A new entry in a lawsuit against Nationwide Mutual relating to the insurer’s 2012 data breach questions whether a lower court misread a U.S. Supreme Court’s ruling governing standing for claims of potential future harm and could signal a new challenge to dismissals of data breach class actions.
A plaintiff in the failed class action against Nationwide, Mohammad Galaria, argued that the complaint against the insurer should not have been dismissed, since the plaintiffs in the case may have experienced identity theft and/or fraudulent charges for “years to come” based on “Nationwide’s failure to implement reasonable security measures” and should have been granted Article III standing.
Nationwide, according to court documents, discovered the data breach in 2012 and notified customers of the risk that their personally identifiable information had been stolen and offered guidance for monitoring their credit reports, as well as a year of free credit monitoring and identity theft protection.
One year is not enough for monitoring or to determine standing for claims of harm, according to the plaintiff.
“In January 2014, Galaria discovered that the increased risk created by the data breach was realized. When reviewing his credit report, he discovered three unauthorized attempts to open credit cards in his name,” noted the complaint. “He was subsequently informed by the concerned credit card companies that the fraudulent applications were made using his name, Social Security number, and data of birth—information stolen by criminals in the data breach.”
Galaria had filed a class action complaint in Ohio district court. Another was filed in a Kansas district court, with both alleging causes of action against Nationwide for willful violation of the federal Fair Credit Reporting Act, negligent violation of FCRA, negligence, invasion of privacy, and bailment. The two cases were consolidated in Ohio and then were denied, based on the court’s determination that the “real, immediate, and significant risk of identity theft” did not constitute a claim for the plaintiffs.
The court based its denial on the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA, (133 S. Ct. 1138 (2013)). The plaintiffs now allege that
“The district court concluded that Clapper changed the law regarding Article III standing requirements and, as a result, was dismissive of a litany of data breach cases decided pre-Clapper similar to this matter finding the requirements of standing satisfied,” the complaint read.
Clapper does not apply in the case of the data breach, according to the plaintiff. The complaint instead pointed to another case, Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) that was decided after Clapper and that noted, “The injury-in-fact requirement is satisfied if threatened injury is certainly impending, or there is a substantial risk that the harm will occur.”
The plaintiff added, “Here, the risk that plaintiffs’ private information will be misused by the criminals who hacked into Nationwide’s computer system and stole such information in violation of federal, state, and likely international law is ‘immediate and very real’ —not attenuated and speculative as in Clapper.”
The plaintiffs also note that the fact that organizations offer identity theft protection to data breach victims indicates that they recognize that the harm is neither speculative nor easily disregarded.
