On September 12, 2016, a divided panel of the Sixth Circuit Court of Appeals made it easier for putative victims of a data breach to sue the companies they blame for their information being stolen by hackers.
Specifically, in Galaria et al. v. Nationwide Mutual Insurance Co., the panel held that the class plaintiffs had standing to sue Nationwide Mutual Insurance Co. based on “allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs.” The court also held that the plaintiffs’ harm could be traced back to Nationwide—at least at the pleadings stage—since “but for Nationwide’s allegedly lax security, the hackers would not have been able to steal Plaintiffs’ data.” The ruling thus makes it much more likely that a putative class can survive a motion to dismiss for lack of standing and, at the least, prolong the litigation.
In the wake of the decision, companies across all industries that may be subject to cyber attacks by hackers—insurance companies, retailers, credit card companies—can do three key things to protect themselves.
First, remember that an ounce of prevention is worth a pound of cure. Companies should ensure that their cybersecurity measures are not “lax” by shoring up their cybersecurity defenses consistent with best practices. This may include conducting vulnerability assessments and penetration tests, installing network sensors, and implementing a cyber defense strategy designed to address how companies protect their critical assets today.
Second, be prepared to respond to a data breach or cyber incident. Companies should ensure that they have the appropriate policies and procedures in place in advance of an incident, so that critical decisions are not delayed or made on the fly. The company must also conduct an investigation to identify how the breach occurred; work to contain and then eliminate the threat; and potentially notify and work with law enforcement.
Third, companies must be prepared to devote the necessary resources to litigation, should it come to that. Beyond having the right lawyers, conducting litigation-related investigations can be critical to success, because they identify information that supports the companies’ litigation strategies and case narratives.
The multidisciplinary teams at K2 Intelligence are uniquely situated to support companies in all three key steps above. K2 Intelligence’s teams—which include cybersecurity experts, former law enforcement and intelligence agents, former prosecutors, and experienced investigators—apply state-of-the-art technology to identify actionable intelligence and uncover hidden patterns across a range of information types—financial data, personal records, the dark web, or obscure paper trails.
K2 Intelligence’s experts can:
- Ensure that a company’s infrastructure is secure and cybersecurity defenses are in line with industry best practices;
- Help navigate the response to a breach, including assisting with an incident investigation and liaising with law enforcement; and
- Provide litigation support resources, ranging from identifying information to support witness interviews and depositions to reaching into the dark underbelly of the Internet to attempt to identify evidence that the plaintiffs’ personal information was already available to cyber criminals, meaning that any harm the plaintiffs may have suffered cannot actually be traced back to the company.
 See Galaria et al. v. Nationwide Mutual Insurance Co., No. 15-3386 (6th Cir. Sept. 12, 2016), available at http://www.opn.ca6.uscourts.gov/opinions.pdf/16a0526n-06.pdf; see also Allison Grande, “Nationwide Ruling Lowers Hurdle for Data Breach Victims,” Law360, September 13, 2016.
 See Galaria, No. 15-3386, at 6.
See id. at 10.