Uber Dodges Driver’s Suit Over 2014 Data Breach

     SAN FRANCISCO (CN) – A class action claiming Uber failed to safeguard its drivers’ private data will not survive the ride-hail’s motion to dismiss, a federal magistrate judge said Thursday.
     Former Uber driver Sasha Antman sued Uber in January, claiming a data breach compromised his personal information and led to an attempted identity theft.
     The May 2014 breach gave an unknown entity access to the personal data of about 50,000 drivers, according to a February 2015 statement by Uber.
     During a hearing Thursday, U.S. Magistrate Judge Laurel Beeler said she was leaning toward granting Uber’s motion to dismiss due to lack of standing, but that she would also give the plaintiff leave to amend his complaint.
     “I think you have to plausibly plead a harm,” Beeler said. “The concern is you haven’t. You can try again.”
     Uber attorney Michael Wong argued Antman failed to show a causal relationship between the data breach that leaked driver names and driver’s license numbers and an act of credit card fraud.
     An unknown person used the plaintiff’s personal information to apply for a Capital One credit card in June 2014, according to the complaint.
     But Uber claims the plaintiff failed to show a “plausible link” between the data breach and the attempted identity theft, since no evidence exists that hackers obtained more than driver names and license numbers.
     “Driver’s license numbers may be valuable,” said Wong. “There may be a black market for it, but if they’re alleging their driver’s licenses ended up on a black market that would be a different issue.”
     Antman’s attorney Theodore Maya countered the full scope of the breach remains unknown and that hackers could have hijacked his client’s Social Security number and used it to apply for an unauthorized credit card.
     “It seems like we’re making a lot of assumptions as to what the facts are,” said Maya. “There are no facts showing the data breach was as limited as Uber says it was.”
     Maya added that counterfeit driver’s licenses tend to sell for more money on the black market than do credit card numbers and that a driver’s license is an important part of a person’s identity.
     “The idea that no cognizable injury exists under Article III – the court would have to submit that driver’s license information is worthless, and that’s not the case,” said Maya.
     Although more details may still come out about the data breach, Wong argued the plaintiff bears the burden of proving he has standing to bring the case.
     “They’re relying on a tentative chain of speculative arguments,” said Wong.
     Beeler also questioned Maya on why his client was seeking nationwide class certification, since both claims against Uber are based on violations of California law.
     “We would make the argument that the defendant can be submitted for national liability and California-only is our fallback position,” said Maya.
     Beeler said she would grant Uber’s motion to dismiss but would also give Antman a second chance to submit a new complaint that includes plausible claims of injury.
     “Plaintiffs need to plausibly plead their claim and if they don’t, they don’t get to stick around,” said Beeler.
     The judge said she would likely issue a written ruling on the motion to dismiss next week.

%d bloggers like this: