Uber suffered a data breach in 2014 resulting in the compromise of more than 50,000 drivers’ personal information, including back account and social security numbers. Drivers brought a class action suit in federal court in the U.S. District Court for the Northern District of California. On May 10, a judge tossed the suit for a third time for lack of standing because the two named plaintiffs failed to allege that they suffered an injury in fact.
The first named plaintiff alleged only that hackers stole his driver’s license information and bank account number and the second named plaintiff alleged only the theft of his driver’s license information. The court held that these allegations do not establish a material risk of identity theft. Further, the court concluded that the class action could not proceed since neither of the named plaintiffs could establish standing, despite the allegations of harm of the unnamed class members. Fortunately for Uber, the court granted the motion to dismiss with prejudice, preventing the plaintiffs from filing a fourth amended complaint.
If defending a class action data breach suit, this decision is a reminder of the importance of analyzing the specific claims of the named plaintiffs and seeking dismissal of the entire action if the named plaintiffs cannot meet standing requirements.
We have been tracking the issue of standing in data breach litigation cases. Click here to see our earlier posts about standing.