Court Dismisses Insurance Breach Lawsuit, Rules Alleged Injuries Aren't Impending

Feb. 11 --Neither the plaintiffs' increased risk of harm following a data breach at Nationwide Mutual Insurance Co. nor the plaintiffs' expenses to mitigate that risk constitute injuries in fact sufficient to provide standing to sue, the U.S. District Court for the Southern District of Ohio ruled Feb. 10 (Galaria v. Nationwide Mut. Ins. Co., S.D. Ohio, No. 2:13-cv-00118-MHW-MRA, dismissed 2/10/14).

In November 2012, Nationwide sent letters to some 1 million policyholders and non-policyholders, informing them that its computer network was hacked and that some of their personally identifiable information (PII) may have been compromised.

The named plaintiffs in these related lawsuits sued Nationwide on behalf of proposed classes, alleging violations of the Fair Credit Reporting Act, 15 U.S.C. § 1681, negligence, invasion of privacy and bailment.

Nationwide moved to dismiss, arguing that the plaintiffs lacked standing because they failed to allege that they suffered an injury in fact. The company also argued that the complaint should be dismissed for failure to state a claim. Judge Michael H. Watson granted the motion and dismissed the plaintiffs' claims.

The court first found that the plaintiffs had no statutory standing under FCRA because they failed to allege an injury arising from a specific requirement or prohibition in FCRA, instead alleging that Nationwide violated the statute's general statement of purpose at Section 1681(b).

The court then concluded that none of the plaintiffs' claimed injuries--an increased risk of harm, the costs to mitigate that increased risk, loss of privacy and deprivation of the value of PII--satisfied the injury in fact requirement for Article III standing.

Risk of Harm, Costs

The court compared the allegation of an increased risk of harm to that in Clapper v. Amnesty International USA, 133 S. Ct. 1138, 2013 BL 50248 (2013). In that case, the U.S. Supreme Court held that a group of human rights activists, journalists and lawyers lacked standing to challenge a wiretapping program because their claims of injury were not “certainly impending” .

Relying on Clapper, the court here held that “the increased risk that Plaintiffs will be victims of identity theft, identity fraud, medical fraud, or phishing at some indeterminate point in the future does not constitute injury sufficient to confer standing where, as here, the occurrence of such future injury rests on the criminal actions of independent decisionmakers and where, as here, the Complaint lacks sufficient factual allegations to show such future injury is imminent or certainly impending.”

Some allegations in the complaint demonstrate that such harm is not certainly impending, the court said, pointing to the claim of a fraud incidence rate of 19 percent in 2011 for consumers who received a data breach notification. “An injury can hardly be said to be 'certainly impending' if there is less than a 20% chance of it occurring,” the court said.

The court added that its conclusion is supported by the decisions of many other courts, such as Reilly v. Ceridian Corp., 664 F.3d 38, 2011 BL 313102 (3d Cir. 2011) . Although other courts, such as Krottner v. Starbucks Corp., 628 F.3d 1139, 2010 BL 295445 (9th Cir. 2010) , have concluded that an increased risk of theft or fraud is a concrete injury in fact for purposes of standing, many of those decisions were decided before Clapper, the court here said.

In addition, the plaintiffs “cannot create standing by choosing to make expenditures in order to mitigate a purely speculative harm,” the court said, again relying on Clapper. Other courts, such as Reilly, have rejected such costs as injuries in the data breach context, the court added.

Other Claimed Injuries

The court also held that “even if deprivation of value of PII is an injury-in-fact, Named Plaintiffs failed to allege deprivation of value of PII and therefore lack standing.”

Although some federal district courts have concluded that PII has no “inherent monetary value,” others have held that plaintiffs must, at a minimum, allege facts demonstrating that they were deprived of that value for purposes of standing, the court said. Here, the plaintiffs failed to allege how the data breach prevents them from accessing the “cyber black market” and selling their records for $14 to $25 each, the court explained.

The court also concluded that a loss of privacy is an insufficient injury for standing for the plaintiffs' negligence and bailment claims, finding that the plaintiffs failed to allege that the loss of privacy resulted in specific adverse consequences.

Although the court found such an injury sufficient to confer standing for the plaintiffs' state law invasion of privacy claim, it granted the motion to dismiss that claim because the plaintiffs failed to allege that Nationwide disclosed their PII or publicized their PII to the general public.

Ben Barnow of Barnow and Associates PC, in Chicago; Richard L. Coffman of the Coffman Law Firm, in Beaumont, Texas; Charles T. Lester Jr., of Fort Thomas, Ky.; Ralph K. Phalen of Ralph K. Phalen Law PC, in Kansas City, Mo.; Mitchell L. Burgess of Burgess & Lamb PC, in Kansas City, Mo.; and Cory S. Fein of Caddell & Chapman, in Houston, represented the plaintiffs. Michael H. Carpenter of Carpenter Lipps & Leland LLP, in Columbus, Ohio; and Harvey J. Wolkoff, Richard D. Batchelder Jr. and Kristin G. Ali of Ropes & Gray LLP, in Boston, represented Nationwide.

Full text of the court's opinion is available at