US District Court in Ohio Finds Plaintiffs Have No Standing for Data Breach Class Action

The United States District Court for the Southern District of Ohio recently dismissed a class action seeking damages for injuries stemming from a data breach at Nationwide Mutual Insurance Company. Galaria v. Nationwide Mut. Ins. Co. 2014 U.S. Dist. LEXIS 23798 was filed after Nationwide’s computer system was hacked on October 3, 2012 and the personally identifiable information (PII) of over 1 million customers and potential customers was compromised.

Nationwide provided notice to the affected individuals on November 16, 2012, informing them of the data breach and that the compromised data included names, social security numbers, driver’s license numbers, and dates of birth. Nationwide offered the affected class one year of free credit monitoring and identity theft protection.

The putative class filed suit alleging injuries stemming from the data breach and seeking damages in three categories: (1) increased risk of harm/cost to mitigate increased risk of identity theft; (2) loss of privacy; and (3) deprivation of the value of their PII.

Nationwide’s defense was that plaintiffs did not suffer a cognizable injury and thus lacked appropriate standing to sue.

In its analysis, the Court discussed two distinct lines of data breach cases – those such as Reilly v. Ceridian Corp, 664 F.3d 38 (3rd Cir. 2011) and In re Barnes & Noble Pin Pad Litg., 2013 U.S. Dist. LEXIS 125730 (N.D. Ill. Sept. 3, 2013) that dismissed data breach actions on dispositive motion practice by finding plaintiffs lacked requisite standing or were otherwise unable to prove the damages element of their claims and those that found plaintiffs have standing in such data breach cases like Krottner v. Starbucks Corp, 628 F.3d 1139 (9th Cir. 2010) and Sutton v. St. Jude Med. S.C., Inc., 419 F.3d 568 (6th Cir. 2005).

Addressing the putative class’ first category of purported damages, the court agreed with Reilly and In re Barnes & Noble, that the mere increased risk of theft or fraud is insufficiently concrete to confer constitutional standing.

As to the alleged diminution or deprivation of the value of plaintiffs’ PII, the Court followed several other recent cases and ruled that to have standing, an individual’s PII does not have inherent monetary value or that at the very least, plaintiffs must demonstrate that they were actually deprived of their PII’s value. See, e.g. Willingham v. Global Payments, Inc., 2013 U.S. Dist. LEXIS 27764 (N.D. Ga. Feb. 5, 2013) (finding plaintiffs’ PII does not have any inherent monetary value); In re Google Inc. Cookie Placement Consumer Privacy Litig., 2013 U.S. Dist. LEXIS 145727 (D. Del. Oct, 9, 2013) (plaintiff must allege facts to show actual deprivation of value in PII).

While the Court found that plaintiffs’ invasion of privacy cause of action was otherwise sufficiently plead, the Court still dismissed the count because the complaint did not allege that Nationwide took any action to publicize plaintiffs’ PII or publicly disclose PII, an essential element of invasion of privacy.

 

Topics:  Class Action, Data Breach, Data Protection, Dismissals, Personally Identifiable Information, Standing

Published In: Civil Procedure Updates, Constitutional Law Updates, Insurance Updates, Privacy Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Traub Lieberman Straus & Shrewsberry LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »