NOT FOR PUBLICATION FILED UNITED STATES COURT OF APPEALS AUG 21 2024 MOLLY C. DWYER, CLERK U.S. COURT OF APPEALS FOR THE NINTH CIRCUIT
MICHAEL GREENSTEIN; CYNTHIA No. 22-17023 NELSON; SINKWAN AU, individually and on behalf of themselves and all other persons D.C. No. similarly situated, 4:21-cv-04537-JSW
Plaintiffs-Appellants, MEMORANDUM* v.
Noblr Reciprocal Exchange, a Colorado corporation,
Defendant-Appellee.
Appeal from the United States District Court for the Northern District of California Jeffrey S. White, Senior District Judge, Presiding
Argued and Submitted February 14, 2024 San Francisco, California
Before: MILLER, BADE, and VANDYKE, Circuit Judges.
Plaintiffs-Appellants Michael Greenstein, Cynthia Nelson, and Sinkwan Au
filed this putative class action against Defendant-Appellee Noblr Reciprocal
Exchange after their driver’s license numbers were targeted in a cyberattack. The
* This disposition is not appropriate for publication and is not precedent except as provided by Ninth Circuit Rule 36-3. attackers, whose identities remain anonymous, conducted the attack by manipulating
Noblr’s online insurance quote system to gain access to an unknown number of
victims’ driver’s license numbers. Greenstein and Nelson have not alleged any
misuse of their driver’s license numbers after the attack, while Au has alleged that
her driver’s license number was used in an unsuccessful application for New York
unemployment benefits shortly thereafter. Plaintiffs allege negligence and
violations of federal and state consumer protection law, 18 U.S.C. § 2724 (“DPPA”),
Cal. Bus. & Prof. Code § 17200 et seq. (“UCL”). They seek damages as well as
declaratory and injunctive relief.
After Noblr filed its first motion to dismiss, the district court dismissed
Plaintiffs’ claims on standing grounds with leave to amend. Plaintiffs amended their
class complaint in response, and Noblr again moved to dismiss. The district court
again dismissed Plaintiffs’ claims for lack of standing, this time with prejudice. “We
review a district court’s dismissal under Rule 12(b)(1) for lack of standing de novo,”
Unified Data Servs., LLC v. Fed. Trade Comm’n, 39 F.4th 1200, 1209 (9th Cir.
2022), and we affirm.
To establish standing, a plaintiff must allege an injury in fact that is fairly
traceable to the defendant and likely redressable by a favorable judicial decision.
Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). The injury must be “concrete,
particularized, and actual or imminent.” TransUnion LLC v. Ramirez, 594 US. 413,
2 423 (2021). “On appeal from a motion to dismiss, a plaintiff need only show that
the facts alleged, if proven, would confer standing.” Krottner v. Starbucks Corp.,
628 F.3d 1139, 1141 (9th Cir. 2010).
Plaintiffs argue they have satisfied their burden to plead an injury in fact by
alleging an increased risk of future identity theft stemming from the cyberattack.
Under Krottner, plaintiffs “whose personal information has been stolen but not
misused” can establish injury if they “face[] a credible threat of harm, and that harm
is both real and immediate, not conjectural or hypothetical.” Id. at 1143 (internal
quotation marks and citations omitted). Put another way, “the sensitivity of the
personal information, combined with its theft,” can establish an injury when it
creates “a substantial risk that the [] hackers will commit identity fraud or identity
theft” in the future. In re Zappos.com, Inc., 888 F.3d 1020, 1027, 1029 (9th Cir.
2018).
Here, however, Plaintiffs cannot rely on the future risk of identity theft to
establish an actual or imminent injury because unlike the plaintiffs in Krottner and
Zappos, they have not adequately alleged their driver’s license numbers were among
those stolen in the attack on Noblr’s quote system. Their allegations rely heavily on
a notice Noblr sent to 97,633 individuals—including Plaintiffs—several months
after the attack. But the description of the attack provided in the Notice, which
accounts for the bulk of the factual allegations included in the complaint, is
3 ultimately insufficient to establish that Plaintiffs’ driver’s license numbers were
stolen.
While the Notice does confirm that “the attackers were able to access driver’s
license numbers,” it stops short of confirming that any individual recipient of the
Notice had his or her driver’s license number stolen. It does not confirm which or
how many driver’s license numbers were accessed, nor does it confirm whether the
driver’s license numbers of all 97,633 recipients of the Notice were taken from
Noblr’s website. Instead, in explaining “[w]hat [i]nformation [w]as [i]nvolved,” the
Notice states only that each recipient’s “name, driver’s license number, and address
may have been accessed.” (emphasis added). After reading the Notice, all that a
reasonable reader would know for certain is that Noblr suffered a cyberattack, some
driver’s license numbers were taken as a result, and his own driver’s license number
may (or may not) have been among those stolen. Aside from the factual allegations
pulled from the Notice, Plaintiffs provide no additional allegations that might
provide a credible basis to conclude their driver’s license numbers were taken.1
1 Plaintiffs’ contention that their driver’s license numbers were published in Noblr’s website’s source code and publicly available to steal en masse, for example, is contradicted by the version of events included in the Notice, which explains that the attack was conducted by manipulating the online quote system on an individual, query-by-query basis that would have required the hackers to already have other personal information about the victims in their possession. See Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001) (explaining that the court need not accept as true allegations that are contradicted).
4 Plaintiffs’ allegations reflect the uncertainty associated with the version of
events contained in the Notice. For example, Plaintiffs assert that “at least 97,633
people were affected” by the cyberattack, but they do not explain in what manner
each person was “affected.” Likewise, throughout the complaint Plaintiffs allege
that Noblr “exposed” their driver’s license numbers to third parties, but an “exposed”
driver’s license number is different from a “stolen” one. In similar fashion, Plaintiffs
state that their “driver’s license number[s] and address[es] may have been accessed,”
and frame the “actual injury” they suffered as stemming “from having [their] PI
exposed”—not from having it stolen. (emphasis added).
It is true that elsewhere in the complaint, Plaintiffs include at least some
affirmative allegations that their driver’s license numbers were stolen. But these
Free access — add to your briefcase to read the full text and ask questions with AI
NOT FOR PUBLICATION FILED UNITED STATES COURT OF APPEALS AUG 21 2024 MOLLY C. DWYER, CLERK U.S. COURT OF APPEALS FOR THE NINTH CIRCUIT
MICHAEL GREENSTEIN; CYNTHIA No. 22-17023 NELSON; SINKWAN AU, individually and on behalf of themselves and all other persons D.C. No. similarly situated, 4:21-cv-04537-JSW
Plaintiffs-Appellants, MEMORANDUM* v.
Noblr Reciprocal Exchange, a Colorado corporation,
Defendant-Appellee.
Appeal from the United States District Court for the Northern District of California Jeffrey S. White, Senior District Judge, Presiding
Argued and Submitted February 14, 2024 San Francisco, California
Before: MILLER, BADE, and VANDYKE, Circuit Judges.
Plaintiffs-Appellants Michael Greenstein, Cynthia Nelson, and Sinkwan Au
filed this putative class action against Defendant-Appellee Noblr Reciprocal
Exchange after their driver’s license numbers were targeted in a cyberattack. The
* This disposition is not appropriate for publication and is not precedent except as provided by Ninth Circuit Rule 36-3. attackers, whose identities remain anonymous, conducted the attack by manipulating
Noblr’s online insurance quote system to gain access to an unknown number of
victims’ driver’s license numbers. Greenstein and Nelson have not alleged any
misuse of their driver’s license numbers after the attack, while Au has alleged that
her driver’s license number was used in an unsuccessful application for New York
unemployment benefits shortly thereafter. Plaintiffs allege negligence and
violations of federal and state consumer protection law, 18 U.S.C. § 2724 (“DPPA”),
Cal. Bus. & Prof. Code § 17200 et seq. (“UCL”). They seek damages as well as
declaratory and injunctive relief.
After Noblr filed its first motion to dismiss, the district court dismissed
Plaintiffs’ claims on standing grounds with leave to amend. Plaintiffs amended their
class complaint in response, and Noblr again moved to dismiss. The district court
again dismissed Plaintiffs’ claims for lack of standing, this time with prejudice. “We
review a district court’s dismissal under Rule 12(b)(1) for lack of standing de novo,”
Unified Data Servs., LLC v. Fed. Trade Comm’n, 39 F.4th 1200, 1209 (9th Cir.
2022), and we affirm.
To establish standing, a plaintiff must allege an injury in fact that is fairly
traceable to the defendant and likely redressable by a favorable judicial decision.
Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). The injury must be “concrete,
particularized, and actual or imminent.” TransUnion LLC v. Ramirez, 594 US. 413,
2 423 (2021). “On appeal from a motion to dismiss, a plaintiff need only show that
the facts alleged, if proven, would confer standing.” Krottner v. Starbucks Corp.,
628 F.3d 1139, 1141 (9th Cir. 2010).
Plaintiffs argue they have satisfied their burden to plead an injury in fact by
alleging an increased risk of future identity theft stemming from the cyberattack.
Under Krottner, plaintiffs “whose personal information has been stolen but not
misused” can establish injury if they “face[] a credible threat of harm, and that harm
is both real and immediate, not conjectural or hypothetical.” Id. at 1143 (internal
quotation marks and citations omitted). Put another way, “the sensitivity of the
personal information, combined with its theft,” can establish an injury when it
creates “a substantial risk that the [] hackers will commit identity fraud or identity
theft” in the future. In re Zappos.com, Inc., 888 F.3d 1020, 1027, 1029 (9th Cir.
2018).
Here, however, Plaintiffs cannot rely on the future risk of identity theft to
establish an actual or imminent injury because unlike the plaintiffs in Krottner and
Zappos, they have not adequately alleged their driver’s license numbers were among
those stolen in the attack on Noblr’s quote system. Their allegations rely heavily on
a notice Noblr sent to 97,633 individuals—including Plaintiffs—several months
after the attack. But the description of the attack provided in the Notice, which
accounts for the bulk of the factual allegations included in the complaint, is
3 ultimately insufficient to establish that Plaintiffs’ driver’s license numbers were
stolen.
While the Notice does confirm that “the attackers were able to access driver’s
license numbers,” it stops short of confirming that any individual recipient of the
Notice had his or her driver’s license number stolen. It does not confirm which or
how many driver’s license numbers were accessed, nor does it confirm whether the
driver’s license numbers of all 97,633 recipients of the Notice were taken from
Noblr’s website. Instead, in explaining “[w]hat [i]nformation [w]as [i]nvolved,” the
Notice states only that each recipient’s “name, driver’s license number, and address
may have been accessed.” (emphasis added). After reading the Notice, all that a
reasonable reader would know for certain is that Noblr suffered a cyberattack, some
driver’s license numbers were taken as a result, and his own driver’s license number
may (or may not) have been among those stolen. Aside from the factual allegations
pulled from the Notice, Plaintiffs provide no additional allegations that might
provide a credible basis to conclude their driver’s license numbers were taken.1
1 Plaintiffs’ contention that their driver’s license numbers were published in Noblr’s website’s source code and publicly available to steal en masse, for example, is contradicted by the version of events included in the Notice, which explains that the attack was conducted by manipulating the online quote system on an individual, query-by-query basis that would have required the hackers to already have other personal information about the victims in their possession. See Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001) (explaining that the court need not accept as true allegations that are contradicted).
4 Plaintiffs’ allegations reflect the uncertainty associated with the version of
events contained in the Notice. For example, Plaintiffs assert that “at least 97,633
people were affected” by the cyberattack, but they do not explain in what manner
each person was “affected.” Likewise, throughout the complaint Plaintiffs allege
that Noblr “exposed” their driver’s license numbers to third parties, but an “exposed”
driver’s license number is different from a “stolen” one. In similar fashion, Plaintiffs
state that their “driver’s license number[s] and address[es] may have been accessed,”
and frame the “actual injury” they suffered as stemming “from having [their] PI
exposed”—not from having it stolen. (emphasis added).
It is true that elsewhere in the complaint, Plaintiffs include at least some
affirmative allegations that their driver’s license numbers were stolen. But these
allegations are conclusory and unsupported by their heavy reliance on the facts
contained in the Notice. Au, for example, alleges explicitly that “her driver’s license
number was stolen shortly before she experienced [the] fraudulent unemployment
claim.” And all three Plaintiffs allege that “the thieves … exfiltrate[d] individuals’
PI” and that “Plaintiffs[’] … PI was taken.” These definitive conclusions are
unwarranted in light of the uncertain version of events on which Plaintiffs have built
their complaint. “[T]he court [is not] required to accept as true allegations that are
merely conclusory, unwarranted deductions of fact, or unreasonable inferences.”
Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1008 (9th Cir. 2018).
5 Where, as here, Plaintiffs have not sufficiently alleged that their personal
information was actually stolen, they cannot rely on the increased risk such a theft
might have posed had it occurred. In Krottner, our court noted that we would “find
the threat far less credible” if the plaintiffs’ “allegations [were] more conjectural or
hypothetical—for example, if no laptop had been stolen, and Plaintiffs had sued
based on the risk that it would be stolen at some point in the future.” 628 F.3d at
1143. This case presents the kind of “far less credible” allegations envisioned by
Krottner. Plaintiffs’ standing argument, which is ultimately premised on a
“speculative chain of possibilities” about the potential consequences stemming from
the manipulation of Noblr’s online quote system, does not satisfy their burden of
pleading an actual or imminent injury. Clapper v. Amnesty Int’l USA, 568 U.S. 398,
414 (2013).
Because Plaintiffs have not established a sufficient risk of future harm, their
argument that they have alleged separate concrete harms stemming from that risk
also fails. Only when the risk of future harm is not speculative can the cost of
mitigation efforts form a basis for standing. Having alleged only a speculative risk
of harm, Plaintiffs “cannot manufacture standing merely by inflicting harm on
themselves based on their fears of hypothetical future harm that is not certainly
impending.” Clapper, 568 U.S. at 416.
6 Nor does the DPPA provide a basis for standing. Although Congress can
“elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that
were previously inadequate in law,” Lujan v. Defs. of Wildlife, 504 U.S. 555, 578
(1992), plaintiffs seeking to establish standing for such statutory harms must
“identif[y] a close historical or common-law analogue for their asserted injury,”
TransUnion LLC, 594 U.S. at 424. Plaintiffs seek to analogize their claims under
the DPPA to the common law torts of intrusion upon seclusion, invasion of privacy,
and public disclosure of private facts. But the disclosure of driver’s license numbers
is neither “highly offensive,” Hernandez v. Hillsides, Inc., 211 P.3d 1063, 1072 (Cal.
2009) (intrusion upon seclusion), “an egregious breach of the social norms,” id. at
1073 (quoting Hill v. Nat’l Collegiate Athletic Ass’n, 865 P.2d 633, 655 (Cal. 1994))
(invasion of privacy), nor “offensive and objectionable to the reasonable person,”
Shulman v. Grp. W Prods., Inc., 955 P.2d 469, 478 (Cal. 1998) (quoting Diaz v.
Oakland Trib., Inc., 188 Cal. Rptr. 762, 768 (Ct. App. 1983)) (public disclosure of
private facts).
Even assuming Plaintiff Au sufficiently pled injury by alleging that her
driver’s license number was used in the fraudulent application for unemployment
benefits in New York, Au has failed to establish that such injury is “‘fairly traceable’
to the conduct being challenged.” Zappos, 888 F.3d at 1029.
7 First, the unknown third parties who conducted the attack would have needed
to possess other information about Au—including her name and date of birth—
before the attack to steal her driver’s license number from Noblr’s website. Second,
under New York law, a Social Security number is required to apply for
unemployment benefits.2 N.Y. Comp. Codes R. & Regs. tit. 12, § 473.1(f) (“Each
claimant shall furnish his/her Social Security account number as a condition of
eligibility for benefits.”). Finally, Au’s Social Security number did in fact become
linked with the fraudulent application.
Taken together, these facts are strong evidence that the attackers already
possessed personal information about Au before the Noblr cyberattack and gained
additional personal information required to complete the application in cyberattacks
unrelated to the incident involving Noblr’s quote system. Given that multiple attacks
must have occurred, Au alleges no credible basis for why the attack on Noblr’s
system was the source of the information used in the application for benefits. This
case is therefore unlike Zappos, where the most the defendant could say was that
some other data breach “might [also] have caused the plaintiffs’ private information
2 The parties dispute the propriety of Noblr’s request that this court take judicial notice of the benefits application requirements as displayed on the New York State Department of Labor website. But given that the Social Security number requirement is confirmed by regulation, the court need not refer to the website to conclude that at least some personal information other than a driver’s license number is required to apply. Noblr’s request for judicial notice is therefore denied as moot.
8 to be exposed.” 888 F.3d at 1029 (alteration in original). Au has failed to prove that
her injuries stem from “the challenged action of the defendant, and not … the
independent action of some third party not before the court.” Lujan, 504 U.S. at
560–61 (internal quotation marks omitted).
Finally, because Plaintiffs have not requested any further leave to amend, we
decline to remand for further amendment of the complaint.
AFFIRMED.