--Neither the plaintiffs' increased risk of harm following a data breach at
Nationwide Mutual Insurance Co. nor the plaintiffs' expenses to mitigate that
risk constitute injuries in fact sufficient to provide standing to sue, the
U.S. District Court for the Southern District of Ohio ruled Feb. 10 (Galaria v. Nationwide Mut. Ins.
Co., S.D. Ohio, No. 2:13-cv-00118-MHW-MRA, dismissed
In November 2012, Nationwide sent letters to some 1 million
policyholders and non-policyholders, informing them that its computer network
was hacked and that some of their personally identifiable information (PII) may
have been compromised.
The named plaintiffs in these related lawsuits
sued Nationwide on behalf of proposed classes, alleging violations of the Fair
Credit Reporting Act, 15 U.S.C. § 1681, negligence, invasion of privacy and
Nationwide moved to dismiss, arguing that the plaintiffs
lacked standing because they failed to allege that they suffered an injury in
fact. The company also argued that the complaint should be dismissed for
failure to state a claim. Judge Michael H. Watson granted the motion and
dismissed the plaintiffs' claims.
The court first found that the
plaintiffs had no statutory standing under FCRA because they failed to allege
an injury arising from a specific requirement or prohibition in FCRA, instead
alleging that Nationwide violated the statute's general statement of purpose at
The court then concluded that none of the plaintiffs'
claimed injuries--an increased risk of harm, the costs to mitigate that
increased risk, loss of privacy and deprivation of the value of PII--satisfied
the injury in fact requirement for Article III standing.
The court compared the allegation of an increased risk of harm to
that in Clapper v. Amnesty International USA, 133 S. Ct. 1138, 2013 BL
50248 (2013). In that case, the U.S. Supreme Court held that a group of human
rights activists, journalists and lawyers lacked standing to challenge a
wiretapping program because their claims of injury were not “certainly
Relying on Clapper, the court here held that “the
increased risk that Plaintiffs will be victims of identity theft, identity
fraud, medical fraud, or phishing at some indeterminate point in the future
does not constitute injury sufficient to confer standing where, as here, the
occurrence of such future injury rests on the criminal actions of independent
decisionmakers and where, as here, the Complaint lacks sufficient factual
allegations to show such future injury is imminent or certainly impending.”
Some allegations in the complaint demonstrate that such harm is not
certainly impending, the court said, pointing to the claim of a fraud incidence
rate of 19 percent in 2011 for consumers who received a data breach
notification. “An injury can hardly be said to be 'certainly impending' if
there is less than a 20% chance of it occurring,” the court said.
court added that its conclusion is supported by the decisions of many other
courts, such as Reilly v. Ceridian Corp., 664 F.3d 38, 2011 BL 313102
(3d Cir. 2011) . Although other courts, such as Krottner v. Starbucks
Corp., 628 F.3d 1139, 2010 BL 295445 (9th Cir. 2010) , have concluded
that an increased risk of theft or fraud is a concrete injury in fact for
purposes of standing, many of those decisions were decided before
Clapper, the court here said.
In addition, the plaintiffs “cannot
create standing by choosing to make expenditures in order to mitigate a purely
speculative harm,” the court said, again relying on Clapper. Other
courts, such as Reilly, have rejected such costs as injuries in the data
breach context, the court added.
court also held that “even if deprivation of value of PII is an injury-in-fact,
Named Plaintiffs failed to allege deprivation of value of PII and therefore
Although some federal district courts have concluded
that PII has no “inherent monetary value,” others have held that plaintiffs
must, at a minimum, allege facts demonstrating that they were deprived of that
value for purposes of standing, the court said. Here, the plaintiffs failed to
allege how the data breach prevents them from accessing the “cyber black
market” and selling their records for $14 to $25 each, the court explained.
The court also concluded that a loss of privacy is an insufficient injury
for standing for the plaintiffs' negligence and bailment claims, finding that
the plaintiffs failed to allege that the loss of privacy resulted in specific
Although the court found such an injury sufficient
to confer standing for the plaintiffs' state law invasion of privacy claim, it
granted the motion to dismiss that claim because the plaintiffs failed to
allege that Nationwide disclosed their PII or publicized their PII to the
Ben Barnow of Barnow and Associates PC, in Chicago;
Richard L. Coffman of the Coffman Law Firm, in Beaumont, Texas; Charles T.
Lester Jr., of Fort Thomas, Ky.; Ralph K. Phalen of Ralph K. Phalen Law PC, in
Kansas City, Mo.; Mitchell L. Burgess of Burgess & Lamb PC, in Kansas City,
Mo.; and Cory S. Fein of Caddell & Chapman, in Houston, represented the
plaintiffs. Michael H. Carpenter of Carpenter Lipps & Leland LLP, in
Columbus, Ohio; and Harvey J. Wolkoff, Richard D. Batchelder Jr. and Kristin G.
Ali of Ropes & Gray LLP, in Boston, represented Nationwide.
Full text of the court's opinion is available at http://www.bloomberglaw.com/public/document/Galaria_v_Nationwide_Mutual_Insurance_Company_Docket_No_213cv0011.
To view additional stories from Privacy & Security Law
Report® register for a free trial now