On October 12, the Sixth Circuit denied Nationwide Mutual Insurance Company’s petition for rehearing en banc on the Court’s decision to revive a putative class action stemming from a 2012 data breach. 

According to the plaintiffs’ class action complaint, hackers who breached Nationwide’s computer network on October 3, 2012, stole the personal information of the named plaintiffs as well as 1.1 million other individuals.  The complaint alleged claims for invasion of privacy, negligence, bailment, and violations of the Fair Credit Reporting Act.  Plaintiffs claimed that the data breach created an “imminent, immediate and continuing increased risk” that they would be subject to identity fraud.  The district court originally dismissed the complaint, holding that the plaintiffs failed to state a claim for invasion of privacy, lacked Article III standing to bring the negligence and bailment claims, and lacked statutory standing to bring the FCRA claims.   

On appeal, the Sixth Circuit, in a 2-1 decision, reversed the district court and held that the plaintiffs had Article III standing.  Specifically, the majority held that “Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.  …  Plaintiffs and the other putative class members must expend time and money to monitor their credit, check their bank statements, and modify their financial accounts,” stated the Court. 

Judge Batchelder dissented from the majority, finding that the plaintiffs’ complaint did not adequately plead a causal connection between Nationwide’s alleged inaction and the plaintiffs’ alleged injury, which is necessary to establish Article III standing.  “The complaints simply allege that hackers were in fact able to access the plaintiffs’ personal information. …  But plaintiffs make no factual allegations regarding how the hackers were able to breach Nationwide’s system, nor do they indicate what Nationwide might have done to prevent that breach but failed to do.”  In other words, there are no allegations that Nationwide is responsible for the criminal acts that increased the plaintiffs’ risk of identity theft. 

The Sixth Circuit denied Nationwide’s petition for rehearing en banc, with Judge Batchelder noting that she would grant rehearing for the reasons stated in her dissent.  The case is now remanded to the district court for further proceedings.