6th Circuit “Stands” Up for Plaintiffs in Data Breach Suit

K2 Integrity

K2 Intelligence - Investigations · Compliance Solutions · Cyber Defense

On September 12, 2016, a divided panel of the Sixth Circuit Court of Appeals made it easier for putative victims of a data breach to sue the companies they blame for their information being stolen by hackers.[1]

Specifically, in Galaria et al. v. Nationwide Mutual Insurance Co., the panel held that the class plaintiffs had standing to sue Nationwide Mutual Insurance Co. based on “allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs.”[2] The court also held that the plaintiffs’ harm could be traced back to Nationwide—at least at the pleadings stage—since “but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data.”[3] The ruling thus makes it much more likely that a putative class can survive a motion to dismiss for lack of standing and, at the least, prolong the litigation.

In the wake of the decision, companies across all industries that may be subject to cyber attacks by hackers—insurance companies, retailers, credit card companies—can do three key things to protect themselves.

First, remember that an ounce of prevention is worth a pound of cure. Companies should ensure that their cybersecurity measures are not “lax” by shoring up their cybersecurity defenses consistent with best practices. This may include conducting vulnerability assessments and penetration tests, installing network sensors, and implementing a cyber defense strategy designed to address how companies protect their critical assets today.

Second, be prepared to respond to a data breach or cyber incident. Companies should ensure that they have the appropriate policies and procedures in place in advance of an incident, so that critical decisions are not delayed or made on the fly. The company must also conduct an investigation to identify how the breach occurred; work to contain and then eliminate the threat; and potentially notify and work with law enforcement.

Third, companies must be prepared to devote the necessary resources to litigation, should it come to that. In addition to having the right lawyers, companies may find that litigation-related investigations are critical to success, because they identify information that supports the companies’ litigation strategies and case narratives.

[1] See Galaria et al. v. Nationwide Mutual Insurance Co., No. 15-3386 (6th Cir. Sept. 12, 2016), available at http://www.opn.ca6.uscourts.gov/opinions.pdf/16a0526n-06.pdf; see also Allison Grande, “Nationwide Ruling Lowers Hurdle for Data Breach Victims,” Law360, September 13, 2016.

[2] See Galaria, No. 15-3386, at 6.

[3] See id. at 10.

Written by:

K2 Integrity