From Casetext: Smarter Legal Research

Galaria v. Nationwide Mut. Ins. Co.

United States District Court, S.D. Ohio, Eastern Division.
Feb 10, 2014
998 F. Supp. 2d 646 (S.D. Ohio 2014)

Summary

finding no standing even though personal information was stolen from an insurance company's computer network and was actually disseminated

Summary of this case from Khan v. Children's Nat'l Health Sys.

Opinion

Case Nos. 2:13–CV–118 2:13–cv–257.

2014-02-10

Mohammad S. GALARIA, individually and on behalf of all others similarly situated, Plaintiff, v. NATIONWIDE MUTUAL INSURANCE CO., Defendant. Anthony Hancox, individually and on behalf of all others similarly situated, Plaintiff, v. Nationwide Mutual Insurance Company, Defendant.

Ben Barnow, Barnow and Associates, P.C., One North Lasalle, Chicago, IL, Mitchell L. Burgess, Burgess & Lamb, P.C., Ralph K. Phalen, Ralph K. Phalen Law PC, Kansas City, MO, Richard L. Coffman, The Coffman Law Firm, Beaumont, TX, Charles T. Lester, Jr., Charles T. Lester, Jr., Attorney at Law, Fort Thomas, KY, for Plaintiff. Michael Hiram Carpenter, Katheryn M. Lloyd, Carpenter Lipps & Leland LLP, Columbus, OH, Harvey J. Wolkoff, Mark P. Szpak, Richard D. Batchelder, Jr., Ropes & Gray LLP, Boston, MA, Gregory T. Wolf, SNR Denton US, LLP, Kansas City, MO, for Defendant.



Ben Barnow, Barnow and Associates, P.C., One North Lasalle, Chicago, IL, Mitchell L. Burgess, Burgess & Lamb, P.C., Ralph K. Phalen, Ralph K. Phalen Law PC, Kansas City, MO, Richard L. Coffman, The Coffman Law Firm, Beaumont, TX, Charles T. Lester, Jr., Charles T. Lester, Jr., Attorney at Law, Fort Thomas, KY, for Plaintiff. Michael Hiram Carpenter, Katheryn M. Lloyd, Carpenter Lipps & Leland LLP, Columbus, OH, Harvey J. Wolkoff, Mark P. Szpak, Richard D. Batchelder, Jr., Ropes & Gray LLP, Boston, MA, Gregory T. Wolf, SNR Denton US, LLP, Kansas City, MO, for Defendant.

OPINION AND ORDER


MICHAEL H. WATSON, District Judge.

Mohammad S. Galaria and Anthony Hancox (“Named Plaintiffs”) are the named plaintiffs in these related putative class action lawsuits. Named Plaintiffs sue Nationwide Mutual Insurance Company (“Defendant”), alleging violations of the Fair Credit Reporting Act (“FCRA”), negligence, invasion of privacy, and bailment. Defendant moves to dismiss both Complaints for lack of standing and failure to state a claim. Mot. Dismiss, ECF No. 21. For the following reasons, the Court grants Defendant's motion.

The Complaints in both cases are virtually identical. Compare Compl., ECF No. 1, Case No. 2:13–cv–118with Compl., ECF No. 1, Case No. 2:13–cv–257. The Court will therefore cite only to the Complaint and motion to dismiss in case number 2:13–cv–118 as it is the earliest filed case. The conclusions herein apply with equal force to case number 2:13–cv–257.

I. FACTS

The following facts are taken from Named Plaintiffs' Complaints.

Mohammad S. Galaria is a citizen and resident of Minnesota. Anthony Hancox is a citizen and resident of Kansas. Defendantis an Ohio corporation, with its principal place of business in Columbus, Ohio, which provides insurance and financial services.

Named Plaintiffs and the putative class members gave their personally identifiable information (“PII”) to Defendant in the course of purchasing or seeking to purchase insurance products. Specifically, Galaria provided his PII when he purchased an insurance policy, and Hancox provided his PII when he sought an insurance quote from Defendant. Named Plaintiffs allege Defendant was required by law to safeguard, protect, lawfully obtain, and retain their PII.

Plaintiffs allege the class consists of approximately 1.1 million people who purchased insurance products from Defendant or sought insurance quotes from Defendant and were affected by the data breach. Compl. ¶ 14, ECF No. 1.

PII in this case refers to the plaintiffs' names and some combination of their social security numbers, driver's license numbers, birth dates, marital statuses, genders, occupations, and employers' names and addresses.

On November 16, 2012, Named Plaintiffs received a letter from Defendant indicating that on October 23, 2012, thieves hacked into a portion of Defendant's computer network and that their PII was stolen and disseminated as part of the theft.

Defendant's letter suggested Named Plaintiffs take steps to safeguard their PII, including closely monitoring their credit reports and bank statements. Defendant offered Named Plaintiffs one year of free credit monitoring and identity theft protection through Equifax. Defendant further suggested Named Plaintiffs place a security freeze on their credit reports at their own expense. Neither Named Plaintiff alleges his PII was misused or that his identity was stolen as a result of the data theft.

II. STANDARD OF REVIEW

A claim survives a motion to dismiss pursuant to Rule 12(b)(6) if it “contain [s] sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ ” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (internal quotations omitted). “The plausibility standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. A complaint's “[f]actual allegations must be enough to raise a right to relief above the speculative level, on the assumption that all of the complaint's allegations are true.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555–56, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) (internal citations omitted).

A court must also “construe the complaint in the light most favorable to the plaintiff.” Inge v. Rock Fin. Corp., 281 F.3d 613, 619 (6th Cir.2002). Nonetheless, a plaintiff must provide “more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555, 127 S.Ct. 1955; see also Iqbal, 556 U.S. at 678, 129 S.Ct. 1937 (“Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.”). “[A] naked assertion ... gets the complaint close to stating a claim, but without some further factual enhancement it stops short of the line between possibility and plausibility....” Twombly, 550 U.S. at 557, 127 S.Ct. 1955.

III. ANALYSIS

Defendant argues Named Plaintiffs lack standing because they failed to allege in their Complaint that they suffered an injury-in-fact or, if they did suffer an injury-in-fact, that the injury was causally connected to Defendant's actions or failure to act.

Alternatively, Defendant argues that even if Named Plaintiffs have standing, Defendant is entitled to a dismissal of each of the five counts in the Complaint for failure to state a claim. Because it implicates jurisdiction, the Court considers the standing issue first.

A. Standing

The Complaint states that as a direct and/or proximate result of Defendant's wrongful actions and/or inaction and the resulting data breach, Plaintiffs have incurred (and will continue to incur) damages in the form of: (i) the imminent, immediate, and continuing increased risk of identity theft, identity fraud and/or medical fraud; (ii) out-of-pocket expenses to purchase credit monitoring, internet monitoring, identity theft insurance and/or other data breach risk mitigation products; (iii) out-of-pocket expenses incurred to mitigate the increased risk of identity theft, identity fraud and/or medical fraud, including the costs of placing a credit freeze and thereafter removing the credit freeze; (iv) the value of the time spent mitigating the increased risk of identity theft, identity fraud and/or medical fraud; (v) the substantial increased risk of being victimized by “phishing;” (vi) loss of privacy; and (vii) deprivation of the value of their PII. Compl. ¶¶ 28, 38, ECF No. 1.

Phishing is an attempt to acquire personal information by masquerading as a trustworthy entity through an electronic communication. Compl. ¶ 28, ECF No. 1.

These damages may be grouped into three broad categories: (i) increased risk of harm/cost to mitigate increased risk; (ii) loss of privacy; and (iii) deprivation of the value of PII. Named Plaintiffs contend they have statutory standing for their FCRA claims and argue the above “damages” suffice as injuries-in-fact to confer standing for their negligence, invasion of privacy, and bailment claims.

Defendant agrees Named Plaintiffs have statutory standing to bring their claim for willful violation of the FCRA but argues the Complaint fails to state a claim for such a violation and that Named Plaintiffs lack standing for their claim of negligent violation of the FCRA. Defendant avers none of the above-mentioned injuries amounts to a cognizable injury sufficient to confer Article III standing for Named Plaintiffs' negligence, invasion of privacy, or bailment claims.

1. General Principals of Standing

“Article III of the Constitution limits federal courts' jurisdiction to certain ‘Cases' and ‘Controversies.’ ” Clapper v. Amnesty Intern. USA, ––– U.S. ––––, 133 S.Ct. 1138, 1146, 185 L.Ed.2d 264 (2013). “One element of the case-or-controversy requirement is that plaintiffs must establish that they have standing to sue.” Id. (internal citations and quotations omitted). “In sum, when a plaintiffs standing is brought into issue the relevant inquiry is whether, assuming justiciability of the claim, the plaintiff has shown an injury to himself that is likely to be redressed by a favorable decision.” Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 38, 96 S.Ct. 1917, 48 L.Ed.2d 450 (1976). “To establish Article III standing, an injury must be concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Clapper, 133 S.Ct. at 1146 (internal quotation and citations omitted).

The imminence requirement is designed to ensure the injury is “certainly impending.” Clapper, 133 S.Ct. at 1146 (citation omitted). Thus, the Supreme Court has “repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact, and that [a]llegations of possible future injury are not sufficient” to confer standing. Id. (internal quotations and citations omitted). Moreover, the Supreme Court is “reluctan[t] to endorse standing theories that rest on speculation about the decisions of independent actors.” Id. at 1150.

“The party invoking federal jurisdiction bears the burden of establishing these [standing] elements.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). Moreover, each element must be proven with the requisite “degree of evidence required at the successive stages of the litigation.” Id. Here, Plaintiffs bear the burden to establish standing, and as this case is before the Court on a motion to dismiss, the inquiry is whether Plaintiffs have adequately pleaded facts which, if true, plausibly establish standing.

Finally, “the Supreme Court has stated that in a class action lawsuit any named plaintiff who proposes to represent a class ‘must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.’ ” Kahle v. Litton Loan Serv. LP, 486 F.Supp.2d 705, 709 (S.D.Ohio 2007) (quoting Simon v. Eastern Ky. Welfare Rights Org., 426 U.S. 26, 40 n. 20, 96 S.Ct. 1917, 48 L.Ed.2d 450 (1976)). Thus, Named Plaintiffs cannot represent a class unless they personally satisfy the standing requirement.

2. Statutory Standing under FCRA

Named Plaintiffs argue they have statutory standing for their FCRA claims. Defendant concedes statutory standing only with respect to Named Plaintiffs' claim for willful violation of the FCRA. Defendant's concession does not end the inquiry, however, because the Court has an independent duty to examine the standing issue. Having done so, the Court finds Named Plaintiffs have no statutory standing under the FCRA.

“Congress has the power to create new legal rights, [including] right[s] of action whose only injury-in-fact involves the violation of that statutory right.” In re Carter, 553 F.3d 979, 988 (6th Cir.2009) (citations omitted). Nonetheless, there are two constitutional limitations on that power. “Among other things, Congress may confer standing to redress injuries only on parties who actually have been deprived of the newly established statutory rights: the ‘injury in fact’ test requires ... that the party seeking review be himself among the injured.” Id. at 988 (quotations and citations omitted); Beaudry v. TeleCheck Servs., Inc., 579 F.3d 702, 707 (6th Cir.2009) (analyzing standing for FCRA claim). “Second, although a right created by Congress need not be economic in nature, it still must cause individual, rather than collective, harm.” Beaudry, 579 F.3d at 707.

Section 1681n(a) and § 1681 o of the FCRA create causes of action for, respectively, the willful and negligent failure “to comply with any requirement imposed under this subchapter....” 15 U.S.C. §§ 1681n(a); 1681 o. Named Plaintiffs allege in the Complaint that Defendant violated § 1681(b), Section 1681(b) is the statement of purpose. It states the purpose of the subchapter is to:

require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this subchapter.
15 U.S.C. § 1681(b) (emphasis added). Accordingly, the statement of purpose merely educates the public as to the purpose of the statute and states that the specific requirements of the subchapter are set forth in the remainder of the subchapter.

Named Plaintiffs' vague allegation that Defendant violated the statement of purpose by “failing to adopt and maintain such protective procedures ...,” Compl. ¶ 55, ECF No. 1, is insufficient to confer statutory standing because it fails to allege Defendant violated one of the requirements of the subchapter. In other words, the Complaint does not allege a specific requirement in the FCRA that Defendant failed to perform or a specific prohibition that Defendant ignored.

To the extent Named Plaintiffs meant to allege that Defendant violated § 1681b by impermissibly furnishing their consumer reports, the Complaint does not so state. The Complaint does not cite § 1681b as a specific violation, and indeed, it not only cites, but also almost quotes verbatim, the statement of purpose in § 1681(b) as the section Defendant violated. This was not an inadvertent reference to § 1681(b). Rather, Named Plaintiffs made a conscious decision to rely on that section as the basis for their FCRA claims.

To hold otherwise would confer statutory standing on any plaintiff who alleges a defendant violated the purpose of a statute regardless of whether the defendant took or failed to take an action the statute prohibited or required. The Court cannot find that Congress intended to confer statutory standing in instances where a plaintiff alleges a defendant violated a statute in a manner other than as provided by Congress in the statute. Accordingly, Named Plaintiffs do not have statutory standing to bring their FCRA claims because they have not alleged injury arising from the violation of a particular statutory requirement or prohibition set forth in the FCRA.

3. Whether Named Plaintiffs Plead an Injury–In–Fact for Their State Law Claims

The Court turns now to Defendant's contention that Named Plaintiffs have not suffered an injury-in-fact to confer standing for their negligence, invasion of privacy, and bailment claims. Named Plaintiffs argue they suffered three types of injury which satisfy the injury-in-fact requirement and confer constitutional standing for those claims: (i) increased risk of harm/cost to mitigate increased risk; (ii) loss of privacy; and (iii) deprivation of the value of PII.

a. Increased Risk of Harm/Cost to Mitigate Increased Risk

Named Plaintiffs argue they face an increased risk of identity theft, identity fraud, or medical fraud; an increased risk of “phishing;” and that they have spent time and have incurred or will incur costs to mitigate those risks (such as through buying credit monitoring products, identity theft insurance or other risk mitigation products, and placing and removing a credit freeze). Named Plaintiffs contend these are sufficient injuries to confer standing.

Defendant argues all of those injuries are speculative because the Complaint does not allege Named Plaintiffs' PII was misused or that Named Plaintiffs suffered actual identity theft. Moreover, Defendant argues the injuries are speculative because Named Plaintiffs have not alleged they actually incurred any out-of-pocket costs or have spent any time to mitigate the potential risk of identity theft, identity fraud, medical fraud, or phishing.

The Court first considers whether an increased risk of harm can serve to satisfy the injury-in-fact element of standing before turning to whether mitigation expenses can satisfy the same.

i. Increased Risk of Harm

Named Plaintiffs alleged their PII was stolen and disseminated, but they have not alleged any adverse consequences from the theft or dissemination as they do not allege their PII has been misused. For example, they do not allege they have been victimized by identity theft, identity fraud, medical fraud, or phishing. Instead, they argue the dissemination of their PII puts them at an increased risk of such injury in the future.

As discussed below, Named Plaintiffs do not allege any facts to make plausible their assertion that their PII has been disseminated to persons other than the hackers themselves.

Named Plaintiffs' contention that an increased risk of harm constitutes injury-in-fact is similar to the respondent's position in Clapper v. Amnesty Intern. USA, ––– U.S. ––––, 133 S.Ct. 1138, 1142–43, 185 L.Ed.2d 264 (2013). In that case, respondents challenged the Foreign Intelligence Surveillance Act of 1978, which permitted surveillance of individuals who were not “United States persons” and who were believed to be located outside the U.S. Id. at 1142. The respondents were various persons who argued they would likely engage in sensitive communications with individuals who would be targets of surveillance under the Act. Id.

Although Clapper determined standing at the summary judgment stage, it is still applicable to this case. While the evidence needed to support an assertion of standing changes as the case progresses, in this case, Plaintiffs have failed to even allege the necessary injury to confer standing.

When their standing was challenged, respondents argued that there was “an objectively reasonable likelihood that their communications will be acquired under § 1881a at some point in the future.” Id. at 1143. But the Supreme Court concluded “respondents' theory of future injury is too speculative to satisfy the well-established requirement that threatened injury must be ‘certainly impending.’ ” Id. (citation omitted).

In this case, an increased risk of identity theft, identity fraud, medical fraud or phishing is not itself an injury-in-fact because Named Plaintiffs did not allege—or offer facts to make plausible—an allegation that such harm is “certainly impending.” Even though Plaintiffs alleged they are 9.5 times more likely than the general public to become victims of theft or fraud, that factual allegation sheds no light as to whether theft or fraud meets the “certainly impending” standard. That is, a factual allegation as to how much more likely they are to become victims than the general public is not the same as a factual allegation showing how likely they are to become victims.

Other allegations in the Complaint show such harm is not certainly impending. For example, Named Plaintiffs state that consumers who receive a data breach notification had a fraud incidence rate of 19% in 2011. Compl. ¶ 24, ECF No. 1. An injury can hardly be said to be “certainly impending” if there is less than a 20% chance of it occurring. Moreover, Named Plaintiffs' allegation that Defendant offered a free year of credit monitoring and identity theft protection further supports the Court's conclusion that risk of injury is not certainly impending. Thus, Named Plaintiffs failed to allege facts demonstrating the increased risk makes any future injury “certainly impending” as opposed to speculative.

Nor do the facts pleaded demonstrate there is a “substantial risk” of injury. See Clapper, 133 S.Ct. at 1150 n. 5 (stating the Court has sometimes found standing based on a “substantial risk” that the harm will occur but not stating whether that standard is distinct from the “clearly impending” standard). Named Plaintiffs have alleged less than a 20% chance of being victimized by identity theft, identity fraud, medical fraud, or phishing, which does not create a substantial risk given the uncertainties in third party action required to produce harm here.

That speculative nature of the injury is further evidenced by the fact that its occurrence will depend on the decisions of independent actors. Even though Named Plaintiffs allege a third party or parties have their PII, whether Named Plaintiffs will become victims of theft or fraud or phishing is entirely contingent on what, if anything, the third party criminals do with that information. If they do nothing, there will be no injury. It is only if the third parties themselves attempt to and successfully use Named Plaintiffs' PII to commit theft, fraud, or phishing or sell Named Plaintiffs' PII to others who then attempt to and successfully use it to commit theft, fraud, or phishing that injury will occur. As noted, the Supreme Court is reluctant to find standing where the injury-in-fact depends on the actions of independent decisionmakers as the injury in those circumstances is speculative. Clapper, 133 S.Ct. at 1141.

The Court's conclusion in this regard is supported by many other courts which have considered the arguments Named Plaintiffs make here. These courts have dismissed similar data breach cases at the motion to dismiss or summary judgment stages because the plaintiffs either lacked standing or could not prove the damages element of their claim. See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3rd Cir.2011) (finding plaintiffs lacked standing because harm depended on third parties reading, copying, and understanding their personal information, intending to use such information to commit future criminal acts, and being able to make unauthorized transactions in plaintiffs' names in the future); In re Barnes & Noble Pin Pad Litig., No. 12–cv–8617, 2013 WL 4759588, at *3 (N.D.III. Sept. 3, 2013) (citing Clapper and stating, “[m]erely alleging an increased risk of identity theft or fraud is insufficient to establish standing.”); Hammond v. The Bank of New York Mellon Corp., No. 08 Civ. 6060, 2010 WL 2643307, at *2 (S.D.N.Y. June 25, 2010) (“Plaintiffs here do not have Article III standing ( i.e., there is no “case or controversy”) because they claim to have suffered little more than an increased risk of future harm from the loss (whether by accident or theft) of their personal information.”); Allison v. Aetna, Inc., No. 09–2560, 2010 WL 3719243, at *5 (E.D.Pa. Mar. 9, 2010) (granting motion to dismiss for lack of standing because the plaintiffs “alleged injury of an increased risk of identity theft is far too speculative.”); Amburgy v. Express Scripts, Inc., 671 F.Supp.2d 1046, 1052 (E.D.Mo.2009) (“[P]laintiff surmises that, as a result of the security breach, he faces an increased risk of identity theft at an unknown point in the future. On the facts as alleged in the Complaint, it cannot be said that the alleged injury to plaintiff is imminent.”); Hinton v. Heartland Payment Sys., Inc., 2009 WL 704139, at *1 (D.N.J. Mar. 16, 2009) ( sua sponte dismissing case because plaintiff's allegations of increased risk of identity theft and fraud “amount to nothing more than mere speculation.”); Randolph v. ING Life Ins. and Annuity Co., 486 F.Supp.2d 1, 8 (D.D.C.2007) ( “Plaintiffs' allegations therefore amount to mere speculation that at some unspecified point in the indefinite future they will be the victims of identity theft.”); Key v. DSW, Inc., 454 F.Supp.2d 684, 689 (S.D.Ohio 2006) (“In the identity theft context, courts have embraced the general rule that an alleged increase in risk of future injury is not an ‘actual or imminent’ injury.”); Bell v. Acxiom Corp., No. 4:06CV00485–WRW, 2006 WL 2850042, at *2 (E.D.Ark. Oct. 3, 2006) (rejecting plaintiff's allegation of increased risk of identity theft and stating, “[b]ecause Plaintiff has not alleged that she has suffered any concrete damages, she does not have standing under the case-or-controversy requirement.”).

In contrast, other courts have found plaintiffs have standing in similar data breach cases. E.g., Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir.2010) (finding plaintiffs had standing because they alleged a credible threat of real and immediate harm as the laptop with their information was stolen); Ruiz v. Gap, Inc., 380 Fed.Appx. 689, 691 (9th Cir.2010) (finding standing because risk of identity theft from stolen laptop was “real, and not merely speculative”); Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir.2007) (finding standing because “the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions” but dismissing because the cost of credit monitoring is not a compensable damage) (citing, inter alia, Sutton v. St. Jude Med. S.C., Inc., 419 F.3d 568 (6th Cir.2005)); McLoughlin v. People's United Bank, Inc., No. 3:08–cv–00944 (VLB), 2009 WL 2843269, at *4 (D.Conn. Aug. 31, 2009) (finding standing because the Second Circuit standard for injury in fact consisted “of as little as simply ... the fear or anxiety of future harm” but dismissing for failure to state a claim) (internal citation omitted); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F.Supp.2d 273, 280, 284 (S.D.N.Y.2008) (finding standing but granting summary judgment to defendant on negligence and breach of fiduciary duty claims because New York would not likely recognize mitigation costs as damages without rational basis for plaintiffs fear of misuse of PII).

The Court disagrees with the finding of such cases that the mere increased risk of theft or fraud is a sufficiently concrete injury-in-fact to confer standing. First, all of the cases cited above were decided prior to Clapper. Clapper specifically rejected the idea that an injury is certainly impending if there is an “objectively reasonable likelihood” it will occur, Clapper, 133 S.Ct. at 1147, and the same reasoning seems to preclude the Ninth Circuit's even lower “not merely speculative” standard for injury-in-fact. The increased risk of harm may satisfy those standards, but under Clapper, more is required to show an injury is certainly impending.

Moreover, the Court agrees with the reasoning in Key that data breach cases are distinguishable from the medical monitoring case Sutton, in which the Sixth Circuit found a risk of developing severe and disabling medical conditions satisfied the injury-in-fact standing requirement. 454 F.Supp.2d at 690–91 (distinguishing Sutton because the Sutton plaintiff had already been exposed to the harm as he was implanted with the defective medical device, the harm in that case did not depend on the criminal acts of third parties, and Sutton involved preserving public health); see also Ruiz v. Gap, Inc., 622 F.Supp.2d 908, 914 (N.D.Cal.2009) (doubting that a California court would find data breach cases analogous to medical monitoring cases). In fact, the Sixth Circuit has implied in dicta that the type of injury suffered here is conjectural and hypothetical. Lambert v. Hartman, 517 F.3d 433, 438 (6th Cir.2008) (finding allegation that identity was stolen and that credit rating and financial security suffered was a sufficient injury to confer standing but stating that risk of future identity theft is somewhat hypothetical and conjectural).

Although Lambert later suggests, in the redressability discussion, that credit-monitoring would remedy an injury of future identity theft, Lambert does not hold that a risk of future identity theft is an injury-in-fact which confers standing. Lambert, 517 F.3d at 438.

In sum, the Court finds persuasive the reasoning in the line of cases rejecting risk of harm as an injury-in-fact in the context of data breaches. The Court therefore holds that the increased risk that Plaintiffs will be victims of identity theft, identity fraud, medical fraud, or phishing at some indeterminate point in the future does not constitute injury sufficient to confer standing where, as here, the occurrence of such future injury rests on the criminal actions of independent decisionmakers and where, as here, the Complaint lacks sufficient factual allegations to show such future injury is imminent or certainly impending.

This is true even though the Complaint alleges Named Plaintiffs' information was actually disseminated rather than was possibly disseminated. The fact that Plaintiffs' information was disseminated certainly increases the risk of identity fraud, identity theft, medical fraud, or phishing, but alone is insufficient to show injury is certainly impending.

ii. Cost to Mitigate Increased Risk

Named Plaintiffs allege they incurred costs to mitigate the increased risk of identity theft, identity fraud, medical fraud, and phishing. The Complaint states the Named Plaintiffs “have incurred (and will continue to incur) ... out-of-pocket expenses to purchase credit monitoring, internet monitoring, identity theft insurance and/or other Data Breach mitigation products [and] ... out-of-pocket expenses incurred to mitigate the increased risk of identity theft, identity fraud and/or medical fraud ... including the costs of placing a credit freeze and subsequently removing a credit freeze....” Compl. ¶ 38, ECF No. 1.

Such injury does not suffice to confer standing because “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Clapper, 133 S.Ct. at 1143, 1151 (rejecting respondents' alternative argument that they were suffering “ present injury because the risk of ... surveillance already has forced them to take costly and burdensome measures to protect the confidentiality of their international communications.”). “[A]llowing [Named Plaintiffs] to bring this action based on costs they incurred in response to a speculative threat would be tantamount to accepting a repackaged version of [Named Plaintiffs'] first failed theory of standing.” Id. (citing Am. Civil Liberties Union v. Nat'l Sec. Agency, 493 F.3d 644, 656–57 (6th Cir.2007)).

Lower courts have rejected Named Plaintiffs' argument in the data breach context as well. See, e.g., Reilly, 664 F.3d at 46 (“costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased risk of injury’ which forms the basis for Appellants' claims.”); Brit Ins. Holdings N.V. v. Krantz, No. 1:11 CV 948, 2012 WL 28342, at *9 (N.D.Ohio Jan. 5, 2012) (“defendants' expenditure of resources to investigate the ramifications of plaintiffs' disclosure, and to purchase personal credit and identity protection services to protect against future harm, are insufficient to demonstrate that defendants suffered an actual injury-in-fact.”); Giordano v. Wachovia Sec., LLC, Civ No. 06–476, 2006 WL 2177036, at *4 (D.N.J. July 31, 2006) (“Plaintiffs allegations that ... she will incur costs associated with obtaining credit monitoring services in order to prevent identity theft simply does not rise to the level of creating a concrete and particularized injury.”).

In sum, Named Plaintiffs' Complaint does not sufficiently allege that the injury of identity theft, identity fraud, medical fraud, or phishing is certainly impending.Therefore, the increased risk of such injury does not suffice to confer standing. Additionally, they cannot create standing by choosing to make expenditures in order to mitigate a purely speculative harm. Accordingly, neither the increased risk nor the expenses to mitigate that risk constitute an injury-in-fact sufficient to confer standing for Named Plaintiffs' negligence, invasion of privacy, or bailment claims.

b. Loss of Privacy

Named Plaintiffs also allege they suffered an injury-in-fact in the form of a loss of privacy because their PII was disseminated to unauthorized persons. Defendant avers that injury is insufficient to confer Article III standing because Named Plaintiffs failed to allege facts indicating that a loss of privacy actually occurred. Rather, Defendant argues Named Plaintiffs' Complaint merely alleges the Named Plaintiffs may, in the future, suffer a loss of privacy if their PII is misused. Thus, because any loss of privacy depends on the independent actions of third parties, Defendant contends loss of privacy is not “certainly impending.”

The Court agrees with Named Plaintiffs that the loss of privacy is not speculative, conjectural, or hypothetical—they sufficiently alleged their PII was already stolen and disseminated to criminals. Thus, to the extent stolen PII amounts to a loss of privacy, it has been sufficiently plead.

Nonetheless, the next question is whether the loss of privacy, alone, amounts to an injury that is concrete and particularized. “Abstract injury is not enough to demonstrate injury-in-fact. [A p]laintiff must allege that he has sustained or is in immediate danger of sustaining some direct injury as a result of the challenged conduct.” Amburgy, 671 F.Supp.2d 1046 at 1051 (citing O'Shea v. Littleton, 414 U.S. 488, 494, 94 S.Ct. 669, 38 L.Ed.2d 674 (1974)).

The Court finds Named Plaintiffs' standing argument with respect to loss of privacy is unavailing as it is simply a rephrasing of their first argument. Essentially, Named Plaintiffs reargue that the mere exposure of their PII constitutes an injury-in-fact which confers standing. The Court rejects this argument for the same reasons it rejected their “risk of harm” arguments: Named Plaintiffs failed to allege that the loss of privacy has itself resulted in any adverse consequences apart from the speculative injury of increased risk of identity theft, identity fraud, medical fraud, or phishing. A finding that the loss of privacy alone constitutes an injury sufficient to confer standing would contradict the Court's above conclusion that mere exposure of PII is insufficient to confer standing and would mean that any time a plaintiff's PII has been exposed as a result of a data breach, he would have standing to sue—regardless of whether that PII is ever actually misused or the plaintiff ever suffers adverse consequences from the exposure.

Thus, loss of privacy is an insufficient injury to confer standing for Plaintiffs' negligence and bailment claims.

Ohio recognizes a tort for invasion of privacy, however, which imposes liability for the publication of one's private affairs with which the public has no legitimate concern. Henson v. Henson, No. 22772, 2005 WL 3193841, at *3 (Ohio Ct.App. 9th Dist. Nov. 30, 2005). The Court concludes Named Plaintiffs' allegation that their PII was disseminated describes an injury sufficient to confer standing for their state law invasion of privacy claims.

c. Deprivation of Value of PII

Finally, Named Plaintiffs allege there is a cyber black market on which their PII can be sold for profit. They contend they suffered an injury-in-fact in the form of deprivation of the value of their PII. Defendant avers that is not a cognizable injury sufficient for standing. Named Plaintiffs respond that they do not allege diminution of value but rather complete deprivation of value, which is a sufficient injury to confer standing. The Court finds that even if deprivation of value of PII is an injury-in-fact, Named Plaintiffs failed to allege deprivation of value of PII and therefore lack standing.

A few courts have concluded “[p]laintiffs' PII does not have inherent monetary value.” Willingham v. Global Payments, Inc., No. 1:12–CV–1157–RWS, 2013 WL 440702, at *6 (N.D.Ga. Feb. 5, 2013) (citing In re Facebook Privacy Litig., No. C 10–2389, 2011 WL 6176208, at *5 (N.D.Cal. Nov. 22, 2011)); accord In re Google Android Consumer Privacy Litig., No. 11–MD–2264 JSW, 2013 WL 1283236, at *4 (N.D.Cal. Mar. 26, 2013) (“district courts have been reluctant to find standing based solely on a theory that the value of a plaintiffs PII has been diminished.”).

Others hold that even if PII has value, the deprivation of which could confer standing, plaintiffs must allege facts in their Complaint which show they were actually deprived of that value in order to have standing. In re Google Inc. Cookie Placement Consumer Privacy Litig., 988 F.Supp.2d 434, 442, MDL Civ. No. 12–2358, 2013 WL 5582866, at *3 (D.Del. Oct. 9, 2013) (“while plaintiffs have offered some evidence that the online personal information at issue has some modicum of identifiable value to an individual plaintiff, plaintiffs have not sufficiently alleged that the ability to monetize their PII has been diminished or lost by virtue of Google's previous collection of it.”); In re Barnes & Noble Pin Pad Litig., No. 12–cv–8617, 2013 WL 4759588, at *5 (N.D.III. Sept. 3, 2013) (“The Plaintiffs' claim of injury in the form of deprivation of the value of their PII is insufficient to establish standing. Actual injury of this sort is not established unless a plaintiff has the ability to sell his own information and a defendant sold the information.”) (internal citations omitted); Low v. LinkedIn Corp, No. 11–CV–01468, 2011 WL 5509848, at *4–5 (N.D.Cal. Nov. 11, 2011) (finding in a class action complaint alleging personally identifiable browsing history was disclosed to third parties, that an allegation that “personal information has an independent economic value, and that [plaintiff] was not justly compensated for [defendant's] transfer of his personal data to third party data aggregators” was “too abstract and hypothetical to support Article III standing” because plaintiff “failed to allege how he was foreclosed from capitalizing on the value of his personal data or how he was deprived of the economic value of his personal information simply because his unspecified personal information was purportedly collected by a third party.”) (internal quotations and citations omitted); LaCourt v. Specific Media, Inc., No. SACV 10–1256–GW(JCGx), 2011 WL 1661532, at *5 (C.D.Cal. Apr. 28, 2011) (“Defendant aptly notes that the Complaint does not identify a single individual who was foreclosed from entering into a ‘value-for-value exchange’ as a result of Specific Media's alleged conduct.”); In re Google Android Consumer Privacy Litig., 2013 WL 1283236, at *4 (“Plaintiffs also do not allege they attempted to sell their personal information, that they would do so in the future, or that they were foreclosed from entering into a value for value transaction relating to their PII, as a result of [defendant's] conduct.”) (citation omitted); In re iPhone Application Litig., No. 11–MD–2250–LHK, 2011 WL 4403963, at *5 (N.D.Cal. Sept. 20, 2011) (“Plaintiffs have stated general allegations about the [defendants], the market for apps, and similar abstract concepts (e.g., lost opportunity costs, value-for-value exchanges), but Plaintiffs have not identified an actual injury to themselves sufficient for Article III standing.”). Although most of the cases cited above dealt with PII such as browsing history, the requirement that plaintiffs allege facts to make plausible their claim as to deprivation of value of PII applies equally here.

The Court agrees with the reasoning in these cases. Regardless of whether Named Plaintiffs argue the value of their PII has merely diminished or whether they allege complete deprivation of value, they have failed to allege any facts explaining how their PII became less valuable to them (or lost all value) by the data breach. Specifically, Named Plaintiffs allege that stolen PII can be sold on the cyber black market for $14 to $25 per record, Compl. ¶ 5, but fail to allege how the data breach prevents them from selling their PII at that value. Indeed, Named Plaintiffs fail to allege that they could even access that illegal market and sell their PII. For example, neither Named Plaintiff alleges he tried to sell his PII after the data breach but was unable to do so because of the breach or was forced to sell it for less than its full worth. Nor does either Named Plaintiff allege that any third party sold his PII and that Named Plaintiff was deprived of his rightful profit.

Moreover, while Named Plaintiffs argue in their response brief that Defendant's conduct “has stripped them of the ability to choose whether or not to take advantage of the value of their PII,” Resp. 10, ECF No. 26, Named Plaintiffs failed to both allege that injury in the Complaint and to allege facts that would support that assertion.

Thus, even if deprivation of value of PII was an injury sufficient to confer standing, Named Plaintiffs failed to allege facts supporting their assertion that they were deprived of the value of their PII. For that reason, such an injury does not confer standing in this case.

d. Conclusion Regarding Injury–In–Fact

For the above reasons, the Court finds Named Plaintiffs lack standing to bring their FCRA, negligence, and bailment claims because they have not alleged an injury-in-fact. Nonetheless, Named Plaintiffs have alleged an injury-in-fact with respect to their state law invasion of privacy claim.

4. Whether Named Plaintiffs Plead Causal Connection

In addition to arguing Named Plaintiffs cannot demonstrate an injury-in-fact to confer standing, Defendant argues Named Plaintiffs cannot show a causal connection between Defendant's actions and Named Plaintiffs' injury because Named Plaintiffs acknowledged their PII was stolen by unauthorized criminals.

Defendant's argument is unavailing. Named Plaintiffs do not have to show that Defendant is the “proximate cause” of the injury in order to have standing. Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir.2012). Rather, they must show that the injury is “fairly traceable to the challenged action” of the defendant. Clapper, 133 S.Ct. at 1146.

For standing purposes, Named Plaintiffs satisfy this requirement for their invasion of privacy claim. Named Plaintiffs allege the invasion of privacy was caused by both the hacker(s)' breach of Defendant's system and Defendant's failure to safeguard Named Plaintiffs' PII. Compl. ¶ 74, ECF No. 1. Accordingly, the injury is fairly traceable to Defendant's actions. See Lambert, 517 F.3d at 437–38 (finding where thief took PII from the defendant's website and stole the plaintiff's identity, the plaintiff showed injury was fairly traceable to the defendant's action of publishing the PM on its website); Resnick, 693 F.3d at 1324 (allegations that the defendant failed to secure the plaintiffs' PM on laptop which was stolen satisfy “fairly traceable” prong). The Court therefore finds Named Plaintiffs have standing to bring their invasion of privacy claim and turns to whether the allegations in the Complaint state a claim for invasion of privacy via publicity of one's private affairs.

Defendant does not attack the redressability prong, and the Court finds it is met here.

B. Failure to State a Claim

1. Invasion of Privacy

Defendant contends Named Plaintiffs' common law invasion of privacy claim fails because Named Plaintiffs did not allege Defendant publicly disclosed their personal information, that the personal information reached the public at large, or that Defendant intentionally publicized the information.

The first issue is which law governs Named Plaintiffs' invasion of privacy claims. Federal courts sitting in diversity must apply the choice-of-law rules of the forum state. Miami Valley Mobile Health Services, Inc. v. ExamOne Worldwide, Inc., 852 F.Supp.2d 925, 931 (S.D.Ohio 2012). Accordingly, the Court applies Ohio's choice of law rules.

Defendant avers that under Ohio's choice of law rules, there are three possible jurisdictions whose laws could apply to Named Plaintiffs' invasion of privacy claim—Kansas, Minnesota, or Ohio. Mot. Dismiss 17, ECF No. 21. Named Plaintiffs do not address Defendant's choice of law analysis and presume Ohio's law applies. Resp. 27, ECF No. 26. As Kansas, Minnesota, and Ohio each require publicity of a private fact in order to state a claim for invasion of privacy, it is unnecessary to determine at this juncture which state's law applies. Dotson v. McLaughlin, 216 Kan. 201, 207–08, 531 P.2d 1 (Kan.1975) (adopting Restatement (Second) of Torts § 652(D)); Lake v. Wal–Mart Stores, Inc., 582 N.W.2d 231, 233, 235 (Minn.1998) (quoting Restatement (Second) of Torts § 652D and recognizing tort for publication of private facts); Greenwood v. Taft, Stettinius & Hollister, 105 Ohio App.3d 295, 303, 663 N.E.2d 1030 (Ohio Ct.App. 1st Dist.1995) (citing Restatement (Second) of TortsSS § 652D).

Publicity “means that the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge....” Restatement (Second) of TortsSS § 652D, comment a); Zhu v. St. Francis Health Ctr., –––Kan.App.2d ––––, 150 P.3d 926, at *5 (Kan.Ct.App. Feb. 2, 2007); Bodah v. Lakeville Motor Express, Inc., 663 N.W.2d 550, 557–58 (Minn.2003) (holding that dissemination of 204 employees' names and social security numbers to sixteen managers in six states does not constitute “publication” for invasion of privacy claim); Berry v. Cahoon, No. 3:10–cv–81, 2012 WL 569039, at *11 (S.D.Oh. Feb. 22, 2012).

Defendant argues Named Plaintiffs fail to allege that Defendant disclosed Named Plaintiffs' PII because the Complaint acknowledges that the PII was stolen from Defendant. Thus, Defendant argues, the Complaint acknowledges that Defendant took no action to publicize the PII. Additionally, Defendant argues that even if the Complaint contains an allegation that Defendant disclosed Named Plaintiffs' private matters, the Complaint does not allege the PII reached the public at large or was substantially certain to become public knowledge.

Named Plaintiffs respond first that the tort of invasion of privacy by intrusion into seclusion does not require damages, an argument which is irrelevant given Named Plaintiffs bring a cause of action for invasion of privacy by publication of private facts. Next, they argue that the tort of publication of private facts does not require publication to the public at large. They contend the inquiry focuses on the type of information being disclosed rather than the number of individuals to whom the information was disclosed, citing Prince v. St. Francis–St. George Hosp., Inc., 20 Ohio App.3d 4, 484 N.E.2d 265, 267–68 (Ohio Ct.App. 1st Dist.1985).

Defendant's argument is well-taken. First, there is no allegation in the Complaint that Defendant disclosed Named Plaintiffs' private affairs. While the Complaint alleges Defendant disseminated Named Plaintiffs' PII, that allegation is conclusory. There are no factual allegations in the Complaint to make plausible the allegation that Defendant disseminated Named Plaintiffs' PII. Rather, the Complaint alleges the PII was stolen from Defendant, not that Defendant disseminated it to anyone. Compl. ¶ 14, ECF No. 1.

Second, even if the Complaint sufficiently alleged dissemination, the Complaint fails to allege publicity. The tort of invasion of privacy by publication of private facts includes as an element publicity to the public at large or to so many persons that the information is certain to become public knowledge. See, e.g.,Restatement (second) of Torts § 652D, comment a; Yoder v. Ingersoll–Rand Co., 172 F.3d 51, at *2–3 (6th Cir. Dec. 22, 1998) (three people not enough to qualify as “public at large.”); Mushkat v. Pickawillany Condo. Unit Owners' Ass'n, No. 80AP–765, 1981 WL 3125, at *3 (Ohio Ct.App. 10th Dist. Apr. 14, 1981); Zhu, 150 P.3d 926, at *5; Bodah, 663 N.W.2d at 557–58.

The case Named Plaintiffs cite, Prince v. St. Francis–St. George Hosp., Inc., found a genuine issue of material fact as to whether there was publication of private information where a doctor mailed a health insurance claim form containing a diagnosis of alcoholism to a co-worker of the patient's husband. 20 Ohio App.3d 4, 484 N.E.2d 265, 267–68 (Ohio Ct.App. 1st Dist.1985). The court was silent as to whether the disclosure satisfied the requirement that information be publicized to the public at large or to so many people that the information is certain to become public knowledge, and to that end, it sheds no light on whether the tort includes that requirement. For that reason, the Court finds it unpersuasive.

The Complaint fails to allege publicity. It alleges the PII is in the hands of the hacker(s), not the general public. Specifically, the Complaint alleges that “the criminal(s) and/or their customers now have Plaintiff's and the other Class Members' compromised PII.” Compl. ¶ 19, ECF No. 1. The Complaint thus fails to allege how many hackers ever had the PII and whether the hacker(s) sold the PII to anyone, let alone to how many people the hacker(s) sold the PII. Therefore, the allegation that the data breach “resulted in the theft and wrongful dissemination of Plaintiff's and the other Class Members' PII into the public domain,” Id. at ¶ 55, is conclusory in that Named Plaintiffs allege no facts to make plausible the assertion that Named Plaintiffs' PII is in the public domain. While the Complaint alleges Named Plaintiffs face an increased risk the hackers will sell their PII and that it will become a matter of public knowledge, there is no allegation that that has yet occurred. Moreover, if the hacker(s) sell Named Plaintiffs' PII or otherwise disseminate it into the public domain, it would not be Defendant who “publicized” Named Plaintiffs PII.

As such, the Complaint fails to allege their PII has been disclosed by Defendant, let alone that Defendant “publicized” their PII to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge. The Court therefore grants Defendant's motion to dismiss Named Plaintiffs' invasion of privacy claim for failure to state a claim.

IV. CONCLUSION

For the foregoing reasons, the Court GRANTS Defendant's motion to dismiss, ECF No. 21. The Court dismisses Named Plaintiffs' FCRA, negligence, and bailment claims for lack of jurisdiction. The Court dismisses Named Plaintiffs' invasion of privacy claim with prejudice under Rule 12(b)(6) for failure to state a claim.

Defendant's objections to the Magistrate Judge's Order on its motion to stay discovery, ECF No. 35, are dismissed as moot. The Clerk shall terminate these cases.

IT IS SO ORDERED.


Summaries of

Galaria v. Nationwide Mut. Ins. Co.

United States District Court, S.D. Ohio, Eastern Division.
Feb 10, 2014
998 F. Supp. 2d 646 (S.D. Ohio 2014)

finding no standing even though personal information was stolen from an insurance company's computer network and was actually disseminated

Summary of this case from Khan v. Children's Nat'l Health Sys.

finding no standing where plaintiffs alleged their personal information was stolen and disseminated but did not allege that their data had been misused

Summary of this case from In re Zappos.Com, Inc.

finding that the reasoning in Clapper “seems to preclude the Ninth Circuit's even lower ‘not merely speculative’ standard for injury-in-fact” articulated in Krottner

Summary of this case from In re Zappos.Com, Inc.

determining that injury from theft of personally identifiable information such as names and social security numbers was speculative at best

Summary of this case from Nat'l Union Fire Ins. Co. v. Tyco Integrated Sec., LLC

rejecting a similar argument because the named plaintiffs failed to allege that the data security breach actually prevented them from selling their information at the price they claimed the data was worth

Summary of this case from In re Capital One Consumer Data Sec. Breach Litig.

rejecting the argument that "the loss of privacy alone" was a cognizable injury

Summary of this case from Perlin v. Time Inc.

rejecting a similar argument because the named plaintiffs failed to allege that the data security breach actually prevented them from selling their information at the price they claimed the data was worth

Summary of this case from In re Zappos.Com, Inc.

Rejecting standing because, "[e]ven though Named Plaintiffs allege a third party or parties have their [personal information], whether Named Plaintiffs will become victims of theft or fraud or phishing is entirely contingent on what, if anything, the third party criminals do with that information."

Summary of this case from In re Horizon Healthcare Servs. Inc.

dismissing an argument that the value of the plaintiffs' PII diminished where they “failed to allege any facts explaining how their PII became less valuable to them (or lost all value) by the data breach”

Summary of this case from Whalen v. Michael Stores Inc.
Case details for

Galaria v. Nationwide Mut. Ins. Co.

Case Details

Full title:Mohammad S. GALARIA, individually and on behalf of all others similarly…

Court:United States District Court, S.D. Ohio, Eastern Division.

Date published: Feb 10, 2014

Citations

998 F. Supp. 2d 646 (S.D. Ohio 2014)

Citing Cases

In re Zappos.Com, Inc.

Even assuming that Plaintiffs' data has value on the black market, Plaintiffs do not allege any facts…

In re SuperValu, Inc.

We agree with the holdings in those cases.") (internal citations omitted); In re Zappos.com, Inc. Customer…