Choose Jeffrey White of the Northern District of California just lately dismissed a putative class motion lawsuit through which plaintiffs claimed they confronted an imminent menace of way forward for hurt within the type of identification theft and fraud as a result of their private data, particularly their driver’s license numbers, could have been compromised in a knowledge breach. In doing so, the court docket decided that driver’s license numbers “should not as delicate as social safety numbers,” and that they don’t rise to the extent of delicate private data “wanted to determine a reputable and imminent menace of future hurt” for Article III standing. Greenstein et al v. Noblr Reciprocal Alternate, No. 4:2021cv04537 (N.D. Cal. 2022).
Noblr is one among a rising variety of knowledge breach-related circumstances through which courts should decide whether or not the theft or publicity of particular sorts (and combos) of private knowledge establishes a reputable menace of actual and instant hurt enough to confer standing. In making this dedication, courts contemplate whether or not that sort (or mixture) of information is kind of more likely to topic plaintiffs to danger of identification theft or fraud in addition to the power of the patron to take motion to scale back or get rid of the danger of hurt attributable to the theft.
There are a number of opinions on this space, however, for instance, courts have usually discovered the theft or publicity of social safety numbers to be extra more likely to topic plaintiffs to a reputable menace of imminent hurt, than theft of credit score or debit card data, as a result of a social safety quantity derives its worth in that it’s “immutable” and can be utilized to commit identification theft and open new accounts with out the necessity for a lot extra data. Driver’s license numbers, nonetheless, seem like handled in another way. Whereas driver’s license numbers, like social safety numbers, are tough to vary and derive worth from their immutability, plaintiffs haven’t all the time been capable of persuade courts that with out extra there’s a credible danger of identification theft or fraud that dangers imminent damage.
Just like the Noblr court docket, different federal courts in California have distinguished driver’s license numbers from social safety numbers and dismissed claims at an early stage when restricted private data within the type of a driver’s license quantity is alleged to have been uncovered. For instance, in In re Uber Applied sciences., Inc., Information Sec. Breach Litigation, a Central District of California court docket in 2019 dismissed a proposed data-breach class motion, with go away to amend, as a result of the plaintiff failed to elucidate how a hack of primary contact data and driver’s license numbers, not like social safety numbers, create a reputable menace of fraud or identification theft enough to allege damage in truth. Equally, in Antman v. Uber Applied sciences, Inc., a Northern District of California court docket held that the theft of Uber drivers’ names and driver’s license numbers, even mixed with checking account and routing numbers, with out extra (like social safety numbers), did “not plausibly quantity to a reputable menace of identification theft that dangers actual, instant damage.”
Nevertheless, not all Courts inside the Ninth Circuit have subscribed to this reasoning: A District of Nevada court docket, in Stallone v. Farmers Group, Inc., decided {that a} knowledge breach that compromised plaintiff’s driver’s license quantity and handle was enough to determine a reputable danger of instant hurt the place the breach was a part of a concerted marketing campaign by hackers to “pharm” and accumulate the personally identifiable data of plaintiff and different victims, and the data would doubtless be used to fraudulently apply for unemployment advantages, domesticate a fraudulent artificial identification, or acquire entry to sufferer’s financial institution accounts and different private data.
In sum, whereas opinions from California federal courts recommend they’re turning into much less sympathetic to future, unrealized hurt stemming from knowledge breaches, particularly the place social safety numbers aren’t concerned, different courts nonetheless appear prepared to seek out the theft of much less delicate data, comparable to driver’s license numbers, enough to confer standing. That is very true when the plaintiff is ready to persuade the court docket that the uncovered data can be utilized for identification theft, to rack up fraudulent expenses, or acquire entry to extra private data.
We might be watching this area for additional developments, because the Ninth Circuit will doubtless have to weigh in on this situation to make sure that the circuit makes use of a single, unified method. Additionally it is essential to notice that these evolving court docket choices deal with standing and hurt related to knowledge breaches. These choices don’t get rid of an organization’s privateness and cybersecurity compliance obligations, together with the necessities to offer privateness notices, to be clear and correct relating to the corporate’s assortment, use, disclosure and storage of private data and an organization’s requirement to answer client requests underneath sure state privateness legal guidelines such because the California Shopper Privateness Act of 2018.
