Uber Dodges Class Action Over Driver ID Theft

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Oct. 20 — Uber Technologies Inc. Oct. 19 dodged a class action lawsuit filed by a former driver accusing the company of failing to implement and maintain reasonable security procedures, thereby allowing hackers to steal more than 50,000 drivers' personal information.

Dismissing the first amended class action complaint without prejudice, Judge Laurel Beeler of the U.S. District Court for the Northern District of California held that the plaintiff's allegations of theft of only names and driver's license numbers are insufficient to confer standing.

The court recounted that plaintiff Sasha Antman previously worked as an Uber driver until September 2013. In May 2014, an unknown hacker breached into Uber's computer systems and downloaded filed containing its drivers' private information. On June 2, 2014, the plaintiff alleged, an unknown person used his private information to apply for a credit card, which now appears on his credit report. However, it wasn't until March 2015 that Antman received a notification from Uber informing him that his private information was disclosed during the data breach.

No Credible Risk of Identify Theft

In the class action complaint, Antman alleged that due to the data breach, he and other class members now face “years of constant surveillance of their financial and personal records.” Moving to dismiss the complaint, Uber argued that Antman failed to sufficiently plead injury in fact or show a causal connection.

The plaintiff doesn't allege any fraudulent credit charges or loss of use or credit, the court said. Therefore, the alleged harm consists of unauthorized application for a credit card and ongoing monitoring.

Under the controlling case in the Ninth Circuit—Krottner v. Starbucks Corp., 628 F.3d 1139( 9th Cir. 2010)—the court said, “if the risk of identify theft is credible, real, and immediate, it is injury in fact that confers standing.”

Based on this standard, the plaintiff's allegations aren't sufficient, the court here concluded. “Without a hack of information such as social security numbers, account numbers, or credit card numbers,” the court said, “there is no obvious, credible risk of identify theft that risks real, immediate injury.” Mitigation expenses, such as spending time checking credit reports, don't qualify as injury, the court added, saying that the risk of identity theft must first be “real and imminent, and not speculative.”

The court also said that the plaintiff failed to plausibly allege that Uber's actions caused his injury.

Ahdoot & Wolfson PC represented the plaintiff. Gibson, Dunn & Crutcher LLP represented Uber.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com