Since we reviewed the issue of identity theft almost a year ago (Good News for Defendants in Data Privacy Litigation, March 13, 2013), there has been a steady flow of activity in the area, and number of noteworthy security breaches have occurred. The hackings at Target and Neiman Marcus resulted in the theft of tens of millions of customers’ PII (personal identification information.) Class action litigation has commenced against Target in several jurisdictions.
In addition, an opinion was rendered that lowers the bar for plaintiffs seeking to defeat a motion to dismiss their data privacy claims. That decision came from the MDL Tribunal in Nevada, in the case of In re Zappos.com, Customer Data Security Breach Litigation. In Zappos, the plaintiffs alleged only negligent loss of their personal identification information and that they had “actual harm” in the form of money spent on fraud prevention and credit monitoring. The Court found that the plaintiffs did indeed have standing to bring the claim because they alleged that they had to pay money to monitor their credit scores and secure their financial information due to the “increased risk” of criminal fraud against them occasioned by the defendant’s negligence.
As stated in last year’s article, a string of decisions had held that this type of alleged harm does not rise to the level of actionable harm, and therefore dismissal is warranted for lack of standing and/or failure to state a claim. So Zappos and couple of its predecessors (Claridge v Rock You, 785 F. Supp. 2d 855; and Resnick v AvMed, 693 F.3d 1317) implied a trend toward easier pleading for plaintiffs.
The good news, however, is that just two weeks ago the District Court in Ohio corrected the course and reaffirmed that an alleged increase in “risk of future injury” is not sufficient to withstand a motion to dismiss. The Court further held that mitigation costs such as credit monitoring expenses are not compensable and therefore will not support a claim of actual harm.
In Mohammad S. Galaria, on Behalf of all Other Similarly Situated v. Nationwide Mutual Insurance Co., the U.S. District Court for the Southern District of Ohio, Eastern Division, granted Defendant’s motion to dismiss on the basis of lack of standing and failure to state a claim. The case was brought by class members who gave their PII in the course of purchasing insurance products. Plaintiffs were notified that thieves had hacked into a portion of defendant’s computer network and that their PII was stolen and disseminated. Nationwide offered plaintiffs one year of free credit monitoring and identity theft protection. It suggested that plaintiffs take steps to safeguard their PII, including closely monitoring their credit reports and bank statements.
Plaintiffs did not allege that their PII actually had been misused; rather they followed the line of allegations in prior cases that the theft caused them an “increased risk” of being victimized.
That the Ohio Court dismissed the action is reassuring to businesses that use PII. The opinion provides additional support for the premise that the cost of credit monitoring and other preventive measures alone are not actual harm. Nationwide thus adds to the arsenal of other similar cases.