I had noted the Galaria opinion and order over on databreaches.net, but Judy Selby has a discussion of the ruling in terms of the impact of the Supreme Court’s ruling in Clapper that is worth noting here:
Article III standing has once again proved to be an insurmountable hurdle for data breach class action plaintiffs whose personal information hasn’t been misused. In Galaria v. Nationwide Mutual Insurance Co., an Ohio federal court relied on the United States Supreme Court’s decision in Clapper v. Amnesty Intern. USA, 133 S.Ct. 1138 (2013), and held that the plaintiffs did not sustain an injury sufficient to confer standing to sue Nationwide following a 2012 hacking incident during which their personally identifying information (PII) was stolen.
The plaintiffs alleged that as a result of the breach, they incurred and will continue to incur damages consisting of (1) the imminent, immediate, and continuing increased risk of identity theft, identity fraud and/or medical fraud; (2) out-of-pocket expenses to purchase credit monitoring, internet monitoring, identity theft insurance and/or data breach risk mitigation products; (3) out-of-pocket expenses incurred to mitigate the increased risk of identity theft, identity fraud and/or medical fraud, including the costs of placing and removing credit freezes; (4) the value of time spent mitigating the increased risk of identity theft, identity fraud and/or medical fraud; (5) the substantially increased risk of being victimized by phishing; (6) loss of privacy; and (7) deprivation of the value of their PII. The court grouped those alleged damages into three categories: (1) increased risk of harm/cost to mitigate increased risk; (2) loss of privacy; and (3) deprivation of value of PII. The plaintiffs asserted claims for violation of the Fair Credit Reporting Act (FCRA), negligence, invasion of privacy and bailment, but they did not allege that their PII was misused or that their identity was stolen. Nationwide moved to dismiss the complaint based on lack of standing and failure to state a claim.
Read more on Data Privacy Monitor.