Federal Court Dismisses California Cybersecurity Litigation Concerning Alleged Disclosure of Information in Website Hack
This month a federal court dismissed a data event litigation concerning claims raised under the federal Drivers’ Privacy Protection Act (“DPPA”), 18 U.S.C. Section 2724, and California statutory and common law. The decision reiterates that plaintiffs in data event litigations who allege they are merely at future risk of speculative injury continue to face an uphill battle in establishing Article III standing—a prerequisite for a federal court to have subject matter jurisdiction to hear a case or controversy. Greenstein v. Noblr Reciprocal Exch., 2022 U.S. Dist. LEXIS 30228 (N.D. Cal. Feb. 14, 2022). Read on to learn more and what the case means for other data event litigations.
First, the facts. Noblr is an insurance company that provides online insurance quotes to individuals. To generate an instant quote on Noblr’s platform, the user submits certain personal data and Noblr matches that data with “related information automatically pulled from a third-party” to generate a quote. Plaintiffs alleged that they received a letter from Noblr in May 2021 that stated Plaintiffs’ personal information (“PI”) could have been compromised (the “Notice”). The Notice provided information regarding a data event (the “Data Event”) in which, starting on January 21, 2021, Noblr’s web team noticed “unusual quote activity” on its webpage and commenced an internal investigation. The investigation discovered that the hackers had submitted multiple names and birth dates into the Noblr system during the instant quote process and in the final policy application to access Plaintiffs’ driver’s license numbers. The Notice stated that these driver’s license numbers were “inadvertently included in the page source code.” The Notice stated that the “name, driver’s license number, and address” of each Plaintiff may have been accessed by the attackers.
Plaintiffs filed suit, raising claims for (1) violations of the DPPA; (2) negligence; (3) violation of California’s Unfair Competition Law, California Business & Professions Code section 17200, et seq. (“UCL”); and (4) declaratory and injunctive relief. As a result of the Data Event, Plaintiffs alleged that they and the Class Members face an imminent threat of future harm in the form of identity theft and fraud. As in many other data event litigations, Plaintiffs also asserted that “PI of consumers remains of high value to criminals.” Plaintiffs also argued that their stolen driver’s license numbers are highly sensitive PI and claimed that they incurred injury from increased effort and time spent monitoring their credit reports. One named Plaintiff additionally claimed that her PI “was fraudulently used to apply for unemployment benefits” in New York and that she purchased additional credit monitoring.
As a reminder, any party wishing to sue in federal court must have Article III standing, which requires that a plaintiff is able to demonstrate: (1) an injury in fact; (2) the injury was caused by defendant’s conduct; and (3) the injury can likely be redressed by a favorable judicial decision. An injury-in-fact sufficient for purposes of Article III standing must be “concrete and particularized.” Id. at 1548 (emphasis in original).
In a class action, standing exists where at least one named plaintiff meets these requirements. To demonstrate standing, the “named plaintiffs who represent a class must allege and show they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” (quotation omitted). At least one named plaintiff must have standing with respect to each claim that the class representatives seek to bring.
Moreover, in the context of requests for injunctive relief, the standing inquiry requires plaintiffs to “demonstrate that [they have] suffered or [are] threatened with a ‘concrete and particularized’ legal harm, coupled with a ‘sufficient likelihood that [they] will again be wronged in a similar way.’” (quotation omitted). This requires that the plaintiff face a “real and immediate threat of repeated injury” that is “certainly impending” to constitute an injury in fact for injunctive relief purposes. (quotation omitted).
Defendant moved to dismiss the case for lack of standing. The Court, upon considering relevant Ninth Circuit case law and other federal precedent, ultimately agreed and dismissed the Complaint. In making this determination, the Court first noted that in the Ninth Circuit, courts have distinguished the risk of harm to individuals from a data event based upon the types of information disclosed. In the case of driver’s license numbers, other federal courts have held that “driver’s license numbers do not provide hackers with a clear ability to commit fraud” and are considered not as sensitive as other categories of information and data.
And in any event, the Court held, Plaintiffs did not present a credible claim for being at future risk of identity theft. This was because, the Court reasoned, “Plaintiffs only allege that Noblr exposed the names, addresses, and driver’s license numbers of the Class Members,” which is “insufficient to open a new account in Plaintiffs’ names or to gain access to personal accounts likely to have more sensitive information.” While one named Plaintiff had alleged that a fraudulent unemployment benefit claim was submitted under her name, the Court commented that this Plaintiff “fail[ed] to demonstrate whether the application was successful or harmed her in any way,” and also had not explained why the additional purchase of credit monitoring services was necessary.
Finally, although Plaintiffs also sought to establish Article III standing by asserting that their PI had lost value, the Court noted that “to successfully demonstrate injury in fact by diminution in value of PI, Plaintiffs must ‘establish both the existence of a market for her personal information and an impairment of her ability to participate in that market.’” On this basis as well the Complaint failed. The Court explained that:
Plaintiffs cannot rely on a loss of privacy to demonstrate diminution in value. Although Plaintiffs rely on news sources that warn of the danger of driver’s license numbers on the dark web, Plaintiffs do not show how the [Data Event] caused their names, addresses, and driver’s license numbers to be less valuable than before the breach. Moreover, Plaintiffs do not allege they had plans to sell their names, addresses, or driver’s license numbers. The [Data Event] does not prevent Plaintiffs from selling such information in the future. While Plaintiffs claim that a market exists for driver’s license numbers and other sensitive information on the “dark web,” markets for individual data generally value more sensitive and important data than limited information such as names and driver’s license numbers. Plaintiffs’ PI has suffered no tangible, monetary, or property loss. As a result, Plaintiffs’ allegations of diminished value of personal information are insufficient to establish injury for Article III purposes.
(emphasis supplied) (citations omitted). On this reasoning, the Court held that the Complaint had to be dismissed for Plaintiffs’ failure to establish Article III standing. However, the Court granted the Plaintiffs another chance to overcome the deficiencies highlighted in its ruling with leave to amend. Of course, whether Plaintiffs are able to establish standing with an amended complaint remains to be seen. Not to worry, CPW will be there to keep you in the loop.