On Monday, a federal district court dismissed two related putative class action suits filed against Nationwide Mutual Insurance Company following a data breach at Nationwide in October 2012 that affected over 1 million individuals. The opinion shows that courts remain skeptical of plaintiffs’ ability to show any real injury from the fact that their personally identifiable information (“PII”) was compromised without some additional evidence of concrete harm such as identity fraud. The opinion also sheds important light on the ability of plaintiffs to overcome this standing barrier by alleging that their injury derives from the violation of a federal statute.
The court rejected the plaintiffs’ argument that their increased risk of becoming victims of fraud, identity theft, or phishing at some point in the future was sufficient to constitute “injury-in-fact.” Relying on the Supreme Court’s decision last year in Clapper v. Amnesty International USA, the court found that plaintiffs’ theory of future harm failed to meet the standing requirement that the threatened injury be “certainly impending.” In a statement with important implications for data breach claimants, the court found that “the speculative nature of the injury is further evidenced by the fact that its occurrence will depend on the decisions of independent actors,” specifically those unidentified persons who might misuse the plaintiffs’ PII. The court cited prior decisions “rejecting risk of harm as an injury in fact in the context of data breaches,” and found unpersuasive contrary authority that preceded Clapper.
The court similarly rejected plaintiffs’ argument that cognizable injury resulted from the costs they incurred in attempting to mitigate the increased risk of identity fraud through credit monitoring and the like, characterizing the argument as an attempt to “manufacture” standing based on mitigation of a hypothetical future harm. The court also rejected plaintiffs’ argument that they lost the value of their PII when they failed to plead how the value of that information had been diminished.
The inability to establish standing not only undermined most of the plaintiffs’ common law causes of action, but it also derailed their claims under the Fair Credit Report Act (FCRA). Plaintiffs alleged that Nationwide violated section 1681(b) of FCRA, which sets forth the statutory purpose as requiring consumer reporting agencies to adopt certain procedures for handling information “in accordance with the requirement of th[e] subchapter.” The court found such allegation insufficient to demonstrate standing because plaintiffs never asserted that Nationwide transgressed any particular requirement of FRCA. “To hold otherwise,” the court explained, would confer standing “on any plaintiff who alleges a defendant violated the purpose of a statute regardless of whether the defendant took or failed to take an action the statute prohibited or required.”
This finding has important implications for plaintiffs seeking to plead sufficient injury under Article III. Simply alleging that conduct ran afoul of a statute’s purpose is not enough; a plaintiff must show that defendant transgressed a specific statutory provision the violation of which constitutes a cognizable injury. It remains to be seen whether plaintiffs will be successful in asserting such an injury in future data breach suits.