Cybersecurity litigation over alleged disclosure of information dismissed

This month, a federal court dismissed a data event litigation involving claims raised under the federal Driver’s Privacy Protection Act (“DPPA”), 18 U.S.C. Section 2724, and California and common law. The decision reiterates that plaintiffs in data event litigation who allege only a speculative risk of future harm continue to face an uphill battle to establish Article III standing – a prerequisite for a federal court to have jurisdiction to hear a case or controversy. Greenstein v. Noblr Reciprocal Exchange, 2022 U.S. Dist. LEXIS 30228 (N.D. Cal. Feb. 14, 2022). Read on to learn more and what the case means for other data event disputes.

First, the facts. Noblr is an insurance company that provides online insurance quotes to individuals. To generate an instant quote on Noblr’s platform, the user submits certain personal data and Noblr matches this data with “related information automatically extracted from a third party” to generate a quote. The plaintiffs alleged that they received a letter from Noblr in May 2021 stating that the plaintiffs’ personal information (“PI”) may have been compromised (the “Notice”). The Notice provided information regarding a data event (the “Data Event”) in which, starting on January 21, 2021, Noblr’s web team noticed “unusual quote activity” on its webpage and opened an internal investigation. The investigation found that the hackers had submitted multiple names and dates of birth into the Noblr system during the instant quote process and in the final policy application to access applicants’ driver’s license numbers. The Notice stated that these driver’s license numbers had been “inadvertently included in the page’s source code.” The Notice said each plaintiff’s “name, driver’s license number and address” may have been viewed by the attackers.

The plaintiffs filed a lawsuit, raising claims for (1) violations of the DPPA; (2) negligence; (3) violation of the California Unfair Competition Law, California Business & Professions Code Section 17200, et seq. (“UCL”); and (4) declaratory and injunctive relief. As a result of the Data Event, the plaintiffs alleged that they and the class members face an imminent threat of future harm in the form of identity theft and fraud. As in many other data event disputes, the plaintiffs also asserted that “consumers’ personal information remains of great value to criminals.” The plaintiffs also argued that their stolen driver’s license numbers are highly sensitive PI and claimed that they suffered injuries due to increased effort and time spent monitoring their credit reports. A named plaintiff further claimed that her PI “was fraudulently used to apply for unemployment benefits” in New York and that she purchased additional credit monitoring.

As a reminder, any party wishing to sue in federal court must have standing under Article III, which requires that a plaintiff be able to demonstrate: (1) factual harm; (2) that the injury was caused by the defendant’s conduct; and (3) that the harm is likely to be redressed by a favorable court decision. Sufficient factual harm for the purposes of standing under Article III must be “concrete and detailed.” Id. at 1548 (emphasis in original).

In a class action, there is standing when at least one named plaintiff meets these requirements. To prove that they have standing, “named plaintiffs who represent a class must allege and demonstrate that they were personally injured, not that any harm has been suffered by other unidentified members of the class to which they belong and which they claim to represent.” (quote omitted). At least one named plaintiff must have standing with respect to each claim that class representatives seek to bring.

Further, in the context of requests for injunctive relief, the standing inquiry requires plaintiffs to “demonstrate that [they have] suffered or [are] threatened with ‘concrete and specific’ legal harm, coupled with a ‘sufficient likelihood that [they] will again be harmed in the same way.’” (quote omitted). This requires the plaintiff to face a “real and immediate threat of repeated harm” that is “certainly imminent” to constitute factual harm for the purposes of an injunction. (quote omitted).

The defendant moved to dismiss for lack of standing. The Court, after reviewing relevant Ninth Circuit case law and other federal precedents, ultimately agreed and dismissed the complaint. In reaching this decision, the Court first noted that in the Ninth Circuit, courts have distinguished the risk of harm to individuals from a data event based on the types of information disclosed. In the case of driver’s license numbers, other federal courts have ruled that “driver’s license numbers do not clearly enable hackers to commit fraud” and are considered less sensitive than other categories of information and data.

And in any event, the Court held, the plaintiffs did not make a credible claim to be at risk of identity theft in the future. Indeed, according to the Court, “the plaintiffs only allege that Noblr exposed the names, addresses and driver’s license numbers of the members of the group”, which is “insufficient to open a new account in the name of the plaintiffs or to access personal accounts likely to have more sensitive information.” While a named plaintiff alleged that a fraudulent application for unemployment benefits had been submitted under her name, the Court noted that this plaintiff “fail[ed] to demonstrate whether the request succeeded or harmed her in any way,” nor had she explained why the additional purchase of credit monitoring services was necessary.

Finally, although the plaintiffs also sought to establish Article III standing by claiming that their PI had diminished in value, the Court noted that “to successfully demonstrate factual harm by diminishing value of the PI, plaintiffs must ‘establish both the existence of a market for personal information and an impairment of one’s ability to participate in that market.’” On this basis also, the complaint failed. The Court explained that:

Plaintiffs cannot cite a breach of privacy to demonstrate a diminished value. Although the plaintiffs rely on news sources that warn of the danger of driver’s license numbers on the dark web, the plaintiffs do not show how the [Data Event] makes their names, addresses and driver’s license numbers less valuable than before the breach. Moreover, the plaintiffs do not allege that they intended to sell their names, addresses or driver’s license numbers. The [Data Event] does not prevent applicants from selling this information in the future. While plaintiffs claim there is a market for driver’s license numbers and other sensitive information on the “dark web”, individual data markets generally value more sensitive and important data than limited information such as names and driver’s license numbers. Plaintiffs’ PI suffered no tangible, monetary or material loss. As a result, Plaintiffs’ claims of diminished value of personal information are insufficient to establish harm for the purposes of Article III.

(emphasis added) (quotes omitted). Based on this reasoning, the Court held that the complaint should be dismissed because the plaintiffs had failed to establish standing under Article III. However, the Court dismissed with leave to amend, giving the plaintiffs another chance to overcome the shortcomings highlighted in its decision. Of course, it remains to be seen whether the plaintiffs are able to establish their standing with an amended complaint. Don’t worry, CPW will be there to keep you up to date.

© Copyright 2022 Squire Patton Boggs (USA) LLP. National Law Review, Volume XII, Number 56