the petition said, the possibility that the information may be misused in the future does not establish standing. (For what it’s worth, the Nationwide class wants to file an amended complaint alleging that one plaintiff’s data has already been misused by the hackers.)

In rejecting the petition for rehearing, the 6th Circuit panel – Judges Helene White and Alice Batchelder, as well as U.S. District Judge Sheryl Lipman of Memphis, sitting by designation – said it had already considered those arguments before it issued its decision in September.

In that ruling, the 6th Circuit sided with the 7th Circuit in holding that data breach victims don’t have to wait until their identity has been stolen to sue. “A substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation,” Judge White wrote for the 6th Circuit panel. “There is no need for speculation where plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.”

The 3rd Circuit has interpreted constitutional requirements for data breach suits differently than the 6th and 7th Circuits, albeit before the Supreme Court’s Clapper decision. In 2011’s Reilly v. Ceridian, the 3rd Circuit refused to allow customers of the payroll processing company to move ahead with a data breach class action, holding that their “allegations of ‘possible future injury’ are not sufficient to satisfy Article III.”

So the 6th Circuit’s ruling in the Nationwide case seems to presage a showdown at the Supreme Court over just what data breach plaintiffs must show in order to establish standing. Neiman Marcus, which was on the losing end of the 2015 7th Circuit decision that initially created the split, apparently considered filing a petition for Supreme Court review; its lawyers at Sidley Austin sought and received two extensions on the deadline for a certiorari filing. Ultimately, Neiman Marcus did not go to the justices.

I called Nationwide counsel Allyson Ho of Morgan Lewis to ask if the insurer planned to go where Neiman Marcus did not. I didn’t hear back from her.

For more of my posts, please go to WestlawNext Practitioner Insights

Follow me on Twitter

No comments so far

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/