In October 2012, hackers stole the personally identifiable information of Nationwide Mutual Insurance Company’s customers. In the wake of the theft, two putative class action lawsuits were filed against Nationwide Mutual in the Southern District of Ohio, alleging violations of the Fair Credit Reporting Act (“FCRA”), negligence, invasion of privacy, and bailment. The plaintiffs alleged that the class consisted of approximately 1.1 million people who were affected by the data breach after purchasing insurance or seeking insurance quotes from Nationwide Mutual. Plaintiffs did not, however, allege that their personal information was actually misused. Nationwide Mutual moved to dismiss both complaints, relying primarily on standing arguments. The district court granted Nationwide Mutual’ s motion to dismiss the negligence and bailment claims for lack of standing, holding that the plaintiffs did not allege that they suffered cognizable injury as a result of the data breach. Plaintiffs alleged three theories of injury: (1) Plaintiffs faced an increased risk of identity theft; (2) Plaintiffs spent money to mitigate the risk of identity theft; and (3) Plaintiff’s had been deprived of the value of their personal information. The court rejected plaintiffs’ arguments in light of the Supreme Court’s decision in Clapper v. Amnesty International, in which the Supreme Court held that a “theory of future injury is too speculative to satisfy the well-established requirement that threatened injury must be ‘certainly impending.’” Applying Clapper to the data breach fact pattern, the district court held the risk of identity theft is not “certainly impending” because its occurrence depends on the decisions of independent actors. The district court also relied on Clapper to reject plaintiffs’ attempt to “create standing” by choosing to make expenditures to mitigate their risk of harm. The district court also dismissed the FCRA claim for lack of standing, because plaintiffs had not alleged an actual violation of the statute or an injury resulting from that violation. The court did hold that plaintiffs had standing to allege their invasion of privacy claim, but ultimately held that plaintiffs had not sufficiently stated that claim because they failed to allege that Nationwide Mutual had disseminated their personal information. Rather, plaintiffs alleged that the personal information had been stolen from Nationwide Mutual, therefore the Ohio invasion of privacy statute, which requires actions by the defendant to disseminate the information, had not been triggered.

Tip: This case demonstrates that plaintiffs lawyers are becoming increasingly creative in attempting to formulate viable claims in an effort to certify large classes of individuals whose personal information was taken in a data breach.