Article III standing has once again proved to be an insurmountable hurdle for data breach class action plaintiffs whose personal information hasn’t been misused. In Galaria v. Nationwide Mutual Insurance Co., an Ohio federal court relied on the United States Supreme Court’s decision in Clapper v. Amnesty Intern. USA, 133 S.Ct. 1138 (2013), and held that the plaintiffs did not sustain an injury sufficient to confer standing to sue Nationwide following a 2012 hacking incident during which their personally identifying information (PII) was stolen.
The plaintiffs alleged that as a result of the breach, they incurred and will continue to incur damages consisting of (1) the imminent, immediate, and continuing increased risk of identity theft, identity fraud and/or medical fraud; (2) out-of-pocket expenses to purchase credit monitoring, internet monitoring, identity theft insurance and/or data breach risk mitigation products; (3) out-of-pocket expenses incurred to mitigate the increased risk of identity theft, identity fraud and/or medical fraud, including the costs of placing and removing credit freezes; (4) the value of time spent mitigating the increased risk of identity theft, identity fraud and/or medical fraud; (5) the substantially increased risk of being victimized by phishing; (6) loss of privacy; and (7) deprivation of the value of their PII. The court grouped those alleged damages into three categories: (1) increased risk of harm/cost to mitigate increased risk; (2) loss of privacy; and (3) deprivation of value of PII. The plaintiffs asserted claims for violation of the Fair Credit Reporting Act (FCRA), negligence, invasion of privacy and bailment, but they did not allege that their PII was misused or that their identity was stolen. Nationwide moved to dismiss the complaint based on lack of standing and failure to state a claim.
Even though Nationwide agreed with the plaintiffs that they had statutory standing to bring their FCRA claim, the court exercised its independent duty to examine standing and ruled that it was lacking because the plaintiffs failed to allege a specific requirement under the FCRA that Nationwide failed to perform or a specific prohibition that Nationwide ignored. The plaintiffs’ “vague” allegations that Nationwide violated the FCRA’s statement of purpose were “insufficient to confer statutory standing.”
Increased Risk of Harm/Failure to Mitigate Increased Risk
Nationwide alleged that this grouping of injuries was speculative because plaintiffs did not allege that their PII was misused, that they suffered identity theft, or that they actually incurred any out-of-pocket costs or spent time to mitigate any potential risks. The court noted that the plaintiffs “have not alleged any adverse consequences from the theft or dissemination as they do not allege their PII has been misused.” Following Clapper, the court held that the plaintiffs’ alleged harm was not “certainly impending.” “Even though Plaintiffs alleged they are 9.5 times more likely than the general public to become victims of theft or fraud, that factual allegation sheds no light as to whether theft or fraud meets the ‘certainly impending’ standard.” Noting that the Supreme Court is reluctant to find standing where the injury-in-fact depends on the actions of independent decision makers, the court held that “[t]he speculative nature of the injuries is further evidenced by the fact that its occurrence will depend on the decisions of independent actors. … [W]hether Named Plaintiffs will become victims of theft or fraud or phishing is entirely contingent on what, if anything, the third party criminals do with that information.”
Cost to Mitigate Increased Risk
Again citing Clapper, the court held that the costs incurred by the plaintiffs in connection with credit monitoring and other measures did not constitute injury sufficient to confer standing. The plaintiffs “cannot create standing by choosing to make expenditures in order to mitigate a purely speculative harm.”
Loss of Privacy
The plaintiffs alleged that the dissemination of their PII to unauthorized persons constituted an injury-in-fact in the form of loss of privacy. The court agreed with the plaintiffs that their loss of privacy was not speculative, conjectural or hypothetical, because their PII was stolen and disseminated to criminals, but held that it was too abstract to constitute injury-in-fact absent any allegation that the loss of privacy resulted in any adverse consequences.
Deprivation of Value of PII
Alleging that their stolen PII had value if sold on the cyber black market, the plaintiffs claimed that they suffered an injury-in-fact in the form of deprivation of value of their PII. The court disagreed, stating, “Regardless of whether Named Plaintiffs argue the value of their PII has merely diminished or whether they allege complete deprivation of value, they have failed to allege any facts explaining how their PII became less valuable to them (or lost all value) by the data breach.”
Invasion of Privacy
With regard to the plaintiffs’ invasion of privacy claim, the court held that for standing purposes, the injury was fairly traceable to Nationwide’s actions, but the plaintiffs failed to state a claim. They failed to allege that their PII had been disclosed by Nationwide or that Nationwide “publicized” their PII to the public at large or to so many people that it should be regarded as substantially certain to become public knowledge.
With the exception of the recent Sony Playstation case in California, in the aftermath of Clapper, courts that have considered the issue have held that the breach of personal information without allegations of misuse does not constitute injury-in-fact sufficient to confer Article III standing. See our related blog posts on Omnicell and Barnes and Noble. Going forward, we can expect to see plaintiff lawyers assert more creative injury allegations in an attempt to circumvent the holding of Clapper and its progeny.