On September 12, the 6th Circuit Court of Appeals concluded that members of a class action have Article III standing to sue Nationwide Insurance for negligence after hackers breached Nationwide’s computer network and stole personal information. Galaria/Hancox v. Nationwide Mut. Ins. Co., Nos. 15-3386/3387, 2016 WL 4728027 (6th Cir. Sep. 12, 2016).
As with the P.F. Chang and Neiman Marcus opinions, this court found that plaintiffs alleged a substantial risk of harm and reasonable mitigation costs to satisfy the injury-in-fact standard. And like those cases, Galaria noted that Nationwide’s offer to pay for credit monitoring and its recommendation (but not reimbursement) for other protective measures were evidence of concrete and imminent harm.
This rationale creates a dilemma for an entity that has a breach and is required to notify its customers or clients. Most breached entities offer credit monitoring, although no state law requires credit monitoring (California law creates a duration for credit monitoring, but only if it is offered in the first instance). Companies that offer protection typically do so out of a sense of responsibility, to regain customer loyalty, or to mitigate long-term damages if credit monitoring works to reduce identity theft.
Companies may think twice about offering remediation services because the services may become evidence of concrete and imminent harm. But whether the company offers mitigation relief or not, a customer’s reasonable belief that a breach threatens his financial identity may be proof enough of concrete and imminent injury. A company’s notification requirements are governed by statute, but it can still weigh for itself whether offering credit monitoring becomes too sharp a double-edged sword.