Judge Jeffrey White of the Northern District of California recently dismissed a putative class action lawsuit in which plaintiffs claimed they faced an imminent threat of future of harm in the form of identity theft and fraud because their personal information, specifically their driver’s license numbers, may have been compromised in a data breach.  In doing so, the court determined that driver’s license numbers “are not as sensitive as social security numbers,” and that they don’t rise to the level of sensitive personal information “needed to establish a credible and imminent threat of future harm” for Article III standing. Greenstein et al v. Noblr Reciprocal Exchange, No. 4:2021cv04537 (N.D. Cal. 2022).

Noblr is one of a growing number of data breach-related cases in which courts must determine whether the theft or exposure of specific types (and combinations) of personal data establishes a credible threat of real and immediate harm sufficient to confer standing.  In making this determination, courts consider whether that type (or combination) of data is more or less likely to subject plaintiffs to risk of identity theft or fraud as well as the ability of the consumer to take action to reduce or eliminate the risk of harm caused by the theft.

There are a variety of opinions in this area, but, as an example, courts have generally found the theft or exposure of social security numbers to be more likely to subject plaintiffs to a credible threat of imminent harm, than theft of credit or debit card information, because a social security number derives its value in that it is “immutable” and can be used to commit identity theft and open new accounts without the need for much additional information.  Driver’s license numbers, however, appear to be treated differently.  While driver’s license numbers, like social security numbers, are difficult to change and derive value from their immutability, plaintiffs have not always been able to convince courts that without more there is a credible risk of identity theft or fraud that risks imminent injury.

Similar to the Noblr court, other federal courts in California have distinguished driver’s license numbers from social security numbers and dismissed claims at an early stage when limited personal information in the form of a driver’s license number is alleged to have been exposed. For example, in In re Uber Technologies., Inc., Data Sec. Breach Litigation, a Central District of California court in 2019 dismissed a proposed data-breach class action, with leave to amend, because the plaintiff failed to explain how a hack of basic contact information and driver’s license numbers, unlike social security numbers, create a credible threat of fraud or identity theft sufficient to allege injury in fact.  Similarly, in Antman v. Uber Technologies, Inc., a Northern District of California court held that the theft of Uber drivers’ names and driver’s license numbers, even combined with bank account and routing numbers, without more (like social security numbers), did “not plausibly amount to a credible threat of identity theft that risks real, immediate injury.”

However, not all Courts within the Ninth Circuit have subscribed to this reasoning:  A District of Nevada court, in Stallone v. Farmers Group, Inc., determined that a data breach that compromised plaintiff’s driver’s license number and address was sufficient to establish a credible risk of immediate harm where the breach was part of a concerted campaign by hackers to “pharm” and accumulate the personally identifiable information of plaintiff and other victims, and the information would likely be used to fraudulently apply for unemployment benefits, cultivate a fraudulent synthetic identity, or gain access to victim’s bank accounts and other personal information.

In sum, while opinions from California federal courts suggest they are becoming less sympathetic to future, unrealized harm stemming from data breaches, especially where social security numbers aren’t involved, other courts still seem willing to find the theft of less sensitive information, such as driver’s license numbers, sufficient to confer standing.  This is especially true when the plaintiff is able to convince the court that the exposed information can be used for identity theft, to rack up fraudulent charges, or gain access to additional personal information.

We will be watching this space for further developments, as the Ninth Circuit will likely need to weigh in on this issue to ensure that the circuit uses a single, unified approach. It is also important to note that these evolving court decisions focus on standing and harm associated with data breaches.  These decisions do not eliminate a company’s privacy and cybersecurity compliance obligations, including the requirements to provide privacy notices, to be transparent and accurate regarding the company’s collection, use, disclosure and storage of personal information and a company’s requirement to respond to consumer requests under certain state privacy laws such as the California Consumer Privacy Act of 2018.

Photo of Margaret A. Dale Margaret A. Dale

Margaret Dale is a trial lawyer and first-chair litigator handling complex business disputes across a wide variety of industries, including: consumer products, media and entertainment, financial services, telecommunications and technology, and higher education. She is a former vice-chair of the Litigation Department, and…

Margaret Dale is a trial lawyer and first-chair litigator handling complex business disputes across a wide variety of industries, including: consumer products, media and entertainment, financial services, telecommunications and technology, and higher education. She is a former vice-chair of the Litigation Department, and heads the Department’s Data Privacy and Cybersecurity Practice Group. Margaret has been recognized since 2017 in Benchmark Litigation’s Top 250 Women in Litigation.

Margaret’s practice covers the spectrum of complex commercial disputes, including privacy and data security matters, as well as disputes involving M&A, intellectual property, bankruptcy and insolvency, securities, corporate governance, and asset management.

Margaret regularly counsels clients before litigation commences to assess risk, adopt strategies to minimize or deflect disputes, and resolve matters without going to court.

Margaret is a frequent writer, including authoring a regular column on corporate and securities law in the New York Law Journal. She also serves as the lead editor of Proskauer’s blog on commercial litigation, Minding Your BusinessShe also authored the chapter titled “Privileges” in the treatise Commercial Litigation in New York State Courts (Haig, 5th ed.), as well as the chapter titled “Data Breach Litigation” in PLI’s Proskauer on Privacy.

Margaret maintains an active pro bono practice advocating on issues relating to women, children and veterans. She serves on the Board of Directors of CFR (Center for Family Representation), VLA (Volunteer Lawyers for the Arts), JALBC (Judges and Lawyers Breast Cancer Alert), and the City Bar Fund.

Photo of Nolan Goldberg Nolan Goldberg

Nolan M. Goldberg is a partner in the Litigation Department, co-head of the Data Privacy and Cybersecurity Litigation Group, and a member of the Patent Law Group. His practice focuses on technology-centric litigation, arbitration (including international arbitrations), investigations and counseling, covering a range…

Nolan M. Goldberg is a partner in the Litigation Department, co-head of the Data Privacy and Cybersecurity Litigation Group, and a member of the Patent Law Group. His practice focuses on technology-centric litigation, arbitration (including international arbitrations), investigations and counseling, covering a range of types of disputes, including cybersecurity, intellectual property, and commercial.  Nolan’s understanding of technology allows him to develop defenses and strategies that might otherwise be overlooked or less effective and enhances the “story telling” that is critical to bringing a dispute to a successful conclusion.

Nolan is a registered patent attorney before the U.S. Patent & Trademark Office; and an International Association of Privacy Professionals (IAPP) Certified Information Privacy Professional, United States (US CIPP) and Certified Information Privacy Technologist (US CIPT).

Cybersecurity

Nolan’s electrical engineering background, coupled with a litigation and risk management-centric focus, allows him to assist companies in all phases of incident response. Nolan often acts as a bridge between the technical and legal response teams (both inside and outside forensic consultants). Nolan uses this deep familiarity with the company and its systems to defend the company in litigations, arbitrations and regulatory investigations, including before the Federal Communications Commission (FCC); Federal Trade Commission (FTC) and before various State’s Attorneys General, including Multi-State investigations.

Nolan has worked on incidents that range from simple phishing attacks on e-mail accounts by cyber-criminals to intrusions by (formerly) trusted inside employees to complex technical breaches of hosted systems by state-sponsored advanced persistent threats (APTs). These incidents have involved both client systems, and systems of a vendor of a client that hosted its data.

It is often the case (both in response to an incident and for other reasons) that a company will want to undertake an assessment of its security posture, but has concerns about the discoverability of any such analysis.  Accordingly, Nolan also frequently assists companies’ scope and conduct privileged security assessments, including “dual purpose” assessments where privileged analysis are also used for ordinary-course purposes.

Commercial Disputes

Nolan also assists companies with commercial disputes, particularly in cases where there is a technology component, including disputes arising from hosted software agreements; outsourcing and managed services agreements; software and technology development agreements and the dissolution of joint ventures.  When these disputes cannot be amicably resolved, Nolan has litigated them in State and Federal Court and in arbitrations, including international arbitrations.

Intellectual Property

Nolan’s work has included numerous patent and trade secret litigations and negotiations, primarily in cases involving computer and network-related technologies. In particular, the litigations have involved at least the following technologies: hosted software; telecommunications, computer networking; network and computer-related security hardware and software; microprocessors, voice-over Internet protocol (“VoIP”); bar code scanners  financial business methods and software, including securities settlement, fail management and trade execution and reporting software; data compression; handheld computers; pharmaceuticals; cardiac electro-stimulatory devices and prosthetics.

Nolan also has experience prosecuting patent applications before the U.S. Patent and Trademark Office in encryption, CMOS, HDTV, virtual private networks (“VPN”), e-commerce, XML/XSL, financial instruments, semiconductor electronics, medical device technology, inventory control and analysis, cellular communications, Check 21 and business methods. Nolan also has conducted numerous freedom-to-operate searches, written opinions, and counseled clients in the areas of bar code scanners, imaging, book publishing, computer networking, business methods, Power Over Ethernet (“PoE”), and digital content distribution.

He has assisted in evaluating patents for inclusion in patent pools involving large consumer electronics and entertainment companies concerning CD and DVD technology.

Computer Forensics and Electronic Discovery

Nolan is often called upon to develop e-discovery strategies to be used in all types of litigations, with a particular focus on selecting appropriate tools, developing proportionate discovery plans, cross border electronic discovery, managing the overall burden and cost of the electronic discovery process, and obtaining often overlooked electronic evidence, including computer forensics. He also assists clients to develop and implement information management programs to reduce expense and risk, meet compliance obligations, and tame e-discovery burdens.

Thought Leadership

Nolan has authored numerous articles and given numerous presentations on emerging issues and trends in both technology and law, and has often been called upon to comment on various media outlets including Business Week, IPlaw360, IT Business Edge, CIO.com, Forbes, and The National Law Journal.

Prior to practicing law, Nolan was a computer specialist at Underwriters Laboratories (UL).

Photo of Amy Gordon Amy Gordon

Amy Gordon is an associate in the Litigation Department and a member of the Mass Torts & Product Liability group. Amy’s practice focuses on a wide range of complex civil and commercial litigation matters, including product liability defense, class action defense, privacy and…

Amy Gordon is an associate in the Litigation Department and a member of the Mass Torts & Product Liability group. Amy’s practice focuses on a wide range of complex civil and commercial litigation matters, including product liability defense, class action defense, privacy and data security, and telecommunications disputes. She is also a member of the litigation team representing the Financial Oversight and Management Board in the Commonwealth of Puerto Rico’s bankruptcy proceedings.

In addition, Amy advises clients across industries on economic sanctions and asset forfeiture related issues.

Amy earned her J.D. from the University of Texas School of Law, where she was a Cybersecurity Graduate Fellow and served as Chief Notes Editor for The Review of Litigation. During law school, Amy interned for the Honorable Nicholas G. Garaufis in the United States District Court for the Eastern District of New York.