Ninth Circuit affirms dismissal of data breach class action complaint against Eversheds Sutherland client

In January 2021, unknown hackers manipulated Noblr’s online quote tool in an apparent attempt to obtain consumers’ driver’s license numbers (DLNs). Three individuals who received breach notifications from Noblr filed a class action complaint in the Northern District of California in 2021 alleging that Noblr failed to implement reasonable security measures, leading to the exposure of their DLNs and other information. The plaintiffs asserted claims for negligence and violation of the Driver’s Privacy Protection Act (DPPA) and sought injunctive and declaratory relief under California’s Unfair Competition Law. The DPPA claim allows for recovery of up to $2,500 per violation. 

Noblr filed a combined Rule 12(b)(1) and (b)(6) motion to dismiss the plaintiffs’ first complaint in 2021. The district court granted the Rule 12(b)(1) motion for lack of Article III standing, finding that the plaintiffs failed to allege an actual or imminent injury fairly traceable to Noblr’s conduct. The plaintiffs amended their complaint and the district court granted Noblr’s second motion to dismiss on the same grounds as the first motion. 

The plaintiffs appealed to the US Circuit Court of Appeals for the Ninth Circuit. 

Appeal to the Ninth Circuit
 
In addition to restating their arguments at the district court level, on appeal the plaintiffs argued that the district court failed to address their argument that the DPPA provides an independent basis for Article III standing. Oral argument was held on February 14, 2024. The Ninth Circuit affirmed dismissal of the complaint on August 21, 2024. 

The court made three key holdings. First, it found the plaintiffs did not allege an actual injury or imminent risk of injury. Second, the court held that a purported violation of the DPPA does not confer standing on its own. A key focal point of Noblr’s oral argument was that the disclosure of driver’s license numbers is not as offensive or objectionable as the conduct contemplated by common law tort claims. The Ninth Circuit agreed, and rejected the plaintiffs’ argument that their DPPA claim was analogous to the torts of intrusion upon seclusion, invasion of privacy, or public disclosure of private facts. 

Third, the Ninth Circuit held that even if the plaintiffs had alleged an actual or imminent injury, such injury was not fairly traceable to Noblr’s conduct. The plaintiffs have no further opportunity to amend. 
 
In that key holding, the Ninth Circuit noted the inherent flaw in many data breach complaints: it is nearly impossible to conclude that a person’s data was stolen in a particular attack when data theft has become so commonplace. As a result, the plaintiffs could not trace past or future identity theft to the specific theft of information from Noblr’s system.

 
The plaintiffs have no further opportunity to amend, bringing to an end the three and a half year-long litigation.

Noblr was represented in the litigation by Eversheds Sutherland attorneys Frank Nolan, Jim Silliman, and Amy Albanese. 

__________


If you have any questions about this Legal Briefing, please feel free to contact any of the attorneys listed or the Eversheds Sutherland attorney with whom you regularly work.