On Monday, February 12, a Southern District of Ohio district court dismissed two proposed class actions relating to an October 2012 Nationwide Mutual Insurance Co. data breach. Galaria v. Nationwide Mutual Ins. Co., No. 2:13-cv-118 (S.D. Ohio Feb. 10, 2014); Hancox v. Nationwide Mutual Ins. Co., No. 2:13-cv-257 (S.D. Ohio Feb. 10, 2014). The court held that neither case could proceed because the Plaintiffs had not sufficiently alleged an injury that would give them standing to sue in federal court under Article III of the U.S. Constitution. In their complaint, Plaintiffs alleged several putative injuries, including increased risk of identity theft and fraud arising from the breach, costs associated with mitigating that increased risk, “loss of privacy,” and deprivation of the value of their personal information. The court rejected each theory, in turn. The opinion is the latest in a series of opinions holding that plaintiffs seeking to recover in data breach case must allege more than the mere possibility of future harm.
The Nationwide Plaintiffs first claimed they had suffered an injury because they faced increased risk of identity theft, identity fraud, medical fraud, and of being victimized in a phishing attack. Plaintiffs alleging these types of harms have struggled to satisfy Article III standing requirements following the Supreme Court’s February 2013 Clapper v. Amnesty Int’l, USA decision requiring a threatened injury be “certainly impending” to confer standing. Plaintiffs contended that their injuries were “certainly impending” because there was an “objectively reasonable likelihood” injuries would occur or, alternatively, because their injuries were “not merely speculative.”
In support of their theory, Plaintiffs cited reports concluding that people whose information is involved in a data breach were 9.5 times more likely than the general public to become victims of fraud and that consumers who receive a breach notification—as Plaintiffs did here—had a fraud incidence rate of 19% in 2011. The court rejected Plaintiffs’ positions, noting that the “objectively reasonable likelihood” and “not merely speculative” standards on which they relied pre-dated Clapper and that Plaintiffs’ alleged injuries were too speculative to satisfy the new “certainly impending” requirement. In so doing, the court emphasized the fact that the alleged injury-in-fact depended on the actions of independent decision-makers.
Plaintiffs’ also asserted they had suffered an injury sufficient for standing because the breach resulted in their “loss of privacy.” But, the court found that loss of privacy allegations “alone, [did] not amount to an injury that [was] concrete and particularized,” as is required of Article III injuries. Again, the court noted that Plaintiffs had failed to allege that their loss of privacy resulted in any adverse consequences apart from the speculative injury of increased risk of harm. Specifically, the court noted that Plaintiffs did not allege that their personal information had been misused or that they were victims of identity theft.
Finally, the court rejected Plaintiffs’ contention that they suffered an injury because they were deprived of the ability to sell their personal information at a fair price. The court noted that Plaintiffs did not allege how the data breach actually prevented them from reaping the full value from their information and did not allege that any third party actually sold Plaintiffs’ personal, thereby depriving Plaintiffs of its value.