Monthly Archives: February 2014

Sony Data Breach: No Publication By Sony, No Coverage



Today, as reported by Law360, the New York Supreme Court (New York’s trial court) held that two insurers have no duty to defend Sony Corporation in approximately 60 underlying lawsuits filed in connection with the 2011 data breach of Sony’s PlayStation Network.  There is no written opinion available.

Following oral arguments, Judge Oing ruled from the bench that Sony’s liability policies, which provide personal and advertising injury coverage for oral or written publication of material that violates a person’s right to privacy, apply only to actions committed by Sony, as the policyholder, and not to the actions of third parties who hacked into the network and stole personally identifiable information (PII).

Sony argued that the policies did not possess language excluding coverage on the basis that the policyholder, itself, was not the entity accused of disseminating or publishing the material at issue.  Zurich, on the other hand, argued that because there were no allegations that Sony disseminated the stolen PII, there was no “publication” of material to implicate coverage.   As quoted in Law360, Zurich distinguished the authorities cited by Sony, stating that “[i]n every case cited by Sony in support of the proposition that negligent security equals publication, the conduct has been by the insured.”

What does this case mean?  Further analysis will be provided as more information on the New York court’s holding becomes available.  If the existence of coverage is to be demarcated by whether or not the policyholder itself published the lost or stolen information, most data breach lawsuits will fall outside the scope of personal and advertising injury coverage.

The holding does have some similarities with two other recent data breach cases, Recall Total Info. Management, Inc. v. Fed. Ins. Co., — A.3d —, 2014 WL 43529 (Conn. App. Ct. Jan. 14, 2014) and Galaria v. Nationwide Mut. Ins. Co., No. 13-118 (S.D. Ohio Feb. 10, 2014), each of which essentially held that the theft or loss of information in and of itself does not constitute a publication.

This entry was posted in Data Breach Insurance Coverage.

Data Breach Lawsuits Don’t Allege Viable Invasion Of Privacy Claim



Last week, The Coverage Inkwell discussed a new data breach case, Galaria v. Nationwide Mut. Ins. Co., No. 13-118 (S.D. Ohio Feb. 10, 2014), in which an Ohio federal court held that a slew of allegations in two putative class action lawsuits, including increased risk of identity theft, and out-of-pocket credit monitoring expenses, did not constitute an injury for purposes of standing.  The court also addressed whether the lawsuits alleged viable claims of the tort of invasion of privacy.  This latter issue is now addressed here.

In Galaria, Nationwide Mutual Insurance Company was sued by two putative class actions after it notified class members that data thieves had hacked into its computer systems and stolen class members’ personally identifiable information (PII).  (Id. at 2-3.)  In its notification letter, Nationwide suggested that plaintiffs undertake steps to safeguard their PII, including to monitor their credit reports and bank statements, and it offered them one year of free credit monitoring and identity theft protection through Equifax. (Id. at 2.)  Nationwide also suggested that plaintiffs place a freeze on their credit reports at their own expense.  (Id.)

Nationwide moved to dismiss the lawsuits on various grounds, including that the lawsuits did not allege a viable claim for invasion of privacy.  In general, a claim for invasion of privacy entails four separate and distinct torts.  Publicity to private life and intrusion upon seclusion are the torts most commonly implicated in a data breach claim.  Publicity given to private life involves rights of secrecy and happens when private facts are published and their publication would be highly offensive and not of legitimate public concern.  Intrusion upon seclusion involves a person’s right to be left alone, including freedom from investigation of private affairs.  Intrusion upon seclusion does not have a publication component or requirement.

In Galaria, Nationwide contended that the lawsuits’ invasion of privacy claims failed because there were no allegations that Nationwide had publicly disclosed the PII in question.  (Id. at 27.)  Specifically, Nationwide argued that because the complaint acknowledged that the PII had been stolen, the complaint necessarily acknowledged that Nationwide took no action to publicize the PII as would be required to prove liability under the tort.  (Id. at 28.)  Nationwide also argued that the complaint failed to allege that the PII had reached the public at large, or that the PII was substantially certain to become public knowledge, in order to meet the tort’s publication requirements.  (Id. at 27-28.)

Plaintiffs counter-argued that the tort of publication of private facts does not require publication to the public at large, contending that the inquiry focuses on the type of information disclosed rather than the number of individuals who obtain the information.  (Id. at 29.)  In the alternative, plaintiffs also argued that the lawsuits alleged intrusion upon seclusion, which does not require publication.  (Id.)

The Court disagreed with plaintiffs and concluded that the lawsuits did not allege a viable invasion of privacy claim for two reasons.  First, because the complaint failed to allege that Nationwide had taken any action to disseminate information, Nationwide could not be held liable for an invasion of privacy claim as a matter of law:

First, there is no allegation in the Complaint that Defendant disclosed Named Plaintiffs’ private affairs.  While the Complaint alleges Defendant disseminated Named Plaintiffs’ PII, that allegation is conclusory.  There are no factual allegations in the Complaint to make plausible the allegation that Defendant disseminated Named Plaintiffs’ PII.  Rather, the Complaint alleges the PII was stolen from Defendant, not that Defendant disseminated it to anyone.

(Id. at 29.)

Second, the Court held that the complaint failed to allege a sufficient dissemination of the information to the public at large to satisfy the publication requirements of the tort:

The Complaint fails to allege publicity.  It alleges the PII is in the hands of the hacker(s), not the general public.  Specifically, the Complaint alleges that “the criminal(s) and/or their customers now have Plaintiffs and the other Class Members’ compromised PII,” Compl. ¶ 19, ECF No. 1.  The Complaint thus fails to allege how many hackers ever had the PII and whether the hacker(s) sold the PII to anyone, let alone to how many people the hacker(s) sold the PII.  Therefore, the allegation that the data breach “resulted in the theft and wrongful dissemination of Plaintiffs and the other Class Members’ PII into the public domain,” Id. at ¶ 55, is conclusory in that Named Plaintiffs allege no facts to make plausible the assertion that Named Plaintiffs’ PII is in the public domain.

(Id. at 30.)

Notably, the Court did not address the intrusion upon seclusion argument.  This may be an oversight.  However, based on the Court’s analysis, my take is that the Court would have rejected the argument because there were no allegations that plaintiffs’ seclusion had been breached, or that Nationwide was doing the “intruding.”

What does this case mean?  Most data breach lawsuits allege common law invasion of privacy as a throw-in, boilerplate claim.  This case highlights an important wrinkle that makes such claims susceptible to early dismissal.  The tort of publicity to private life requires that the defendant disseminate information to the public at large.  However, few, if any, data breach lawsuits allege that the corporate defendant suffering the breach, itself, disseminated anything, or that the information reached the public.  A fundamental premise to the Galaria court’s holding is that theft is not a dissemination of information (1) by the defendant (2) to the public at large.  Thus, these lawsuits may not satisfy the tort’s prima facie requirements.  Similar analysis should apply to an intrusion upon seclusion claim.

When rendering its decision, the Court also correctly focused upon the type of dissemination alleged (or not alleged), rather than the nature of information at issue.  The Galaria plaintiffs’ argument that a court’s inquiry for publication should focus on the type of information being disclosed rather than the number of individuals who obtained the information is a common refrain of claimants in both defense and insurance coverage contexts.  But a determination of the meaning of “publication” should be independent of the nature of the information at issue, whether that information be ZIP codes, social security numbers, internet cookies, or whatever.

Finally, Galaria also highlights a decision where a court rejected conclusory assertions as a substitute for factual allegations.  That’s a good thing.  Too often, conclusory assertions that are completely divorced from the context of the factual allegations are asserted for the mere purpose of surviving early dismissal motions and/or in hope of hooking insurance coverage.

Questions and comments are welcome.

This entry was posted in Data Breach Insurance Coverage.

Attention Shoppers: Increased Risk Of Identity Theft From A Data Breach Is Not An Injury



A new data breach decision has just come out, Galaria v. Nationwide Mut. Ins. Co., No. 13-118 (S.D. Ohio Feb. 10, 2014).  The decision, a copy of which is attached, involves two putative class action lawsuits alleging increased risk of identity theft as a result of a data breach and theft of personally identifiable information (“PII”).  The issues addressed by the Court are whether such claims allege an injury, and whether they allege a viable claim for invasion of privacy.

Both issues are critical in data breach claims.  Because space afforded here is limited, The Coverage Inkwell will address each issue separately.  This issue focuses on the Court’s discussion of whether allegations of increased risk of identity theft, fraud, and phishing resulting from a data breach constitute an actual injury to satisfy standing requirements.  The next issue will focus on the Court’s discussion of whether the data breach claim alleged a viable claim for invasion of privacy.

In Galaria, Nationwide Mutual Insurance Company was sued by two putative class actions after it notified class members that data thieves had hacked into its computer systems and stolen class members’ PII.  (Id. at 2-3.)  In its notification letter, Nationwide suggested that plaintiffs undertake steps to safeguard their PII, including to monitor their credit reports and bank statements, and offered them one year of free credit monitoring and identity theft protection through Equifax. (Id. at 2.)  Nationwide also suggested that plaintiffs place a freeze on their credit reports at their own expense.  (Id.)

The lawsuits that followed alleged claims for violation of the Fair Credit Reporting Act (“FCRA”), and common law claims for negligence, invasion of privacy, and bailment.  (Id. at 1.)  The lawsuits alleged that because of the data breach, plaintiffs incurred damages in the form of: (i) the increased risk of identity theft and phishing, (ii) out-of-pocket expenses incurred to purchase credit monitoring and to mitigate the risk of identity theft, (iii) loss of value in their PII, and (iv) loss of privacy.  (Id. at 4-5.)  Importantly, neither lawsuit alleged that the named plaintiffs’ PII had been misused or that their identities had been stolen.  (Id. at 3.)

Nationwide moved for dismissal, arguing that plaintiffs lacked standing because they failed to allege an injury-in-fact.  (Id. at 4.)  The Court agreed.

What is Standing?  In order to prosecute a lawsuit, a plaintiff must demonstrate standing by showing that he or she has suffered an injury that can be redressed by the court.  The alleged injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”  (Id. at 6, citing Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1146 (2013).)  The “imminent” requirement for an injury is to ensure that the alleged injury, if not actual, is “certainly impending.”  (Id. (same).)  As explained by the Court in Galaria, allegations of “increased risk” of injury alone are insufficient:

Thus, the Supreme Court has “repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact, and that [a]llegations of possible future injury are not sufficient” to confer standing.  Id. (internal quotations and citations omitted).  Moreover, the Supreme Court is “reluctan[t] to endorse standing theories that rest on speculation about the decisions of independent actors.”

(Id.)

The Galaria Court held that the lawsuits failed to allege an actual or imminent injury to satisfy standing requirements, thereby requiring their dismissal.  Looking at the case before it, the Galaria Court noted that although plaintiffs alleged their PII had been stolen and disseminated, they did not allege that it had been used or that they had been victimized by identity theft.  (Id. at 11.)  Instead, they urged that the data theft placed them at an increased risk of fraud.  According to the Court, this was not enough.  Allegations of increased risk of identity theft and phishing alone do not satisfy the requirement that an injury be actual or imminent:

In this case, an increased risk of identity theft, identity fraud, medical fraud or phishing is not itself an injury-in-fact because Named Plaintiffs did not allege—or offer facts to make plausible—an allegation that such harm is “certainly impending.”  Even though Plaintiffs alleged they are 9.5 times more likely than the general public to become victims of theft or fraud, that factual allegation sheds no light as to whether theft or fraud meets the “certainly impending” standard.  That is, a factual allegation as to how much more likely they are to become victims than the general public is not the same as a factual allegation showing how likely they are to become victims.

(Id. at 12 (emphasis added).)  (The Court also held that the lawsuits did not satisfy statutory standing under FCRA – id. at 7-9.)

Buttressing the Court’s conclusion that the alleged injuries were “speculative” was the fact that any actual injury would be wholly dependent upon the future actions of an independent third party, not the defendant:

That speculative nature of the injury is further evidenced by the fact that its occurrence will depend on the decisions of independent actors.  Even though Named Plaintiffs allege a third party or parties have their PII, whether Named Plaintiffs will become victims of theft or fraud or phishing is entirely contingent on what, if anything, the third party criminals do with that information.  If they do nothing, there will be no injury.

(Id. at 13.)  Because the lawsuits did not show that injury from identity theft or phishing was certainly impending, there was no alleged injury.  (Id. at 20.)

The Court also rejected the argument that plaintiffs’ alleged out-of-pocket expenses incurred to monitor their credit and safeguard against fraud constituted an actual injury.  The Court based its conclusion on the observation that litigants cannot bootstrap standing by incurring costs to create an injury:

Named Plaintiffs allege they incurred costs to mitigate the increased risk of identity theft, identity fraud, medical fraud, and phishing. . . . Such injury does not suffice to confer standing because “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”

(Id. at 18, quoting Clapper, supra (emphasis added).)  According to the Court, allowing plaintiffs to “bring this action based on costs they incurred in response to a speculative threat would be tantamount to accepting a repackaged version of [Named Plaintiffs’] first failed theory of standing.”  (Id. at 19, citation omitted.)  A plaintiff “cannot create standing by choosing to make expenditures in order to mitigate a purely speculative harm.”  (Id. at 20.)

The Court also rejected arguments that the loss of value of PII constituted an injury.  Sidestepping the argument of whether PII has value, the Court held that because the lawsuits did not show how plaintiffs had been deprived of any value, there was no alleged injury:

Regardless of whether Named Plaintiffs argue the value of their PII has merely diminished or whether they allege complete deprivation of value, they have failed to allege any facts explaining how their PII became less valuable to them (or lost all value) by the data breach.  Specifically, Named Plaintiffs allege that stolen PII can be sold on the cyber black market for $14 to $25 per record … but fail to allege how the data breach prevents them from selling their PII at that value.  Indeed, Named Plaintiffs fail to allege that they could even access that illegal market and sell their PII. For example, neither Named Plaintiff alleges he tried to sell his PII after the data breach but was unable to do so because of the breach or was forced to sell it for less than its full worth.

(Id. at 22-23.)

Finally, the Court held that while the theft and dissemination of PII alleged a loss of privacy, that loss alone does not constitute an injury to satisfy standing:

Named Plaintiffs failed to allege that the loss of privacy has itself resulted in any adverse consequences apart from the speculative injury of increased risk of identity theft, identity fraud, medical fraud, or phishing.  A finding that the loss of privacy alone constitutes an injury sufficient to confer standing would contradict the Court’s above conclusion that mere exposure of PII is insufficient to confer standing and would mean that any time a plaintiffs PII has been exposed as a result of a data breach, he would have standing to sue—regardless of whether that PII is ever actually misused or the plaintiff ever suffers adverse consequences from the exposure.

(Id. at 21.)

What does this case mean?  There is a lot to ponder in this case.  The case represents a momentary blow for those class action lawsuits that have nothing to show in terms of “injury” other than the claim of “increased risk” of identity theft.  Paging Target shoppers….  I say “momentary,” because I anticipate that clever pleading may find its way into future complaints for the sole purpose of surviving similar motions to dismiss.  Nevertheless, the decision draws a line on what constitutes an injury and what does not for data breach cases whose central premise is that consumers have been injured through an increased risk of fraud.

Although Galaria is not an insurance coverage case, does it have coverage implications?  You bet.  If an increased risk of identity theft and phishing does not constitute an injury for purposes of standing, could it be argued that such claims cannot allege “damages” because of “personal and advertising injury”?  The argument has been made in other contexts.  It’s an issue to think about.

Questions and comments are welcome.

This entry was posted in Data Breach Insurance Coverage.