Opinion
Case No. 21-cv-04537-JSW
2022-02-14
Gayle Meryl Blatt, David S. Casey, Jr., Patricia Camille Guerra, Casey Gerry Schenk Francavilla Blatt & Penfield LLP, San Diego, CA, Karen Hanson Riebel, Pro Hac Vice, Kate M. Baxter-Kauf, Pro Hac Vice, Lockridge Grindal Nauen PLLP, Minneapolis, MN, for Plaintiffs Michael Greenstein, Cynthia Nelson. Gayle Meryl Blatt, Casey Gerry Schenk Francavilla Blatt & Penfield LLP, San Diego, CA, for Plaintiff Sinkwan Au. Francis Xavier Nolan, IV, Pro Hac Vice, Eversheds Sutherland (US) LLP, New York, NY, Ian Scott Shelton, Eversheds Sutherland (US) LLP, Sacramento, CA, Jim L. Silliman, Pro Hac Vice, Eversheds Sutherland (US) LLP, Houston, TX, Michael Bahar, Pro Hac Vice, Eversheds Sutherland (US) LLP, Washington, DC, for Defendant.
ORDER GRANTING MOTION TO DISMISS CORRECTED FIRST AMENDED CLASS ACTION COMPLAINT
Re: Dkt. No. 31
JEFFREY S. WHITE, United States District Judge
Now before the Court for consideration is the motion to dismiss Plaintiff's corrected first amended complaint ("FAC"), filed by Defendant Noblr Reciprocal Exchange ("Noblr" or "Defendant"). The Court has considered the parties’ papers, relevant legal authority, and the record in the case, and it finds this matter suitable for disposition without oral argument. See N.D. Civ. L-R 7-1(b). The Court HEREBY GRANTS the motion to dismiss with leave to amend.
BACKGROUND
Noblr is an insurance company that provides online insurance quotes to members of the public in exchange for personal data. (Dkt. No. 16, FAC ¶ 2.) To generate an instant quote on Noblr's system, the user submits personal data (name and date of birth) into the system and Noblr matches that data with "related information automatically pulled from a third-party" to generate a quote. (Id. ¶ 23.) Plaintiffs and the Class Members allege that they received a letter from Noblr, dated May 14, 2021, that informed Plaintiffs that their personal information ("PI") may have been compromised. (Id. ) The letter, titled "Notice of Data Security Incident Involving Your Personal Data," ("Notice"), included a report that disclosed the details of the "Unauthorized Data Disclosure." (Id. ¶¶ 22, 23.) The Notice stated that on January 21, 2021, Noblr's web team noticed "unusual quote activity" on its webpage and commenced an internal investigation. (Id. ¶ 23.) The investigation discovered that the hackers had submitted multiple names and birth dates into the Noblr system during the instant quote process and in the final policy application to access Plaintiffs’ driver's license numbers. (Id. ) These driver's license numbers were "inadvertently included in the page source code." (Id. )
On January 25, 2021, Noblr's security team started blocking suspicious IP addresses. (Id.) Two days later, on January 27, 2021, Noblr changed its instant quote system to conceal consumers’ driver's license numbers in the page source code and final application after Noblr discovered the attackers could obtain consumers’ driver's license numbers. (Id.) The Notice stated that the "name, driver's license number, and address" of each Plaintiff may have been accessed by the attackers. (Id.) Furthermore, the Notice asserted that Noblr not only blocked suspicious IP addresses, but revised its rate limit thresholds, altered the instant quote system code, and changed protocols to prevent further data breaches. (Id.) Finally, although Plaintiffs had no prior relationship with Noblr and had never requested a quote for insurance from Noblr, the Notice informed Plaintiffs that they were victims of the Unauthorized Data Disclosure. (Id. ¶ 24.)
As a result of the Unauthorized Data Disclosure, Plaintiffs allege that they and the Class Members face an imminent threat of future harm in the form of identity theft and fraud. (Id. ¶ 25.) Plaintiffs assert that "PI of consumers remains of high value to criminals" and point to multiple news sources that highlight the pervasive danger of stolen identity credentials on the dark web. (Id. ¶ 31.) Notably, Plaintiffs emphasize that driver's license numbers are a veritable "gold mine" for bad actors who set up email scams such as phishing for insurance information or fraudulently applying for unemployment benefits. (Id. ¶ 35.) Additionally, Plaintiffs allege that they have had to spend considerable time and resources mitigating the effects of the Unauthorized Data Disclosure. (Id. ¶ 79.)
Besides the threat of future harm, Plaintiffs claim that Noblr had notice of the sensitivity of the PI and failed to protect it adequately according to Federal Trade Commission requirements. (Id. ¶ 44.) While Noblr claimed to protect PI through encryption and reasonable industry standards, Plaintiffs allege that the weakness in Noblr's system compromised the security of Plaintiffs’ and Class Members’ PI. As a result, Plaintiffs claim the Unauthorized Data Disclosure was a direct result of Noblr's negligence in failing to protect PI through reasonable and appropriate measures. (Id. )
Due to the Unauthorized Data Disclosure, Plaintiffs Greenstein, Nelson, and Au allege that they have suffered both economic and non-economic damages, and actual injury in the form of: (a) damages to and diminution in the value of their PI—a form of intangible property; (b) loss of their privacy; and (c) imminent and impending injury resulting from an increased danger of fraud and identity theft. (Id. ¶¶ 53, 59, 66.) Plaintiffs also argue that their stolen driver's license numbers are highly sensitive PI that could be used for unemployment applications and other cybercrimes resulting in future harm. (Id. ¶¶ 26, 27.) Each named Plaintiff claims that they incurred injury from increased effort and time spent monitoring their credit reports. (Id. ¶¶ 51, 57, 64.) Plaintiff Au in particular claims that her PI "was fraudulently used to apply for unemployment benefits in New York." (Id. ¶ 62.) Additionally, Plaintiff Au claims that as a result of the breach, she purchased a "family plan credit monitoring for her and her husband for which she pays a monthly fee." (Id. ¶ 64.)
The Plaintiffs and the Class Members bring the following causes of action: (1) violations of the Drivers’ Privacy Protection Act ("DPPA"), 18 U.S.C. section 2724 ; (2) negligence; (3) violation of California's Unfair Competition Law, California Business & Professions Code section 17200, et seq. ("UCL"); and (4) declaratory and injunctive relief.
In their motion to dismiss, Defendant makes three distinct challenges to Plaintiffs’ Article III standing. First, Defendant alleges that Plaintiffs fail to plausibly plead a concrete injury-in-fact. Second, Defendant contends that Plaintiffs fail to plead a traceable injury. Finally, Defendant argues Plaintiffs are not entitled to injunctive relief because Plaintiffs have failed to show that a favorable ruling would redress their grievances.
The Court will address other facts as necessary in the analysis.
ANALYSIS
A. Legal Standards on the Motion to Dismiss for Lack of Subject Matter Jurisdiction.
The Court evaluates challenges to Article III standing under Federal Rule of Civil Procedure 12(b)(1). Maya v. Centex Corp. , 658 F.3d 1060, 1067 (9th Cir. 2011) (motion to dismiss for lack of standing governed by Rule 12(b)(1) ). Where, as here, a defendant makes a facial attack on jurisdiction, the factual allegations of the complaint are taken as true. Fed'n of African Am. Contractors v. City of Oakland , 96 F.3d 1204, 1207 (9th Cir. 1996). Plaintiffs are then entitled to have those facts construed in the light most favorable to them. Id.
The "irreducible constitutional minimum" of standing consists of three elements: an injury-in-fact, causation, and redressability. Spokeo v. Robins , 578 U.S. 330, 136 S. Ct. 1540, 1547, 194 L.Ed.2d 635 (2016) (citing Lujan v. Defs. of Wildlife , 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) ). Plaintiffs must prove each element with the same manner and degree of evidence required at each stage of the litigation. Lujan , 504 U.S. at 561, 112 S.Ct. 2130. "At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss we ‘presum[e] that general allegations embrace those specific facts that are necessary to support the claim.’ " Id. at 561, 112 S.Ct. 2130 (quoting Lujan v. Nat'l Wildlife Fed'n , 497 U.S. 871, 889, 110 S.Ct. 3177, 111 L.Ed.2d 695 (1990) ). Because Plaintiffs are the parties invoking federal jurisdiction, they "bear[ ] the burden of establishing these elements." Id.
In a class action, standing exists where at least one named plaintiff meets these requirements. Ollier v. Sweetwater Union High Sch. Dist. , 768 F.3d 843, 865 (9th Cir. 2014). To demonstrate standing, the "named plaintiffs who represent a class must allege and show they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." Lewis v. Casey , 518 U.S. 343, 347, 116 S.Ct. 2174, 135 L.Ed.2d 606 (1996) (internal quotation marks omitted). At least one named plaintiff must have standing with respect to each claim that the class representatives seek to bring. In re Ditropan XL Antitrust Litig. , 529 F. Supp. 2d 1098, 1107 (N.D. Cal. 2007).
In the context of requests for injunctive relief, the standing inquiry requires plaintiffs to "demonstrate that [they have] suffered or [are] threatened with a ‘concrete and particularized’ legal harm, coupled with a ‘sufficient likelihood that [they] will again be wronged in a similar way.’ " Bates v. United Parcel Service, Inc. , 511 F.3d 974, 985 (9th Cir. 2007) (quoting Lujan , 504 U.S. at 560, 112 S.Ct. 2130, and City of Los Angeles v. Lyons , 461 U.S. 95, 111, 103 S.Ct. 1660, 75 L.Ed.2d 675 (1983) ). The latter inquiry turns on whether the plaintiff has a "real and immediate threat of repeated injury." Id. The threat of future injury cannot be "conjectural or hypothetical" but must be "certainly impending" to constitute an injury in fact for injunctive relief purposes. In re Zappos.com, Inc. (Zappos) , 888 F.3d 1020, 1026 (9th Cir. 2018).
According to Noblr, Plaintiffs have not suffered an injury in fact because Plaintiffs allege only vague and unspecified harms, such as the loss of privacy and a future risk of identity theft and fraud. Moreover, Noblr argues that Plaintiffs’ other allegations of injury are speculative. Plaintiffs, by contrast, argue that all Plaintiffs suffered concrete harms from the Unauthorized Data Disclosure, and that several courts have found these harms sufficient to establish injury in fact in similar data breach cases.
Specifically, Plaintiffs contend that all Plaintiffs have suffered harm in the form of (1) risk of future identity theft; and (2) loss of value of their PI. In addition, Plaintiff Au argues she experienced additional injuries such as out of pocket expenses for a professional credit monitoring system. She also claims a fraudulent employment benefits application filed in New York demonstrates a strong risk of identity theft. For the reasons discussed below, the Court agrees with Noblr in that Plaintiffs have failed to adequately allege injury in fact. The Court first addresses the injury that all Plaintiffs allege that they have suffered: the risk of future harm.
1. There is No Cognizable Threat of Future Harm.
Noblr argues that Plaintiffs have failed to allege a cognizable threat of future harm. First, Noblr argues that Plaintiffs have only alleged that a future harm is possible instead of showing that the future harm is "certainly impending." Zappos, 888 F.3d at 1026 (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013)). Plaintiffs rely on multiple cases finding a sufficient risk of future harm resulting from a data breach of personal information, such as Krottner and Zappos. However, in each of those cases, plaintiffs’ Article III standing turned on whether the degree of sensitive information presented an imminent and credible risk of harm.
a. The type of PI does not pose an imminent risk of harm.
The Ninth Circuit identifies types of future harm in data breach cases based on the types of personal information compromised. In Krottner , the court distinguished data breaches which constitute a "real and immediate harm" from those that pose a "conjectural or hypothetical" harm. Krottner v. Starbucks Corp. , 628 F.3d 1139, 1143 (9th Cir. 2010). Starbucks employees’ names, addresses, and social security numbers were disclosed after a thief stole a laptop containing highly sensitive PI. Id. at 1140. The Ninth Circuit determined there was an actual injury because they had "alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data." Id. at 1143. Therefore, the injury-in-fact requirement will be satisfied when highly sensitive personal data, such as social security numbers and credit card numbers, are inappropriately revealed to the public and increase the risk of immediate future harm to the plaintiff.
Likewise, the In re Adobe court found that plaintiffs demonstrated an immediate harm after "hackers deliberately targeted Adobe's servers and spent several weeks collecting names, usernames, passwords, emails addresses, phone numbers, mailing addresses, credit card numbers and expiration dates." In re Adobe Sys., Inc. Priv. Litig. , 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014). The court found that the risk of injury was "immediate and very real" because it was clear that the hackers "intend[ed] to misuse the personal information stolen" and that they had the ability to do so. Id. at 1214-15.
In Zappos , the Ninth Circuit clarified its ruling in Krottner by focusing on the sensitivity of data. 888 F.3d at 1026. The court found that the "names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit-card and debit-card information of more than 23 million Zappos customers" constituted a substantial risk of future harm because it provided the hackers with a clear ability to commit fraud or identity theft. Id. at 1028. The Zappos court further noted that the sensitivity of data was "sufficiently similar to that in Krottner ," and therefore the dispositive factor in establishing standing. Id. at 1027. The Zappos court reasoned that the "sensitivity of the personal information, combined with its theft, led us to conclude that the plaintiffs had adequately alleged an injury in fact supporting standing." Id.
Conversely, driver's license numbers do not provide hackers with a clear ability to commit fraud and are considered not as sensitive as social security numbers. Antman v. Uber Techs., Inc. (Antman II ), No. 15-CV-01175-LB, 2018 WL 2151231, at *10 (N.D. Cal. May 10, 2018). In Antman I , the court determined that Mr. Antman's name, driver's license, combined with his bank account and routing information, were not sensitive enough to constitute an "immediate, credible risk of harm." Id. at *11. As the court observed in Antman II , "[it] is not plausible that a person could apply for a credit card without a social security number." Id. at *10 (quoting Antman v. Uber Techs., Inc. (Antman I ), No. 3:15-CV-01175-LB, 2015 WL 6123054, at *11 (N.D. Cal. Oct. 19, 2015) ).
Here, the disclosure of personal information is much more limited than that in Krottner and In re Adobe. Additionally, unlike the plaintiffs in Krottner and Zappos, here, the Plaintiffs do not demonstrate that the PI obtained in the Unauthorized Data Disclosure establishes a credible risk of imminent harm. The Unauthorized Data Disclosure did not reveal social security or credit card information. Plaintiffs only allege that Noblr exposed the names, addresses, and driver's license numbers of the Class Members. (FAC ¶ 23.) The PI disclosed in the Unauthorized Data Disclosure is insufficient to open a new account in Plaintiffs’ names or to gain access to personal accounts likely to have more sensitive information. To find a credible risk of future identity theft, this Court would need to speculate as to whether a third-party, with Plaintiffs’ names, addresses, and driver's license numbers, could commit extensive identity theft.
Here, the type of PI disclosed in the Unauthorized Data Disclosure fails to rise above the threshold established in Antman II. The Court questions whether attackers would be able to use that limited information to set up credit or debit accounts without the addition of more, highly sensitive personal information such as social security numbers. The PI disclosed in the Unauthorized Data Disclosure did not include bank account numbers or routing information present in Antman. Because the low sensitivity of names and driver's license numbers does not rise to the type of PI in Antman II , Plaintiffs cannot rely on the sensitivity of their PI to establish a credible and imminent threat of future harm.
To guard against future harm, Plaintiff Greenstein argues he spent time and effort researching his options and monitoring his credit. (FAC ¶ 51.) Similarly, Plaintiff Nelson alleges she also spent considerable time reviewing her credit, notifying her financial advisors, and filing a police report. (Id. ¶ 62.) Plaintiffs claim these attempts to secure their PI were necessary to mitigate a general risk of future identity theft and fraud. (Id.) The Class Members similarly allege that they are at risk for actual identity theft and fraud. However, despite their extensive monitoring, neither the Class Members nor Plaintiffs Greenstein and Nelson can identify one instance where their PI was used for nefarious purposes or otherwise.
In contrast, Plaintiff Au claims actual injury because her data was "fraudulently used to apply for unemployment benefits in New York." (Id.) However, Plaintiff Au fails to demonstrate whether the application was successful or harmed her in any way. Plaintiff Au also argues that her purchase of the ID Shield family plan credit monitoring service constitutes an actual injury. (Id. ¶ 64.) However, Plaintiff Au has not explained why this service was necessary and she appears to be the only plaintiff to have purchased a credit monitoring service. In addition, neither the professional credit monitoring system, nor the rest of the named Plaintiffs and Class Members have detected any form of actual fraud or identity theft that was successfully executed.
In contrast to In re Adobe, where it was apparent that the third-party had the ability to engage in future identity theft, here, the Court would have to hypothesize various possibilities of future harm in order to find that Plaintiffs face a risk of imminent identity theft based on the limited amount of PI. 66 F. Supp. 3d at 1215. Accordingly, because the exposed PI was limited only to Plaintiffs’ names, addresses, and driver's license numbers, the Court finds that Plaintiffs have not sufficiently alleged the credible threat of future identity theft needed to plead injury in fact.
b. Plaintiffs’ PI has not lost value.
Plaintiffs allege damages in the form of diminution of value of their PI. Courts have accepted diminution in value as evidence of injury in fact under state contract law. In re Facebook Priv. Litig. , 572 F. App'x 494, 494 (9th Cir. 2014). However, to successfully demonstrate injury in fact by diminution in value of PI, Plaintiffs must "establish both the existence of a market for her personal information and an impairment of her ability to participate in that market." Svenson v. Google Inc. (Svenson ), No. 13-CV-04080-BLF, 2016 WL 8943301, at *9 (N.D. Cal. Dec. 21, 2016) (citing In re Google, Inc. Privacy Pol'y Litig. , No. 5:12-CV-001382-PSG, 2015 WL 4317479, at *4 (N.D. Cal. July 15, 2015) ). Further, the In re Facebook court held that a hypothetical loss of value was insufficient to confer standing. In re Facebook, Inc., Consumer Priv. User Profile Litig. (In re Facebook ), 402 F. Supp. 3d 767, 784 (N.D. Cal. 2019). Instead, to establish standing, plaintiffs must show that the loss of value is not arbitrary or hypothetical. Additionally, plaintiffs must demonstrate the value of their PI by showing that "the same information, when not disclosed, has independent economic value to an individual user." Id. The plaintiffs in In re Facebook did not "plausibly allege that they intended to sell their non-disclosed personal information to someone else ... [n]or [did] they plausibly allege that someone else would have bought it as a stand-alone product." Id.
Furthermore, Plaintiffs cannot rely on a loss of privacy to demonstrate diminution in value. See Svenson , 2016 WL 8943301, at *17 (finding that in an exchange of privacy protections, the asserted loss of those privacy protections does not constitute a loss of money or property); see also Razuki v. Caliber Home Loans, Inc. , No. 17-CV-1718-LAB (WVG), 2018 WL 6018361, at *1 (S.D. Cal. Nov. 15, 2018) (denying damages for plaintiff's negligence claim where plaintiff's "claim alleging diminution of value of his personal data fails to allege enough facts to establish how his personal information is less valuable as a result of the breach.")
Although Plaintiffs rely on news sources that warn of the danger of driver's license numbers on the dark web, Plaintiffs do not show how the Unauthorized Data Disclosure caused their names, addresses, and driver's license numbers to be less valuable than before the breach. Moreover, Plaintiffs do not allege they had plans to sell their names, addresses, or driver's license numbers. The Unauthorized Data Breach does not prevent Plaintiffs from selling such information in the future. While Plaintiffs claim that a market exists for driver's license numbers and other sensitive information on the "dark web," markets for individual data generally value more sensitive and important data than limited information such as names and driver's license numbers. Plaintiffs’ PI has suffered no tangible, monetary, or property loss. As a result, Plaintiffs’ allegations of diminished value of personal information are insufficient to establish injury for Article III purposes.
c. Plaintiffs’ mitigation costs are insufficient to establish standing.
Plaintiffs allege that their time and effort spent monitoring their credit reports constitutes a cognizable injury in fact. While courts have found that credit monitoring may be "compensable where evidence shows that the need for future monitoring is a reasonably certain consequence of the defendant's breach of duty ... the monitoring must be ‘reasonable and necessary.’ " Corona v. Sony Pictures Entm't, Inc. , No. 14-cv-09600 RGK EX, 2015 WL 3916744, at *4 (C.D. Cal. June 15, 2015) (citing Potter v. Firestone Tire & Rubber Co. , 6 Cal.4th 965, 1006-07, 25 Cal.Rptr.2d 550, 863 P.2d 795 (1993) ). In Antman II , the court determined that "the mitigation expenses do not qualify as injury; the risk of identity theft must be real before mitigation can establish injury in fact." Antman II , 2018 WL 2151231, at *22–23.
The Ninth Circuit recognizes that "mitigation expenses do not qualify as injury; the risk of identity theft must first be real and imminent, and not speculative, before mitigation costs establish injury in fact." Krottner , 628 F.3d at 1143. In addition, Plaintiffs must show that the mitigation costs were reasonable and necessary. See Holly v. Alta Newport Hosp., Inc. , No. 2:19-cv-07496-ODW (MRWx), ––– F.Supp.3d ––––, ––––, 2020 WL 1853308, at *6 (C.D. Cal. Apr. 10, 2020) (conclusory allegations concerning mitigation were not sufficient where plaintiff did not present any supporting facts or allege how any credit monitoring was reasonable and necessary). In In re Adobe , the court found the financial costs incurred on data monitoring services to mitigate the data breach's harm was a cognizable injury. 66 F. Supp. 3d at 1217. However, the court noted that "in order for costs incurred in an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being mitigated must itself be imminent." Id.
Plaintiffs’ effort and costs attempting to mitigate harm from the breach do not confer standing. The Court does not consider the risk of identity theft and fraud to be real and imminent based on the type of data obtained in the Unauthorized Data Disclosure. Plaintiffs’ claims of harm are speculative in predicting that the PI will lead to identity theft without more sensitive information such as social security or routing numbers. Although Plaintiff Au claims that the fraudulent unemployment application demonstrates that the PI can be used for identity theft and fraud, she does not allege that the application, identity theft, or fraud was successful and resulted in injury. In fact, the attempted fraudulent application demonstrates that the limited PI disclosed in the breach is insufficient even for unemployment benefits, much less banking or credit card accounts. Therefore, Plaintiffs’ mitigation expenses cannot establish an injury in the absence of a real and imminent risk of harm.
Plaintiffs Greenstein, Nelson, and Au allege that they spent time researching and monitoring their credit information. (FAC ¶¶ 51, 57, 64.) However, Plaintiffs do not allege that their credit was harmed despite their close monitoring. Furthermore, Plaintiffs offer no factual allegations in support of the alleged credit monitoring services, nor do they sufficiently allege that such services were reasonable and necessary. Although Plaintiff Au has alleged out of pocket expenses allegedly spent on credit monitoring services, she has not provided any reason as to why this subscription service was reasonable and necessary. Thus, in the absence of an imminent risk of harm, Plaintiffs cannot manufacture standing through costs incurred in monitoring their credit.
2. No Real Injury Can Be Traced to Noblr's Conduct.
Plaintiffs argue that Noblr's actions and conduct caused them a substantial risk of harm. Plaintiffs must "[show] that the defendant's actual action has caused the substantial risk of harm." Clapper, 568 U.S. at 414, 133 S.Ct. 1138. In Clapper, the Supreme Court found there was no substantial risk because plaintiffs’ theory of injury and causal connection was too inferential and speculative to "satisfy the ‘fairly traceable’ requirement." Id. at 413, 133 S.Ct. 1138. By contrast, the plaintiffs in Krottner did not rely on speculation or inferences to demonstrate a clear causal connection. The thief in Krottner stole a laptop that contained all the information required for the identity theft plaintiffs suffered. 628 F.3d at 1142. Article III requires "a causal connection between the injury and the conduct complained of—the injury has to be ‘fairly ... trace[able] to the challenged action of the defendant, and not ... th[e] result [of] the independent action of some third party not before the court.’ " Lujan, 504 U.S. at 560-61, 112 S.Ct. 2130 (quoting Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 41-42, 96 S.Ct. 1917, 48 L.Ed.2d 450 (1976)) (ellipses in original).
Plaintiffs cannot establish that Noblr's conduct caused them an injury in fact. Now or in the future, it would be difficult to trace any future identity theft or fraud to Noblr's specific Unauthorized Data Disclosure. Information is widely available on the internet and later data breaches could reveal more personal information. Moreover, Plaintiffs do not acknowledge that it would be difficult to commit fraud or identity theft with names, addresses, and driver's license numbers alone. See Antman II , 2018 WL 2151231, at *9 (concluding that "[w]ithout a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury"). Therefore, any supplemental, highly sensitive information used to commit future acts of identity theft or fraud could not be specifically traced back to the data exposed by the Unauthorized Data Disclosure.
Furthermore, Plaintiff Au cannot trace the data used for the fraudulent application to the Unauthorized Data Disclosure. The application was filed sometime in January 2021, but Plaintiff Au does not argue that this was after Noblr discovered the data breach. Additionally, Plaintiff Au fails to allege a specific connection between the breach and the type of data used in the application. Even if the Unauthorized Data Disclosure occurred months earlier, Plaintiff Au has not sufficiently shown that the fraudulent application was a result of the Unauthorized Data Disclosure itself. In fact, since Noblr's instant quote feature used information that was already available online, it is possible that the data used for the fraudulent application could have been obtained from a third-party or unrelated data breach.
Plaintiffs further allege that Noblr's delay in identifying and reporting the breach caused them additional harm. (FAC ¶ 39.) Delay of notification is insufficient to establish injury-in-fact. In re Adobe, 66 F. Supp. 3d at 1218. In In re Adobe, the court determined that Plaintiff had failed to allege injury in fact because Plaintiff had not traced any injury from the delayed notification. Id. at 1217. Moreover, the court in Antman II determined that "delay alone is not enough." Antman II, 2018 WL 2151231 at *23 (citing Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 695 (7th Cir. 2015)) ("delay in notification," on its own, "is not a cognizable injury" that confers Article III standing on a plaintiff) (citing Price v. Starbucks Corp., 192 Cal. App. 4th 1136, 1143, 122 Cal.Rptr.3d 174 (2011)); In re Adobe, 66 F. Supp. 3d at 1217-18 (concluding that the plaintiffs had not established Article III standing based on the defendant's alleged failure to reasonably notify them of the data breach because the plaintiffs did "not allege that they suffered any incremental harm as a result of the delay").
However, much like the plaintiffs in In re Adobe, Plaintiffs have not alleged any specific injury traceable to Noblr because Plaintiffs do not allege that they suffered any incremental harm because of the delay. 66 F. Supp. 3d at 1217. Accordingly, because Plaintiffs do not trace any harm from Noblr's delayed notification, and cannot show a nexus between the alleged harm flowing from the delayed notification and Noblr's actions, Plaintiffs have failed to adequately allege causation.
3. Plaintiffs’ Alleged Harm Will Not be Redressed By a Favorable Decision.
Plaintiffs argue that a favorable judicial decision will redress the harm caused by the Unauthorized Data Disclosure. "[I]t must be ‘likely,’ as opposed to merely ‘speculative,’ that the injury will be redressed by a favorable decision." Lujan , 504 U.S. at 560-61, 112 S.Ct. 2130 (internal quotations and citations omitted). Plaintiffs allege: (1) Noblr used unsafe and insecure methods of safeguarding Plaintiffs’ PI, (FAC ¶¶ 42-43, 48); (2) Noblr had access to Plaintiffs’ PI, (Id. ¶¶ 18-22); (3) attackers could target Plaintiffs’ PI, including their driver's licenses numbers and addresses (Id. ¶¶ 20-24); and (4) attackers’ access to driver's license information creates a strong risk of identity theft and fraud (Id. ¶ 25). Finally, Plaintiffs contend that Plaintiff Au's fraudulent unemployment benefits application supports the strong risk of identity theft and fraud. As discussed above, Plaintiff Au cannot demonstrate that the data disclosed in the Unauthorized Data Disclosure was the basis for the fraudulent application. In addition, Plaintiff Au does not allege she experienced any actual injury because of that application or any employment benefits that may have been fraudulently obtained.
Plaintiffs next argue that the Unauthorized Data Disclosure resulted in a strong risk or high likelihood of identity theft and fraud. Besides failing to demonstrate a strong risk of future identity theft, Plaintiffs also fail to explain how unknown harm will occur. For instance, Plaintiffs never explain how names, addresses, and driver's license numbers, without more sensitive information, can be used successfully to commit identity theft. It would be inappropriate for this Court to speculate not only about future harm, but also about whether a future decision would redress hypothetical harm.
Although Plaintiffs request injunctive relief, that relief would have little impact on the PI that was disclosed by the Unauthorized Data Disclosure. Injunctive or declaratory relief would not be able to redress any future harm of identity theft or fraud because it could not compel the hackers or Noblr to return the PI to Plaintiffs. Additionally, declaratory relief would not motivate Noblr to change its practices. Noblr already took immediate action to remedy its unintentional disclosure by changing its policies and masking driver's license numbers in the page source code. (Id. ¶ 23.)
CONCLUSION
For the foregoing reasons, Defendant's motion to dismiss is GRANTED with leave to amend. The Court grants leave to amend because it is unclear whether amendment would be futile. See Knevelbaard Dairies v. Kraft Foods, Inc. , 232 F.3d 979, 983 (9th Cir. 2000) ("An order granting such a motion must be accompanied by leave to amend unless amendment would be futile"). Because the Court dismisses this case due to lack of Article III standing, the Court DENIES as moot Defendant's motion to dismiss for failure to state a claim. Plaintiffs may file an amended complaint addressing the deficiencies identified herein within twenty-one days of the date of this order.