Some plaintiffs trying to bring a class action suit against Nationwide Insurance for an alleged data breach ran into a problem with standing which resulted in the dismissal of their case. The Ohio federal court concluded that the plaintiffs failed to allege an “injury in fact” and for that reason, lacked standing to pursue the case.
“Standing” is a legal term that encompasses a fairly simple concept – a party has to have a genuine claim before it can initiate a lawsuit. One element of a genuine claim is actual injury. A plaintiff has to be able to make a legitimate claim that the defendant either harmed the plaintiff or that the harm is imminent. The plaintiffs in the Nationwide case couldn’t meet that burden.
The case originated on October 23, 2012 (my birthday – mark your calendars) when thieves hacked into the Nationwide system and stole personally identifiable information (PII) from a number of Nationwide customers. On November 16, Nationwide notified the affected customers and advised them to take steps to monitor their credit reports and bank statements. Nationwide also offered the affected customers one year of free credit monitoring and identity theft protection from the Equifax company.
The class action plaintiffs apparently didn’t think that was enough. They filed the suit asking the court to certify a class of similarly situated Nationwide customers. According to the plaintiffs, Nationwide’s failure to guard the data put them at increased risk of identity theft, fraud and “phishing.” They claimed that at some point they could need to spend money to mitigate those risks.
But in the court’s view, an “increased risk of harm” is not the same thing as “harm.” The plaintiffs did not allege that they were actually victims of any identity theft, fraud or “phishing.” And that meant no injury in fact.
The plaintiffs may have hurt themselves with their own evidence. They cited a study that said consumers who receive a data breach notification had a fraud incidence rate of 19% in 2011. And that kind of backfired on them. According to the court, an injury can hardly be considered “imminent” when there’s only a 20% chance of it happening. There’s a reason why we don’t count on .200 hitters to get the clutch hit. Same basic analysis here.
The standing requirement makes all the sense in the world, but in the case of a data breach it is a little troubling. The concern one feels upon receiving a breach notification is genuine. And it must be frustrating to feel that there’s no legal remedy. But rules are rules.