Galaria v. Nationwide Mutual Insurance Co., 663 F. App'x 384

Nationwide experienced a 2012 data breach that exposed sensitive personal information (names, DOBs, SSNs, driver’s license numbers) of plaintiffs Mohammad Galaria and Anthony Hancox and ~1.1 million others.
Nationwide notified victims, offered one year of third-party credit monitoring/identity protection, and advised placing fraud alerts or credit freezes but did not pay for freeze fees.
Plaintiffs filed putative class actions alleging FCRA violations (willful and negligent failure to safeguard data), negligence, bailment, and public-disclosure invasion of privacy; district court dismissed most claims for lack of jurisdiction or failure to state a claim.
Plaintiffs appealed dismissal of negligence, bailment, and FCRA claims; they did not appeal the invasion-of-privacy dismissal.
The Sixth Circuit majority held that plaintiffs adequately alleged Article III standing (substantial risk of identity theft + mitigation costs) and reversed the dismissal of the negligence, bailment, and FCRA claims for lack of subject-matter jurisdiction, remanding for further proceedings.
A dissent argued plaintiffs failed to plead the necessary causal link between Nationwide’s conduct and plaintiffs’ alleged injury because intervening criminal actors broke the chain of causation and that plaintiffs also failed to plead an FCRA cause of action.

Issue	Plaintiff's Argument	Defendant's Argument	Held
Article III standing — injury in fact from data breach	Plaintiffs: theft of data creates substantial, imminent risk of identity theft and reasonable mitigation costs = concrete injury	Nationwide: alleged injuries are speculative and caused by third-party hackers, not Nationwide	Held: Plaintiffs have Article III standing — substantial risk + mitigation costs suffice at pleading stage
Article III standing — causation/traceability	Plaintiffs: injuries traceable to Nationwide’s alleged failure to safeguard data	Nationwide: hackers were intervening actors; plaintiffs fail to plead factual link to Nationwide’s conduct	Held: Traceability met at pleading stage; allegations that inadequate security enabled theft suffice
Redressability	Plaintiffs: damages and relief would remedy injuries	Nationwide: (argued lack of cognizable injury)	Held: Plaintiffs’ requested relief would redress alleged harms; redressability satisfied
Subject-matter jurisdiction / "statutory standing" under FCRA	Plaintiffs: alleged violations of FCRA substantive provisions related to safeguarding consumer information	Nationwide: complaints invoke only FCRA purpose language and lack a cause of action under FCRA; district court treated as jurisdictional defect	Held: District court erred treating cause-of-action issue as jurisdictional; Article III jurisdiction exists and merits (whether FCRA claim states a cause) to be decided on remand

Lujan v. Defenders of Wildlife, 504 U.S. 555 (standing requires injury in fact, traceability, redressability)
Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (concrete injury requirement for standing)
Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (imminence/substantial risk standard and limits on speculative injury)
Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir.: data-breach victims alleged substantial risk and had standing)
Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir.: standing after data breach of payment card data)
Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir.: laptop theft of personal data supports standing)
Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir.: declined standing where facts did not show intentional/malicious access or use)
Parsons v. U.S. Dep’t of Justice, 801 F.3d 701 (6th Cir.: pleading-stage standards for standing; traceability discussion)
Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir.: data breach injuries fairly traceable to inadequate security)
Lambert v. Hartman, 517 F.3d 433 (6th Cir.: identity theft fairly traceable to defendant who published sensitive data)