Privacy & Information Security Law Blog

The United States District Court for the Northern District of California recently dismissed―without prejudice―a former Uber driver’s class action complaint. The driver, Sasha Antman, was one of roughly 50,000 drivers whose personal information was exposed during a May 2014 data breach. Uber contended the accessed files contained only the affected individuals’ names and drivers’ license numbers.

In the complaint, Antman alleged that the breach resulted in, among other injuries, an unauthorized attempt to open a credit card and ongoing monitoring expenses. He did not, however, allege any fraudulent credit charges or loss of use of credit. Antman brought claims under California law for: (1) unfair competition and (2) the failure to implement and maintain reasonable security procedures. Uber moved to dismiss under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). Below are highlights from the District Court’s ruling.

Lack of Standing under 12(b)(1)

The District Court found that the complaint failed to establish standing under both the “injury-in-fact” and “causal connection” inquiries. Although the court reaffirmed that the Ninth Circuit’s Krottner v. Starbucks decision remained controlling post-Clapper, it nevertheless rejected Antman’s injury-in-fact argument. Specifically, without the exposure of Social Security numbers (“SSN”), financial account numbers or credit card numbers, the court indicated “there is no obvious, credible risk of identity theft that risks real, immediate injury.” Likewise, the court believed that no causal connection existed because Antman did not allege that his SSN, which was required for the unauthorized credit application in question, was breached.

Failure to State a Claim under 12(b)(6)

Additionally, the court found that Antman failed to show a cognizable injury necessary to survive Uber’s 12(b)(6) motion based on statutory standing due to the lack of a causal relationship between the breach and the unauthorized credit card application. Further, while Antman alleged that he was a California resident when he was an Uber driver, he did not allege he was a California resident at the time of the breach. Given the standing rulings, the court declined to opine on the timing of his residency.

Antman will have 28 days to amend his complaint.