In Galaria v. Nationwide Mutual Insurance Company, an Ohio federal judge dismissed claims stemming from a large scale data breach because plaintiffs failed to demonstrate an injury sufficient to confer legal standing. The judge found their data was not misused and that any threatened harm was not “certainly impending.” The court rejected plaintiffs’ arguments that they had standing based on an increased risk of identity theft, loss of privacy, and deprivation of value of personally identifiable information.
The class action litigation arose from an October 2012 breach in Nationwide’s data security that exposed the personally identifiable information of an estimated 1.1 million Americans. The cyber thieves made off with names, Social Security numbers, driver’s license numbers, and birthdays of Nationwide customers as well as those seeking insurance quotes. In response, Nationwide notified those affected and offered free credit monitoring and identity theft protection services for a year. It is important to note that the named plaintiffs did not allege that their personally identifiable information was actually misused or that they suffered from identity theft resulting from the data breach.
In dismissing these claims, the court relied heavily on the Supreme Court’s decision in Clapper v. Amnesty International, which held that a “threatened injury must be ‘certainly impending’ to constitute injury in fact” sufficient to confer Article III standing. While the Galaria court was not the first to apply the year-old decision to bar claims arising from a large-scale data breach, it is the latest example of the difficulties data breach plaintiffs face in surviving a motion to dismiss based on a lack of Article III standing.
Increased Risk of Harm
Similar to other data breach plaintiffs, the Galaria plaintiffs attempted to establish standing by arguing that their increased risk for identity theft and related mitigation costs caused them injury in fact. The court disagreed, finding that the subsequent harm depended on the criminal actions of independent decision makers. The Galaria court likewise found that mitigation costs did not confer standing. Citing Clapper, it reasoned that, “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
Loss of Privacy
Plaintiffs also argued they had standing because Nationwide publicly disseminated their personally identifiable information. The court, however, ruled that plaintiffs failed to allege adverse consequences aside from increased risk. The alleged loss of privacy did constitute an injury in fact for plaintiffs’ state invasion of privacy claim, but plaintiffs failed to establish a causal connection between Nationwide’s actions and plaintiffs’ injuries. That is, plaintiffs lacked standing because they failed to properly allege that defendants disclosed their private affairs where the data were stolen rather than published, and because any public dissemination would result from independent hack activity.
Deprivation of Value of Personally Identifiable Information
Finally, plaintiffs claimed that deprivation of the value of their personally identifiable information constituted an injury in fact. They reasoned that because personally identifiable information has value on the black market, Nationwide injured them by exposing their information and therefore depriving the plaintiffs of the information’s value. The Galaria court disagreed, holding that regardless of the information’s value, plaintiffs did not demonstrate they had access to this black market, nor that third parties deprived them of profits by selling their information there.