September 21, 2016 - In a ruling that is likely to be appealed to the US Supreme Court, the Sixth Circuit Court of Appeals overturned a lower court ruling that had dismissed a data breach lawsuit. The lower court ruling was based on the fact that victims of the breach had not been able to demonstrate financial losses as a result of identity theft or fraud from the breach. But the appeals court found that the costs of services like credit monitoring and identity theft prevention were enough to give the plaintiffs standing in the case. If the ruling stands, it is a game changer for consumers.
The case is known as Galaria, et al. v. Nationwide Mut. Insur. Co. It stems from a data breach that occurred in October of 2012. That's when a hacker broke into Nationwide's computer system and stole the personally identifiable information of 11 million of the company's customers.
The data that was taken included names, addresses, birth dates, social security numbers, etc. That is absolutely everything needed to commit identity theft.
Although Nationwide did agree to pay for a year of credit monitoring, the company sent out a letter to its customers advising them to take additional steps to protect themselves. Some of those steps included items that would cost their customers additional money. They included long-term credit monitoring and credit freezes. Nationwide didn't offer to pay for the cost of credit freezes or provide a longer-term monitoring solution that would be free of charge to victims of the breach.
Because of this, two people became the lead plaintiffs in two separate but similar class action lawsuits against the company. Those cases were later consolidated into the current case.
The appeals court ruling states that the ongoing costs not covered by Nationwide are sufficient to allow the suit to move forward.
Although the ruling is only valid in Michigan, Kentucky, Ohio and Tennessee (the states covered by the Sixth Circuit), it is likely to influence cases in other federal circuits. If the ruling isn't overturned on appeal, it provides a warning to all companies that store personal data on their customers. It means that they need to do everything within their power to prevent data breaches and, in the event of a breach, seriously consider covering the foreseeable customer costs associated with the breach. Not doing so is now likely to lead to additional class action suits that could be significantly more costly than making a reasonable effort to cover customer costs in the first place.
by Jim Malmberg