Skip to content

Menu

LexBlog, Inc. logo
CommunitySub-MenuPublishersChannelsProductsSub-MenuBlog ProBlog PlusBlog PremierMicrositeSyndication PortalsAboutContactResourcesSubscribeSupport
Join
Search
Close

Standing to Sue: Is Theft of Drivers’ License Numbers Sufficient to Allege Imminent Threat of Future Harm?

By Ryan Blaney, Margaret A. Dale, Nolan Goldberg & Amy Gordon on December 16, 2022
Email this postTweet this postLike this postShare this post on LinkedIn

Judge Jeffrey White of the Northern District of California recently dismissed a putative class action lawsuit in which plaintiffs claimed they faced an imminent threat of future of harm in the form of identity theft and fraud because their personal information, specifically their driver’s license numbers, may have been compromised in a data breach.  In doing so, the court determined that driver’s license numbers “are not as sensitive as social security numbers,” and that they don’t rise to the level of sensitive personal information “needed to establish a credible and imminent threat of future harm” for Article III standing. Greenstein et al v. Noblr Reciprocal Exchange, No. 4:2021cv04537 (N.D. Cal. 2022).

Noblr is one of a growing number of data breach-related cases in which courts must determine whether the theft or exposure of specific types (and combinations) of personal data establishes a credible threat of real and immediate harm sufficient to confer standing.  In making this determination, courts consider whether that type (or combination) of data is more or less likely to subject plaintiffs to risk of identity theft or fraud as well as the ability of the consumer to take action to reduce or eliminate the risk of harm caused by the theft.

There are a variety of opinions in this area, but, as an example, courts have generally found the theft or exposure of social security numbers to be more likely to subject plaintiffs to a credible threat of imminent harm, than theft of credit or debit card information, because a social security number derives its value in that it is “immutable” and can be used to commit identity theft and open new accounts without the need for much additional information.  Driver’s license numbers, however, appear to be treated differently.  While driver’s license numbers, like social security numbers, are difficult to change and derive value from their immutability, plaintiffs have not always been able to convince courts that without more there is a credible risk of identity theft or fraud that risks imminent injury.

Similar to the Noblr court, other federal courts in California have distinguished driver’s license numbers from social security numbers and dismissed claims at an early stage when limited personal information in the form of a driver’s license number is alleged to have been exposed. For example, in In re Uber Technologies., Inc., Data Sec. Breach Litigation, a Central District of California court in 2019 dismissed a proposed data-breach class action, with leave to amend, because the plaintiff failed to explain how a hack of basic contact information and driver’s license numbers, unlike social security numbers, create a credible threat of fraud or identity theft sufficient to allege injury in fact.  Similarly, in Antman v. Uber Technologies, Inc., a Northern District of California court held that the theft of Uber drivers’ names and driver’s license numbers, even combined with bank account and routing numbers, without more (like social security numbers), did “not plausibly amount to a credible threat of identity theft that risks real, immediate injury.”

However, not all Courts within the Ninth Circuit have subscribed to this reasoning:  A District of Nevada court, in Stallone v. Farmers Group, Inc., determined that a data breach that compromised plaintiff’s driver’s license number and address was sufficient to establish a credible risk of immediate harm where the breach was part of a concerted campaign by hackers to “pharm” and accumulate the personally identifiable information of plaintiff and other victims, and the information would likely be used to fraudulently apply for unemployment benefits, cultivate a fraudulent synthetic identity, or gain access to victim’s bank accounts and other personal information.

In sum, while opinions from California federal courts suggest they are becoming less sympathetic to future, unrealized harm stemming from data breaches, especially where social security numbers aren’t involved, other courts still seem willing to find the theft of less sensitive information, such as driver’s license numbers, sufficient to confer standing.  This is especially true when the plaintiff is able to convince the court that the exposed information can be used for identity theft, to rack up fraudulent charges, or gain access to additional personal information.

We will be watching this space for further developments, as the Ninth Circuit will likely need to weigh in on this issue to ensure that the circuit uses a single, unified approach. It is also important to note that these evolving court decisions focus on standing and harm associated with data breaches.  These decisions do not eliminate a company’s privacy and cybersecurity compliance obligations, including the requirements to provide privacy notices, to be transparent and accurate regarding the company’s collection, use, disclosure and storage of personal information and a company’s requirement to respond to consumer requests under certain state privacy laws such as the California Consumer Privacy Act of 2018.

Photo of Ryan Blaney Ryan Blaney

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a…

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including the Hatch- Waxman Act and Biosimilars Price Competition and Innovations Act.

Ryan serves information technology companies, public and private health care companies, hospitals and physician organizations, manufacturers, medical device companies, and health plans. He guides venture capital groups, private equity funds, investment banks, and other investors on health care regulatory issues in connection with financing, mergers and acquisitions, and restructuring.

Ryan’s work is greatly informed by his experience as a teacher. Prior to attending law school, Ryan earned a master’s degree in education and taught at an under-resourced Catholic middle school. He is known for his ability to communicate clearly and to coordinate large teams working on complex matters. Outside of his health law practice, Ryan has been repeatedly recognized for his public service and pro bono work. He has successfully handled numerous education-related cases, helped establish three nonprofit organizations and defended qualified recipients of disability benefits.

Read more about Ryan BlaneyEmail
Show more Show less
Photo of Margaret A. Dale Margaret A. Dale

Margaret Dale is a versatile first-chair litigator who handles different types of complex business disputes for a wide variety of clients across many industries.

While her practice is diverse, she regularly handles privacy and data security matters, including regulatory investigations and class action…

Margaret Dale is a versatile first-chair litigator who handles different types of complex business disputes for a wide variety of clients across many industries.

While her practice is diverse, she regularly handles privacy and data security matters, including regulatory investigations and class action lawsuits stemming from data breaches. She also focuses on intellectual property, where she represents individual artists and arts-related organizations and museums. With respect to securities and corporate governance, Margaret handles SEC enforcement proceedings, shareholder and partnership disputes, stock option, warrant and preferred stock matters, escrow fights and Delaware 220 actions, as well as regulatory and internal investigations.

Read more about Margaret A. DaleEmail
Show more Show less
Photo of Nolan Goldberg Nolan Goldberg

Nolan M. Goldberg is a partner in the Litigation Department, co-head of the Data Privacy and Cybersecurity Litigation Group, and a member of the Patent Law Group. His practice focuses on technology-centric litigation, arbitration (including international arbitrations), investigations and counseling, covering a range…

Nolan M. Goldberg is a partner in the Litigation Department, co-head of the Data Privacy and Cybersecurity Litigation Group, and a member of the Patent Law Group. His practice focuses on technology-centric litigation, arbitration (including international arbitrations), investigations and counseling, covering a range of types of disputes, including cybersecurity, intellectual property, and commercial.  Nolan’s understanding of technology allows him to develop defenses and strategies that might otherwise be overlooked or less effective and enhances the “story telling” that is critical to bringing a dispute to a successful conclusion.

Nolan is a registered patent attorney before the U.S. Patent & Trademark Office; and an International Association of Privacy Professionals (IAPP) Certified Information Privacy Professional, United States (US CIPP) and Certified Information Privacy Technologist (US CIPT).

Cybersecurity

Nolan’s electrical engineering background, coupled with a litigation and risk management-centric focus, allows him to assist companies in all phases of incident response. Nolan often acts as a bridge between the technical and legal response teams (both inside and outside forensic consultants). Nolan uses this deep familiarity with the company and its systems to defend the company in litigations, arbitrations and regulatory investigations, including before the Federal Communications Commission (FCC); Federal Trade Commission (FTC) and before various State’s Attorneys General, including Multi-State investigations.

Nolan has worked on incidents that range from simple phishing attacks on e-mail accounts by cyber-criminals to intrusions by (formerly) trusted inside employees to complex technical breaches of hosted systems by state-sponsored advanced persistent threats (APTs). These incidents have involved both client systems, and systems of a vendor of a client that hosted its data.

It is often the case (both in response to an incident and for other reasons) that a company will want to undertake an assessment of its security posture, but has concerns about the discoverability of any such analysis.  Accordingly, Nolan also frequently assists companies’ scope and conduct privileged security assessments, including “dual purpose” assessments where privileged analysis are also used for ordinary-course purposes.

Commercial Disputes

Nolan also assists companies with commercial disputes, particularly in cases where there is a technology component, including disputes arising from hosted software agreements; outsourcing and managed services agreements; software and technology development agreements and the dissolution of joint ventures.  When these disputes cannot be amicably resolved, Nolan has litigated them in State and Federal Court and in arbitrations, including international arbitrations.

Intellectual Property

Nolan’s work has included numerous patent and trade secret litigations and negotiations, primarily in cases involving computer and network-related technologies. In particular, the litigations have involved at least the following technologies: hosted software; telecommunications, computer networking; network and computer-related security hardware and software; microprocessors, voice-over Internet protocol (“VoIP”); bar code scanners  financial business methods and software, including securities settlement, fail management and trade execution and reporting software; data compression; handheld computers; pharmaceuticals; cardiac electro-stimulatory devices and prosthetics.

Nolan also has experience prosecuting patent applications before the U.S. Patent and Trademark Office in encryption, CMOS, HDTV, virtual private networks (“VPN”), e-commerce, XML/XSL, financial instruments, semiconductor electronics, medical device technology, inventory control and analysis, cellular communications, Check 21 and business methods. Nolan also has conducted numerous freedom-to-operate searches, written opinions, and counseled clients in the areas of bar code scanners, imaging, book publishing, computer networking, business methods, Power Over Ethernet (“PoE”), and digital content distribution.

He has assisted in evaluating patents for inclusion in patent pools involving large consumer electronics and entertainment companies concerning CD and DVD technology.

Computer Forensics and Electronic Discovery

Nolan is often called upon to develop e-discovery strategies to be used in all types of litigations, with a particular focus on selecting appropriate tools, developing proportionate discovery plans, cross border electronic discovery, managing the overall burden and cost of the electronic discovery process, and obtaining often overlooked electronic evidence, including computer forensics. He also assists clients to develop and implement information management programs to reduce expense and risk, meet compliance obligations, and tame e-discovery burdens.

Thought Leadership

Nolan has authored numerous articles and given numerous presentations on emerging issues and trends in both technology and law, and has often been called upon to comment on various media outlets including Business Week, IPlaw360, IT Business Edge, CIO.com, Forbes, and The National Law Journal.

Prior to practicing law, Nolan was a computer specialist at Underwriters Laboratories (UL).

Read more about Nolan GoldbergEmail
Show more Show less
Photo of Amy Gordon Amy Gordon

Amy Gordon is an associate in the Litigation Department.

Read more about Amy GordonEmail
  • Posted in:
    Featured Posts, Privacy & Data Security
  • Blog:
    Proskauer on Privacy
  • Organization:
    Proskauer Rose LLP
  • Article: View Original Source
LexBlog, Inc. logo
Facebook LinkedIn Twitter RSS
Real Lawyers
99 Park Row
  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service
  • Products
  • Blog Pro
  • Blog Plus
  • Blog Premier
  • Microsite
  • Syndication Portals
  • LexBlog Community
  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center

New to the Network

  • Innocelf Knowledge
  • Labor & Employment Blog
  • Morea Law Blog
  • Privacy World
  • Known Trends
Copyright © 2023, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo