Attention Shoppers: Increased Risk of Identity Theft From a Data Breach Is Not an Injury


This entry was posted by on .

A new data breach decision has just come out, Galaria v. Nationwide Mut. Ins. Co., No. 13-118 (S.D. Ohio Feb. 10, 2014).  The decision, a copy of which is attached, involves two putative class action lawsuits alleging increased risk of identity theft as a result of a data breach and theft of personally identifiable information (“PII”).  The issues addressed by the Court are whether such claims allege an injury, and whether they allege a viable claim for invasion of privacy.

Both issues are critical in data breach claims.  Because space afforded here is limited, The Coverage Inkwell will address each issue separately.  This issue focuses on the Court’s discussion of whether allegations of increased risk of identity theft, fraud, and phishing resulting from a data breach constitutes an actual injury to satisfy standing requirements.  The next issue will focus on the Court’s discussion of whether the data breach claim alleged a viable claim for invasion of privacy.

In Galaria, Nationwide Mutual Insurance Company was sued by two putative class actions after it notified class members that data thieves had hacked into its computer systems and stolen class members’ PII.  (Id. at 2-3.)  In its notification letter, Nationwide suggested that plaintiffs undertake steps to safeguard their PII, including to monitor their credit reports and bank statements, and offered them one year of free credit monitoring and identity theft protection through Equifax. (Id. at 2.)  Nationwide also suggested that plaintiffs freeze on their credit reports at their own expense.  (Id.)

The lawsuits that followed alleged claims for violation of the Fair Credit Reporting Act (“FCRA”), and common law claims for negligence, invasion of privacy, and bailment.  (Id. at 1.)  The lawsuits alleged that because of the data breach, plaintiffs incurred damages in the form of: (i) the increased risk of identity theft and phishing, (ii) out-of-pocket expenses incurred to purchase credit monitoring and to mitigate the risk of identity theft, (iii) loss of value in their PII, and (iv) loss of privacy.  (Id. at 4-5.)  Importantly, neither lawsuit alleged that named plaintiffs’ PII had been misused or that his identity had been stolen.  (Id. at 3.)

Nationwide moved for dismissal, arguing that plaintiffs lacked standing because they failed to allege an injury-in-fact.  (Id. at 4.)  The Court agreed.

What is Standing?  In order to prosecute a lawsuit, a plaintiff must demonstrate standing by showing that he or she has suffered an injury that can be redressed by the court.  The alleged injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”  (Id. at 6, citing Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1146 (2013).)  The “imminent” requirement for an injury is to ensure that the alleged injury, if not actual, is “certainly impending.”  (Id. (same).)  As explained by the Court in Galaria, allegations of “increased risk” of injury alone are insufficient:

Thus, the Supreme Court has “repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact, and that [a]llegations of possible future injury are not sufficient” to confer standing.  Id. (internal quotations and citations omitted).  Moreover, the Supreme Court is “reluctan[t] to endorse standing theories that rest on speculation about the decisions of independent actors.”

(Id.)

The Galaria Court held that the lawsuits failed to allege an actual or imminent injury to satisfy standing requirements, thereby requiring their dismissal.  Looking at the case before it, the Galaria Court noted that although plaintiffs alleged their PII had been stolen and disseminated, they did not allege that it had been used or that they had been victimized by identity theft.  (Id. at 11.)  Instead, they urged that the data theft placed them at an increased risk of fraud.  According to the Court, this was not enough.  Allegations of increased risk of identity theft and phishing alone do not satisfy the requirement that an injury be actual or imminent:

In this case, an increased risk of identity theft, identity fraud, medical fraud or phishing is not itself an injury-in-fact because Named Plaintiffs did not allege—or offer facts to make plausible—an allegation that such harm is “certainly impending.”  Even though Plaintiffs alleged they are 9.5 times more likely than the general public to become victims of theft or fraud, that factual allegation sheds no light as to whether theft or fraud meets the “certainly impending” standard.  That is, a factual allegation as to how much more likely they are to become victims than the general public is not the same as a factual allegation showing how likely they are to become victims.

(Id. at 12 (emphasis added).)  (The Court also held that the lawsuits did not satisfy statutory standing under FCRA – id. at 7-9.)

Buttressing the Court’s conclusion that the alleged injuries were “speculative” was the fact that any actual injury would be wholly dependent upon the future actions of a independent third party, not the defendant:

That speculative nature of the injury is further evidenced by the fact that its occurrence will depend on the decisions of independent actors.  Even though Named Plaintiffs allege a third party or parties have their PII, whether Named Plaintiffs will become victims of theft or fraud or phishing is entirely contingent on what, if anything, the third party criminals do with that information.  If they do nothing, there will be no injury.

(Id. at 13.)  Because the lawsuits did not show that injury from identity theft or phishing was certainly impending, there was no alleged injury.  (Id. at 20.)

The Court also rejected that plaintiffs’ alleged out-of-pocket expenses incurred to monitor their credit and safeguard against fraud constituted an actual injury.  The Court based its conclusion on the observation that litigants cannot bootstrap standing by incurring costs to create an injury:

Named Plaintiffs allege they incurred costs to mitigate the increased risk of identity theft, identity fraud, medical fraud, and phishing. . . . Such injury does not suffice to confer standing because “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.

(Id. at 18, quoting Clapper, supra (emphasis added).)  According to the Court, allowing plaintiffs to “bring this action based on costs they incurred in response to a speculative threat would be tantamount to accepting a repackaged version of [Named Plaintiffs’] first failed theory of standing.”  (Id. at 19, citation omitted.)  A plaintiff “cannot create standing by choosing to make expenditures in order to mitigate a purely speculative harm.”  (Id. at 20.)

The Court also rejected arguments that the loss of value of PII constituted an injury.  Sidestepping the argument of whether PII has value, the Court held that because the lawsuits did not show how plaintiffs had been deprived of any value, there was no alleged injury:

Regardless of whether Named Plaintiffs argue the value of their PII has merely diminished or whether they allege complete deprivation of value, they have failed to allege any facts explaining how their PII became less valuable to them (or lost all value) by the data breach.  Specifically, Named Plaintiffs allege that stolen PII can be sold on the cyber black market for $14 to $25 per record … but fail to allege how the data breach prevents them from selling their PII at that value.  Indeed, Named Plaintiffs fail to allege that they could even access that illegal market and sell their PII. For example, neither Named Plaintiff alleges he tried to sell his PII after the data breach but was unable to do so because of the breach or was forced to sell it for less than its full worth.

(Id. at 22-23.)

Finally, the Court held that while the theft and dissemination of PII alleged a loss of privacy, that loss alone does not constitute an injury to satisfy standing:

Named Plaintiffs failed to allege that the loss of privacy has itself resulted in any adverse consequences apart from the speculative injury of increased risk of identity theft, identity fraud, medical fraud, or phishing.  A finding that the loss of privacy alone constitutes an injury sufficient to confer standing would contradict the Court’s above conclusion that mere exposure of PII is insufficient to confer standing and would mean that any time a plaintiffs PII has been exposed as a result of a data breach, he would have standing to sue—regardless of whether that PII is ever actually misused or the plaintiff ever suffers adverse consequences from the exposure.

(Id. at 21.)

What does this case mean?  There is a lot to ponder in this case.  The case represents a momentary blow for those class action lawsuits that have nothing to show in terms of “injury” other than the claim of “increased risk” of identity theft.  Paging Target shoppers….  I say “momentary,” because I anticipate that clever pleading may find its way into future complaints for the sole purpose of surviving similar motions to dismiss.  Nevertheless, the decision draws a line on what constitutes an injury and what does not for data breach cases whose central premise is that consumers have been injured through an increased risk of fraud.

Although Galaria is not an insurance coverage case, does it have coverage implications?  You bet.  If an increased risk of identity theft and phishing does not constitute an injury for purposes of standing, could it be argued that such claims cannot allege “damages” because of “personal and advertising injury”?  The argument has been made in other contexts.  It’s an issue to think about.

Questions and comments are welcome.

This entry was posted in Data Breach Insurance Coverage.