The United States District Court for the Southern District of Ohio recently dismissed a class action seeking damages for injuries stemming from a data breach at Nationwide Mutual Insurance Company. Galaria v. Nationwide Mut. Ins. Co. 2014 U.S. Dist. LEXIS 23798 was filed after Nationwide’s computer system was hacked on October 3, 2012 and the personally identifiable information (PII) of over 1 million customers and potential customers was compromised.
Nationwide provided notice to the affected individuals on November 16, 2012, informing them of the data breach and that the compromised data included names, social security numbers, driver’s license numbers, and dates of birth. Nationwide offered the affected class one year of free credit monitoring and identity theft protection.
The putative class filed suit alleging injuries stemming from the data breach and seeking damages in three categories: (1) increased risk of harm/cost to mitigate increased risk of identity theft; (2) loss of privacy; and (3) deprivation of the value of their PII.
Nationwide’s defense was that plaintiffs did not suffer a cognizable injury and thus lacked appropriate standing to sue.
In its analysis, the Court discussed two distinct lines of data breach cases – those such as Reilly v. Ceridian Corp, 664 F.3d 38 (3rd Cir. 2011) and In re Barnes & Noble Pin Pad Litg., 2013 U.S. Dist. LEXIS 125730 (N.D. Ill. Sept. 3, 2013) that dismissed data breach actions on dispositive motion practice by finding plaintiffs lacked requisite standing or were otherwise unable to prove the damages element of their claims and those that found plaintiffs have standing in such data breach cases like Krottner v. Starbucks Corp, 628 F.3d 1139 (9th Cir. 2010) and Sutton v. St. Jude Med. S.C., Inc., 419 F.3d 568 (6th Cir. 2005).
Addressing the putative class’ first category of purported damages, the court agreed with Reilly and In re Barnes & Noble, that the mere increased risk of theft or fraud is insufficiently concrete to confer constitutional standing.
As to the alleged diminution or deprivation of the value of plaintiffs’ PII, the Court followed several other recent cases and ruled that to have standing, an individual’s PII does not have inherent monetary value or that at the very least, plaintiffs must demonstrate that they were actually deprived of their PII’s value. See, e.g. Willingham v. Global Payments, Inc., 2013 U.S. Dist. LEXIS 27764 (N.D. Ga. Feb. 5, 2013) (finding plaintiffs’ PII does not have any inherent monetary value); In re Google Inc. Cookie Placement Consumer Privacy Litig., 2013 U.S. Dist. LEXIS 145727 (D. Del. Oct, 9, 2013) (plaintiff must allege facts to show actual deprivation of value in PII).
While the Court found that plaintiffs’ invasion of privacy cause of action was otherwise sufficiently plead, the Court still dismissed the count because the complaint did not allege that Nationwide took any action to publicize plaintiffs’ PII or publicly disclose PII, an essential element of invasion of privacy.