Published on February 25th, 2022 📆 | 2306 Views ⚑
0Cybersecurity Litigation Concerning Alleged Disclosure of Information Dismissed
This month a federal court dismissed a data event litigation pending in federal court concerning claims raised under the federal Driversâ Privacy Protection Act (âDPPAâ), 18 U.S.C. Section 2724, and California statutory and common law. The decision reiterates that plaintiffs in data event litigations who allege they are merely at future risk of speculative injury continue to face an uphill battle in establishing Article III standingâa prerequisite for a federal court to have subject matter jurisdiction to hear a case or controversy.  Greenstein v. Noblr Reciprocal Exch., 2022 U.S. Dist. LEXIS 30228 (N.D. Cal. Feb. 14, 2022). Read on to learn more and what the case means for other data event litigations.
First, the facts. Noblr is an insurance company that provides online insurance quotes to individuals. To generate an instant quote on Noblrâs platform, the user submits certain personal and Noblr matches that data with ârelated information automatically pulled from a third-partyâ to generate a quote. Plaintiffs alleged that they received a letter from Noblr in May 2021 that stated Plaintiffs personal information (âPIâ) could have been compromised (the âNoticeâ). The Notice providing information regarding a data event (the âData Eventâ) where starting on January 21, 2021, Noblrâs web team noticed âunusual quote activityâ on its webpage and commenced an internal investigation.  The investigation discovered that the hackers had submitted multiple names and birth dates into the Noblr system during the instant quote process and in the final policy application to access Plaintiffsâ driverâs license numbers.  The Notice stated that these driverâs license numbers were âinadvertently included in the page source code.â The Notice stated that the âname, driverâs license number, and addressâ of each Plaintiff may have been accessed by the attackers.â
Plaintiffs filed suit, raising claims for (1) violations of the DPPA; (2) negligence; (3) violation of Californiaâs Unfair Competition Law, California Business & Professions Code section 17200, et seq. (âUCLâ); and (4) declaratory and injunctive relief. As a result of the Data Event, Plaintiffs alleged that they and the Class Members face an imminent threat of future harm in the form of identity theft and fraud.  As in many other data event litigations, Plaintiffs also asserted that âPI of consumers remains of high value to criminals.â  Plaintiffs also argued that their stolen driverâs license numbers are highly sensitive PI and claimed that they incurred injury from increased effort and time spent monitoring their credit reports. One named Plaintiff additionally claimed that her PI âwas fraudulently used to apply for unemployment benefitsâ in New York and that she purchased additional credit monitoring.
As a reminder, any party wishing to sue in federal court must have Article III standing, which requires that a plaintiff is able to demonstrate: (1) an injury in fact; (2) the injury was caused by defendantâs conduct; and (3) the injury can likely be redressed by a favorable judicial decision.  An injury-in-fact sufficient for purposes of Article III standing must be âconcrete and particularized.â Id. at 1548 (emphasis in original).
In a class action, standing exists where at least one named plaintiff meets these requirements.  To demonstrate standing, the ânamed plaintiffs who represent a class must allege and show they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.â (quotation omitted).  At least one named plaintiff must have standing with respect to each claim that the class representatives seek to bring.
Moreover, in the context of requests for injunctive relief, the standing inquiry requires plaintiffs to âdemonstrate that [they have] suffered or [are] threatened with a âconcrete and particularizedâ legal harm, coupled with a âsufficient likelihood that [they] will again be wronged in a similar way.ââ  (quotation omitted). This requires the plaintiff has a âreal and immediate threat of repeated injuryâ that is âcertainly impendingâ to constitute an injury in fact for injunctive relief purposes. (quotation omitted).
Defendant moved to dismiss the case for lack of standing. The Court, upon considering relevant Ninth Circuit case law and other federal precedent, ultimately agreed and dismissed the Complaint. In making this determination, the Court first noted that in the Ninth Circuit courts have distinguished the risk of harm to individuals from a data event based upon the types of information disclosed. In the case of driverâs license numbers, other federal courts have held that âdriverâs license numbers do not provide hackers with a clear ability to commit fraudâ and are considered not as sensitive as other categories of information and data.
And in any event, the Court held, Plaintiffs did not present a credible claim for being at future risk of identity theft. This was because, the Court reasoned, âPlaintiffs only allege that Noblr exposed the names, addresses, and driverâs license numbers of the Class Members,â which is âinsufficient to open a new account in Plaintiffsâ names or to gain access to personal accounts likely to have more sensitive information.â While one named Plaintiff had alleged that a fraudulent unemployment benefit claim was submitted under her name, the Court commented that this Plaintiff âfail[ed] to demonstrate whether the application was successful or harmed her in any way,â and also had not explained why the additional purchase of credit monitoring services was necessary.
Finally, although Plaintiffs also sought to establish Article III standing by asserting that their PI had lost value, the Court noted that âto successfully demonstrate injury in fact by diminution in value of PI, Plaintiffs must âestablish both the existence of a market for her personal information and an impairment of her ability to participate in that market.ââ On this basis as well the Complaint failed. The Court explained that:
Plaintiffs cannot rely on a loss of privacy to demonstrate diminution in value. Although Plaintiffs rely on news sources that warn of the danger of driverâs license numbers on the dark web, Plaintiffs do not show how the [Data Event] caused their names, addresses, and driverâs license numbers to be less valuable than before the breach.  Moreover, Plaintiffs do not allege they had plans to sell their names, addresses, or driverâs license numbers. The [Data Event] does not prevent Plaintiffs from selling such information in the future.  While Plaintiffs claim that a market exists for driverâs license numbers and other sensitive information on the âdark web,â markets for individual data generally value more sensitive and important data than limited information such as names and driverâs license numbers. Plaintiffsâ PI has suffered no tangible, monetary, or property loss.  As a result, Plaintiffsâ allegations of diminished value of personal information are insufficient to establish injury for Article III purposes.
(emphasis supplied) (citations omitted). On this reasoning, the Court held that the Complaint had to be dismissed for Plaintiffsâ failure to establish Article III standing. However, the Court granted the Plaintiffs another chance to overcome the deficiencies highlighted in its ruling with leave to amend. Of course, whether Plaintiffs are able to establish standing with an amended complaint remains to be seen. Not to worry, CPW will be there to keep you in the loop.
Š Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XII, Number 56
Gloss