The online car service Uber recently convinced a California-based federal court to dismiss a proposed class action filed on behalf of a nationwide class of Uber drivers. The drivers sought to hold Uber liable for damages allegedly arising from a data breach that disclosed the drivers' personal information. And while Uber is no doubt happy with the dismissal, the court didn’t buy Uber’s argument in its entirety. And that could make for some interesting developments down the road.
Although the hacking activity began in May of 2014, Uber didn’t discover the data breach until September 2014. For some reason, it waited until February 27, 2015 to disclose what it knew. Uber did so in a press release that stated in part:
In late 2014, we identified a one-time access of an Uber database by an unauthorized third party. A small percentage of current and former Uber driver partner names and driver's license numbers were contained in the database. Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access. We are notifying impacted drivers, but we have not received any reports of actual misuse of information as a result of this incident. Uber takes seriously our responsibility to safeguard personal information, and we are sorry for any inconvenience this incident may cause. In addition, today we filed a lawsuit that will enable us to gather information to help identify and prosecute this unauthorized third party.
Uber provided a free one-year membership in Experian's ProtectMyID Alert program to any affected drivers. That was apparently not enough to stave off a lawsuit.
A driver named Sasha Antman alleged that in June 2014, an unknown and unauthorized person used Antman’s private information to apply for a credit card with Capital One. That application appears on Antman’s credit report. According to Mr. Antman, he and his fellow class members “now face years of constant surveillance of their financial and personal records, monitoring, and loss of rights. The Class is incurring and will continue to incur such damages in addition to any fraudulent credit and debit card charges incurred by them and the resulting loss of use of their credit and access to funds, whether or not such charges are ultimately reimbursed by the credit card companies.”
Uber filed a motion to dismiss on a fairly basic ground – Mr. Antman suffered no “injury in fact.” According to Uber, Antman’s identity had not been stolen, and he’d not lost any money. According to Uber, Antman alleged a “threat” of harm, but no actual harm. And for purposes of standing, a plaintiff must have suffered a real injury. Courts aren’t in the business of deciding hypothetical lawsuits.
The court, however, didn’t buy this argument. In the court’s view, “a credible threat of immediate identity theft based on stolen data” is sufficient to meet the actual harm requirement. It is different from more speculative claims of general anxiety about identity theft. Here, the fact that someone actually had applied for a card using Antman’s information meant the threat was more than speculative.
But that didn’t end the inquiry. In the unique facts presented here, Antman couldn’t establish a relationship between the Uber data breach and the threat. According to the court, Mr. Antman “alleged only the theft of names and driver's licenses. Without a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.” In other words, while the identity theft threat may have been “immediate,” it wasn’t credible because the thief couldn’t have pulled it off with the information stolen from Uber. As a result, Uber wins in a close call.
Deeming a threat of harm the equivalent of actual harm is an important ruling in the data privacy world. In the past, courts have thrown out cases where the plaintiff failed to demonstrate actual financial loss. Uber dodged the bullet only because the hack wasn’t as extensive as it might have been. But companies that store personal information which could actually facilitate an identity theft should take note. It may be a little easier for plaintiffs to proceed than it used to be.