Data Breach Lawsuits Don’t Allege Viable Invasion of Privacy Claim



Last week, The Coverage Inkwell discussed a new data breach case, Galaria v. Nationwide Mut. Ins. Co., No. 13-118 (S.D. Ohio Feb. 10, 2014), in which an Ohio federal court held that a slew of allegations in two putative class action lawsuits, including increased risk of identity theft and out-of-pocket credit monitoring expenses, did not constitute an injury for purposes of standing.  The court also addressed whether the lawsuits alleged viable claims of the tort of invasion of privacy.  This latter issue is addressed here.

In Galaria, Nationwide Mutual Insurance Company was sued in two putative class actions after it notified class members that data thieves had hacked into its computer systems and stolen class members’ personally identifiable information (PII).  (Id. at 2-3.)  In its notification letter, Nationwide suggested that plaintiffs take steps to safeguard their PII, including monitoring their credit reports and bank statements, and it offered them one year of free credit monitoring and identity theft protection through Equifax. (Id. at 2.)  Nationwide also suggested that plaintiffs place a freeze on their credit reports at their own expense.  (Id.)

Nationwide moved to dismiss the lawsuits on various grounds, including that the lawsuits did not allege a viable claim for invasion of privacy.  In general, a claim for invasion of privacy entails four separate and distinct torts.  Publicity to private life and intrusion upon seclusion are the torts most commonly implicated in a data breach claim.  Publicity given to private life involves rights of secrecy and happens when private facts are published and their publication would be highly offensive and not of legitimate public concern.  Intrusion upon seclusion involves a person’s right to be left alone, including freedom from investigation of private affairs.  Intrusion upon seclusion does not have a publication component or requirement.

In Galaria, Nationwide contended that the lawsuits’ invasion of privacy claims failed because there were no allegations that Nationwide had publicly disclosed the PII in question.  (Id. at 27.)  Specifically, Nationwide argued that because the complaint acknowledged that the PII had been stolen, the complaint necessarily acknowledged that Nationwide took no action to publicize the PII as would be required to prove liability under the tort.  (Id. at 28.)  Nationwide also argued that the complaint failed to allege that the PII had reached the public at large, or that the PII was substantially certain to become public knowledge, as needed to meet the tort’s publication requirements.  (Id. at 27-28.)

Plaintiffs counter-argued that the tort of publication of private facts does not require publication to the public at large, contending that the inquiry focuses on the type of information disclosed rather than the number of individuals who obtain the information.  (Id. at 29.)  In the alternative, plaintiffs also argued that the lawsuits alleged intrusion upon seclusion, which does not require publication.  (Id.)

The Court disagreed with plaintiffs and concluded that the lawsuits did not allege a viable invasion of privacy claim for two reasons.  First, because the complaint failed to allege that Nationwide had taken any action to disseminate information, Nationwide could not be held liable for an invasion of privacy claim as a matter of law:

First, there is no allegation in the Complaint that Defendant disclosed Named Plaintiffs’ private affairs.  While the Complaint alleges Defendant disseminated Named Plaintiffs’ PII, that allegation is conclusory.  There are no factual allegations in the Complaint to make plausible the allegation that Defendant disseminated Named Plaintiffs’ PII.  Rather, the Complaint alleges the PII was stolen from Defendant, not that Defendant disseminated it to anyone.

(Id. at 29.)

Second, the Court held that the complaint failed to allege a sufficient dissemination of the information to the public at large to satisfy the publication requirements of the tort:

The Complaint fails to allege publicity.  It alleges the PII is in the hands of the hacker(s), not the general public.  Specifically, the Complaint alleges that “the criminal(s) and/or their customers now have Plaintiffs and the other Class Members’ compromised PII,” Compl. ¶ 19, ECF No. 1.  The Complaint thus fails to allege how many hackers ever had the PII and whether the hacker(s) sold the PII to anyone, let alone to how many people the hacker(s) sold the PII.  Therefore, the allegation that the data breach “resulted in the theft and wrongful dissemination of Plaintiffs and the other Class Members’ PII into the public domain,” Id. at ¶ 55, is conclusory in that Named Plaintiffs allege no facts to make plausible the assertion that Named Plaintiffs’ PII is in the public domain.

(Id. at 30.)

Notably, the Court did not address the intrusion upon seclusion argument.  This may be an oversight.  However, based on the Court’s analysis, my take is that the Court would have rejected the argument because there were no allegations that plaintiffs’ seclusion had been breached, or that Nationwide was doing the “intruding.”

What does this case mean?  Most data breach lawsuits allege common law invasion of privacy as a throw-in, boilerplate claim.  This case highlights an important wrinkle that makes such claims susceptible to early dismissal.  The tort of publicity to private life requires that the defendant disseminate information to the public at large.  However, few, if any, data breach lawsuits allege that the corporate defendant suffering the breach, itself, disseminated anything, or that the information reached the public.  A fundamental premise of the Galaria court’s holding is that theft is not a dissemination of information (1) by the defendant (2) to the public at large.  Thus, these lawsuits may not satisfy the tort’s prima facie requirements.  Similar analysis should apply to an intrusion upon seclusion claim.

When rendering its decision, the Court also correctly focused upon the type of dissemination alleged (or not alleged), rather than the nature of information at issue.  The Galaria plaintiffs’ argument that a court’s inquiry for publication should focus on the type of information being disclosed rather than the number of individuals who obtained the information is a common refrain of claimants in both defense and insurance coverage contexts.  But a determination of the meaning of “publication” should be independent of the nature of the information at issue, whether that information be ZIP codes, social security numbers, internet cookies, or whatever.

Finally, Galaria also highlights a decision where a court rejected conclusory assertions as a substitute for factual allegations.  That’s a good thing.  Too often, conclusory assertions that are completely divorced from the context of the factual allegations are asserted for the mere purpose of surviving early dismissal motions and/or in hope of hooking insurance coverage.

Questions and comments are welcome.

This entry was posted in Data Breach Insurance Coverage.