At this point in the development of data breach litigation, it is clear that plaintiffs may be on a sinking ship when they try to establish liability and damages against defendants. In order to meet their burden, a plaintiff must show they suffered a concrete injury from a data breach and that they were injured by that particular data breach and not another unrelated incident involving their personal information. Consequently, the potential causes of action available to data breach plaintiffs seem to decrease with each new decision.

The October 31, 2017 decision of the District Court for the Southern District of Ohio provides another example of a court limiting plaintiffs’ chances of recovery after a data breach and dismissing their claims via a motion to dismiss. The plaintiffs in Galaria v. Nationwide Mut. Ins. Co., 13-cv-257, 2017 WL 4918634 (Oct. 31, 2017 S.D. Ohio), filed an action in the District Court for the Southern District of Ohio when they learned in November of 2012 that Nationwide breached personally identifiable data provided in insurance applications. In August 2017, the District Court issued an order dismissing all plaintiffs’ claims with the exception of a bailment claim. (The Privacy Risk Report has addressed the dismissal of Plaintiffs’ other claims here).

In order to establish a viable implied bailment claim, the plaintiffs in Galaria were required to show they delivered their personal information to Nationwide “for the specific purpose” that the “property ‘shall be returned or accounted for when this special purpose is accomplished or retained until the bailor reclaims the property.’” That is, Nationwide’s liability hinged on whether the property was returned undamaged.

Prior to getting into its analysis, the District Court reviewed the reasoning of other courts on this issue:

“A number of courts across the country have considered bailment claims in the context of data security breaches and concluded that the scenario in which a person provides personally identifiable information to a business and the information is stolen does not give rise to a bailment liability.”


Applying the law of various states, those courts have concluded that a person in that scenario has not transferred possession of the data with “the expectation that the recipient will return the data and does not base any claim for damages on the recipient’s unlawful retention of the data.”

In applying this reasoning found in a number of data breach cases including In re Target Data Security Breach Litig., 66 F. Supp. 3d 1154, 1177 (D. Minn. 2014) and In re Sony Gaming Networks and Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal. 2012), the District Court found “[i]ntangible property, including personally identifiable data, may or may not constitute the sort of personal property that may be bailed.” However, the District Court did not have to address this question “because Plaintiffs have not alleged that they transferred control or custody of their personal identifiers to Defendant with the expectation that Defendant would hold them for some purpose and then return them undamaged to Plaintiffs.”   Here, the Plaintiffs never relinquished custody or control over the data. (“They retained their personal identifiers and continued to use them throughout the period of the alleged bailment.”) The Plaintiffs’ bailment claim failed since plaintiffs did not allege “that they expected Defendant to return the data because they were never without their personal identifiers.”

The District Court’s analysis illustrates the struggle data breach plaintiffs face to establish viable causes of action. Even if they demonstrate they have standing to bring suit against a data collector, plaintiffs still must address the fact that their data is intangible and, therefore, may not be subject to laws protecting tangible property. Further, while many states have laws protecting data, most privacy laws do not create a private cause of action to recover after a breach.

It is important to remember these cases, which may be used to limit liability, do not support a decision to pass on cyber insurance.  The costs of defending these cases more than justify the cost of cyber insurance.  There is more at stake than third-party liability in most data breach incidents.  Therefore, the costs of dealing with a cyber incident more than justify paying the premium and deductible of a cyber insurance policy.
