Opinion
21-cv-04537-JSW
12-05-2022
ORDER GRANTING MOTION TO DISMISS SECOND AMENDED CLASS ACTION COMPLAINT
RE: DKT. NO. 42
JEFFREY S. WHITE UNITED STATES DISTRICT JUDGE
Now before the Court for consideration is the motion to dismiss Plaintiffs' second amended complaint (“SAC”) filed by Defendant Noblr Reciprocal Exchange (“Noblr” or “Defendant”). The Court has considered the parties' papers, relevant legal authority, and the record in the case, and it finds this matter suitable for disposition without oral argument. See N.D. Civ. L-R 7-1(b). The Court HEREBY GRANTS the motion to dismiss with leave to amend.
BACKGROUND
The Court recited the factual background underlying this dispute in its Order granting Defendant's motion to dismiss the corrected first amended class complaint. See Greenstein v. Noblr Reciprocal Exch., 585 F.Supp.3d 1220, 1224-25 (N.D. Cal. 2022). In brief, Plaintiffs and the Class Members allege that they received a letter from Noblr, dated May 14, 2021, that informed Plaintiffs that their personal information (“PI”) may have been compromised, including Plaintiffs' driver's license numbers, name, and address. Plaintiffs allege that they and the Class Members face an imminent threat of future harm in the form of identity theft and fraud, and that they have suffered both economic and non-economic damages, and actual injury. Plaintiffs also argue that their stolen driver's license numbers are highly sensitive PI that can result in future harm. Each named Plaintiff claims that they incurred injury from increased effort and time spent monitoring their credit reports.
The Plaintiffs and the Class Members bring the following causes of action: (1) violations of the Drivers' Privacy Protection Act (“DPPA”), 18 U.S.C. section 2724; (2) negligence; (3) violation of California's Unfair Competition Law, California Business & Professions Code section 17200, et seq. (“UCL”); and (4) declaratory and injunctive relief.
In dismissing the First Amended Complaint (“FAC”), the Court determined that the exposed PI (names, address, and driver's license numbers) was not sufficient to allege a credible threat of future identity theft. The Court also determined that Plaintiffs have suffered no tangible, monetary, or property loss. Further, the Court held that in the absence of an imminent risk of harm, Plaintiffs could not rely on costs incurred in monitoring their credit to establish standing. The Court also found that the Plaintiffs could not show a nexus between the alleged harm flowing from the delayed notification and Noblr's actions, and so Plaintiffs had failed to adequately allege causation. Finally, the Court determined that Plaintiffs' alleged harm would not be redressed by a favorable decision.
The Court will address other facts as necessary in the analysis.
ANALYSIS
A. Legal Standards on the Motion to Dismiss for Lack of Subject Matter Jurisdiction.
The Court evaluates challenges to Article III standing under Federal Rule of Civil Procedure 12(b)(1). Maya v. Centex Corp., 658 F.3d 1060, 1067 (9th Cir. 2011) (motion to dismiss for lack of standing governed by Rule 12(b)(1)). Where, as here, a defendant makes a facial attack on jurisdiction, the factual allegations of the complaint are taken as true. Fed'n of African Am. Contractors v. City of Oakland, 96 F.3d 1204, 1207 (9th Cir. 1996). Plaintiffs are then entitled to have those facts construed in the light most favorable to them. Id.
The “irreducible constitutional minimum” of standing consists of three elements: an injuryin-fact, causation, and redressability. Spokeo v. Robins, 136 S.Ct. 1540, 1547 (2016) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992)). Plaintiffs must prove each element with the same manner and degree of evidence required at each stage of the litigation. Lujan, 504 U.S. at 561. “At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss we ‘presum[e] that general allegations embrace those specific facts that are necessary to support the claim.'” Id. at 561 (quoting Lujan v. Nat'l Wildlife Fed'n, 497 U.S. 871, 889 (1990)). Because Plaintiffs are the parties invoking federal jurisdiction, they “bear[] the burden of establishing these elements.” Id.
In a class action, standing exists where at least one named plaintiff meets these requirements. Ollier v. Sweetwater Union High Sch. Dist., 768 F.3d 843, 865 (9th Cir. 2014). To demonstrate standing, the “named plaintiffs who represent a class must allege and show they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Lewis v. Casey, 518 U.S. 343, 347 (1996) (internal quotation marks omitted). At least one named plaintiff must have standing with respect to each claim that the class representatives seek to bring. In re Ditropan XL Antitrust Litig., 529 F.Supp.2d 1098, 1107 (N.D. Cal. 2007).
In the context of requests for injunctive relief, the standing inquiry requires plaintiffs to “demonstrate that [they have] suffered or [are] threatened with a ‘concrete and particularized' legal harm, coupled with a ‘sufficient likelihood that [they] will again be wronged in a similar way.'” Bates v. United Parcel Service, Inc., 511 F.3d 974, 985 (9th Cir. 2007) (quoting Lujan, 504 U.S. at 560, and City of Los Angeles v. Lyons, 461 U.S. 95, 111 (1983)). The latter inquiry turns on whether the plaintiff has a “real and immediate threat of repeated injury.” Id. The threat of future injury cannot be “conjectural or hypothetical” but must be “certainly impending” to constitute an injury in fact for injunctive relief purposes. In re Zappos.com, Inc. (Zappos), 888 F.3d 1020, 1026 (9th Cir. 2018).
B. Plaintiffs' Fail to Correct the Deficiencies from their First Amended Complaint.
According to Noblr, Plaintiffs have not alleged any new facts that would alter the Court's findings regarding the earlier iteration of the complaint. Plaintiffs argue that their amended complaint makes clear that theft of driver's license information is sufficient to post imminent risk of harm. As will be discussed below, the Court agrees with Noblr.
1. There Continues to be No Cognizable Threat of Future Harm.
a. The type of PI does not pose an imminent risk of harm.
Instead of providing any new facts regarding the type of data that was exposed, Plaintiffs' most recent complaint provides only new arguments as to why driver's license data should be considered sensitive PI for standing purposes. While the Court acknowledges that it is a close call, the Court continues to hold that driver's license numbers are not as sensitive as social security numbers, and that they do not rise to the level of sensitive PI needed to establish a credible and imminent threat of future harm. The Court continues to believe that it would have to hypothesize various possibilities of future harm in order to find that Plaintiffs face a risk of imminent identity theft based on the limited amount of PI. See In re Adobe Systems Inc. Privacy Litig., 66 F.Supp.3d 1197, 1214-15 (N.D. Cal. 2014) (holding that plaintiffs had demonstrated an immediate harm and the risk of injury “immediate and very real” after “hackers deliberately targeted Adobe's servers and spent several weeks collecting names, usernames, passwords, email addresses, phone numbers, mailing addresses, credit card numbers and expiration dates”); cf Stallone v. Farmers Group, Inc., 2022 WL 10091489, at *5 (D. Nev. Oct. 15, 2022) (holding that driver's license data, like social security numbers, derives its value in large part from its immutability). Accordingly, because the exposed PI was limited only to Plaintiffs' names, addresses, and driver's license numbers, the Court finds that Plaintiffs have not sufficiently alleged the credible threat of future identity theft needed to plead injury in fact.
b. Plaintiffs' PI has not lost value.
Similar to the type of PI argument, Plaintiffs do not allege any new facts to address the Court's prior holding. Because there continues to be no real and imminent threat of identity theft, Plaintiffs' alleged mitigation measures continue not to confer standing. Further, Plaintiff Au's claim that she suffered actual injury because her information was used to fraudulently apply for unemployment benefits continues to be insufficient. The Court still holds that the attempted fraudulent application demonstrates that the limited PI disclosed in the breach is insufficient even for unemployment benefits, much less banking or credit card accounts. Further, Plaintiffs have not provided any new facts to “establish both the existence of a market for her personal information and an impairment of her ability to participate in that market.” Svenson v. Google Inc. (Svenson), No. 13-CV-04080-BLF, 2016 WL 8943301, at *9 (N.D. Cal. Dec. 21, 2016) (citing In re Google, Inc. Privacy Pol'y Litig., No. 5:12-CV-001382-PSG, 2015 WL 4317479, at *4 (N.D. Cal. July 15, 2015)). Therefore, Plaintiffs' allegations of diminished value of personal information continue to be insufficient to establish injury for Article III purposes. See Agans v. Uber Technologies, 2019 WL 6522843, at *3-4 (C.D. Cal. Aug. 19, 2019) (holding that a bare “contention that [a plaintiff] suffered a loss of value of [his] private information, without any more details is too abstract and speculative to support [A]rticle III standing.”) (internal citations omitted).
c. Plaintiffs' mitigation costs are insufficient to establish standing.
Plaintiffs repeat their allegations that the time and effort they have spent monitoring their credit reports constitutes a cognizable injury in fact. While courts have found that credit monitoring may be “compensable where evidence shows that the need for future monitoring is a reasonably certain consequence of the defendant's breach of duty . . . the monitoring must be ‘reasonable and necessary.'” Corona v. Sony Pictures Entm't, Inc., No. 14-cv-09600 RGK EX, 2015 WL 3916744, at *4 (C.D. Cal. June 15, 2015) (citing Potter v. Firestone Tire & Rubber Co., 6 Cal.4th 965, 1006-07 (1993)). In Antman II, the court determined that “the mitigation expenses do not qualify as injury; the risk of identity theft must be real before mitigation can establish injury in fact.” Antman v. Uber Technologies, Inc. (“Antman II'), 2018 WL 2151231, at *22-23 (N.D. Cal. May 10, 2018); see also Webb v. Injured Workers Pharm., LLC, 2022 LEXIS 189196, at *4 (D. Mass. Oct. 17, 2022) (holding that Plaintiffs cannot manufacture harm by alleging only that they spent considerable time and effort monitoring their accounts).
The Ninth Circuit recognizes that “mitigation expenses do not qualify as injury; the risk of identity theft must first be real and imminent, and not speculative, before mitigation costs establish injury in fact.” Krottner v. Starbucks, Corp., 628 F.3d 1139, 1143 (9th Cir. 2010). In addition, Plaintiffs must show that the mitigation costs were reasonable and necessary. See Holly v. Alta Newport Hosp., Inc., 2020 WL 1853308, at *6 (C.D. Cal. Apr. 10, 2020) (conclusory allegations concerning mitigation were not sufficient where plaintiff did not present any supporting facts or allege how any credit monitoring was reasonable and necessary). In In re Adobe, the court found the financial costs incurred on data monitoring services to mitigate the data breach's harm was a cognizable injury. 66 F.Supp.3d at 1217. However, the court noted that “in order for costs incurred in an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being mitigated must itself be imminent.” Id.
Plaintiffs' effort and costs attempting to mitigate harm from the breach do not confer them standing. The Court does not consider the risk of identity theft and fraud to be real and imminent based on the type of data obtained in the Unauthorized Data Disclosure. Plaintiffs' claims of harm are speculative in predicting that the PI will lead to identity theft without more sensitive information such as social security or routing numbers. Although Plaintiff Au once again claims that the fraudulent unemployment application demonstrates that the PI can be used for identity theft and fraud, she does not allege that the application, identity theft, or fraud was successful and resulted in her suffering any injury. In fact, the attempted fraudulent application demonstrates that the limited PI disclosed in the breach is insufficient even for unemployment benefits, much less banking or credit card accounts. Therefore, Plaintiffs' mitigation expenses cannot establish an injury in the absence of a real and imminent risk of harm.
Plaintiffs Greenstein, Nelson, and Au also allege that they spent time researching and monitoring their credit information. (SAC ¶¶ 80, 86, 94.) However, Plaintiffs do not allege that their credit was harmed despite their close monitoring. Furthermore, Plaintiffs offer no factual allegations in support of the alleged credit monitoring services, nor do they sufficiently allege that such services were reasonable and necessary. Although Plaintiff Au has alleged out of pocket expenses allegedly spent on credit monitoring services, she has not provided any reason regarding why this subscription service was reasonable and necessary. Thus, in the absence of an imminent risk of harm, Plaintiffs cannot manufacture standing through costs incurred in monitoring their credit.
2. No Real Injury Can Be Traced to Noblr's Conduct.
Plaintiffs continue to argue that Noblr's actions and conduct caused them a substantial risk of harm. Plaintiffs must “[show] that the defendant's actual action has caused the substantial risk of harm.” Clapper v. Amnesty International USA, 568 U.S. 398, 414 (2013). In Clapper, the Supreme Court found there was no substantial risk because plaintiffs' theory of injury and causal connection was too inferential and speculative to “satisfy the ‘fairly traceable' requirement. Id. at 413.
By contrast, the plaintiffs in Krottner did not rely on speculation or inferences to demonstrate a clear causal connection. The thief in Krottner stole a laptop that contained all the information required for the identity theft plaintiffs suffered. 628 F.3d at 1142. Article III requires “a causal connection between the injury and the conduct complained of-the injury has to be ‘fairly . . . trace[able] to the challenged action of the defendant, and not . . . th[e] result [of] the independent action of some third party not before the court.'” Lujan, 504 U.S. at 560-61 (quoting Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 41-42 (1976) (ellipses in original)).
Plaintiffs still cannot establish that Noblr's conduct caused them an injury in fact. Now or in the future, it would be difficult to trace any future identity theft or fraud to Noblr's specific Unauthorized Data Disclosure. Plaintiffs in fact concede that “[i]n most cases, stolen data is rarely attributed to the source when it is sold,” and that “stolen data is often obfuscated, parsed, and sold in pieces [and] also often combined with other stolen data, further making attribution to the source very difficult. (SAC ¶ 96.) Information is widely available on the internet and later data breaches could reveal more personal information. Moreover, Plaintiffs do not acknowledge that it would be difficult to commit fraud or identity theft with names, addresses, and driver's license numbers alone. See Antman II, 2018 WL 2151232, at *22 (concluding that “[w]ithout a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury”). Therefore, any supplemental, highly sensitive information used to commit future acts of identity theft or fraud could not be specifically traced back to the data exposed by the Unauthorized Data Disclosure.
Furthermore, although Plaintiff Au argues close temporal proximity, she cannot trace the data used for the fraudulent application to the Unauthorized Data Disclosure. Additionally, Plaintiff Au fails to allege a specific connection between the breach and the type of data used in the application. Even if the Unauthorized Data Disclosure occurred shortly before, Plaintiff Au still has not sufficiently showed that the fraudulent application was a result of the Unauthorized Data Disclosure itself. In fact, since Noblr's instant quote feature used information that was already available online, it is possible that the data used for the fraudulent application could have been obtained from a third-party or unrelated data breach.
Plaintiffs further allege that Noblr's delay in identifying and reporting the breach caused them additional harm. (SAC ¶ 51.) Delay of notification is insufficient to establish injury-in-fact. In re Adobe, 66 F.Supp.3d at 1218. In In re Adobe, the court determined that that Plaintiff had failed to allege injury in fact because Plaintiff had not traced any injury from the delayed notification. Id. at 1217. Moreover, the court in Antman II determined that “delay alone is not enough.” Antman II, 2018 WL 2151232, at *23 (citing Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 695 (7th Cir. 2015) (“delay in notification,” on its own, “is not a cognizable injury” that confers Article III standing on a plaintiff) (citing Price v. Starbucks Corp., 192 Cal.App.4th 1136, 1143 (2011)); In re Adobe, 66 F.Supp.3d at 1217-18 (concluding that the plaintiffs had not established Article III standing based on the defendant's alleged failure to reasonably notify them of the data breach because the plaintiffs did “not allege that they suffered any incremental harm as a result of the delay”).
Similar to the plaintiffs in In re Adobe, Plaintiffs have not alleged any specific injury traceable to Noblr because Plaintiffs do not allege that they suffered any incremental harm because of the delay. 66 F.Supp.3d at 1217. Plaintiffs have supplemented their complaint to add that the four-month delay prevented the police from detection or the Plaintiffs from beginning remedial action. (SAC ¶ 51.) However, the Court finds that Plaintiffs still have not traced any specific harm from Noblr's delayed notification and cannot show a nexus between the alleged harm flowing from the delayed notification and Noblr's actions. Accordingly, Plaintiffs have failed to adequately alleged causation.
3. Plaintiffs' Alleged Harm Will Not be Redressed By a Favorable Decision.
Plaintiffs argue that a favorable judicial decision will redress the harm caused by the Unauthorized Data Disclosure. “[I]t must be ‘likely,' as opposed to merely ‘speculative,' that the injury will be redressed by a favorable decision.” Lujan, 504 U.S. at 560-61 (internal quotations and citations omitted). Plaintiffs allege: (1) Noblr used unsafe and insecure methods of safeguarding Plaintiffs' PI, (SAC ¶¶ 55-56, 64); (2) Noblr had access to Plaintiffs' PI, (Id. ¶¶ 1822); (3) attackers could target Plaintiffs' PI, including their driver's licenses numbers and addresses, (Id. ¶¶ 21-27); and (4) attackers' access to driver's license information creates a strong risk of identity theft and fraud (Id. ¶ 27). Finally, Plaintiffs contend that Plaintiff Au's fraudulent unemployment benefits application supports the strong risk of identity theft and fraud.
As discussed above, Plaintiff Au cannot demonstrate that the data disclosed in the Unauthorized Data Disclosure was the basis for the fraudulent application. In addition, Plaintiff Au does not allege she experienced any cognizable injury because of that application or any employment benefits that may have been fraudulently obtained. The addition of facts regarding the darkweb and the diminution of the value of her PI does not change the Court's previous analysis.
Plaintiffs next argue that the Unauthorized Data Disclosure resulted in a strong risk or high likelihood of identity theft and fraud. Besides failing to demonstrate a strong risk of future identity theft, Plaintiffs also fail to explain how unknown future harm will occur. For instance, Plaintiffs do not explain how names, addresses, and driver's license numbers, without more sensitive information, can be used successfully to commit identity theft. It remains inappropriate for this Court to not only speculate about future harm, but whether a future decision would redress hypothetical harm.
Although Plaintiffs request injunctive relief, that relief would have little impact on the PI that was disclosed by the Unauthorized Data Disclosure. Injunctive or declaratory relief would not be able to redress any future harm of identity theft or fraud because it could not compel the hackers or Noblr to return the PI to Plaintiffs. Additionally, declaratory relief would not motivate Noblr to change its practices. Noblr already took immediate action to remedy its unintentional disclosure by changing its policies and masking driver's license numbers in the page source code. (SAC ¶ 25.)
CONCLUSION
For the foregoing reasons, Defendant's motion to dismiss is GRANTED. Because the Court has previously given Plaintiffs leave to amend, the Court finds dismissal with prejudice is appropriate. See Allen v. City of Beverly Hills, 911 F.2d 367, 373 (9th Cir. 1990). The Court shall issue a separate judgment and the Clerk is instructed to close the file.
IT IS SO ORDERED. .