[00:00:00] Speaker 00:
I'm here on behalf of plaintiffs Greenstein Nelson and ah and the class this court should reverse the district courts denial of article three jurisdiction for two basic reasons first this is a data disclosure case in which one of the named plaintiffs suffered the exact kind of identity theft unemployment fraud in the exact way predicted one month

[00:00:22] Speaker 00:
After the disclosure, after the exact kind of information identified, driver's license numbers and names was disclosed by Nobler.

[00:00:30] Speaker 00:
She then suffered additional identity theft, having her information on the dark web and has also paid out-of-pocket costs for credit monitoring, not to mention having expended time and effort and still feeling the effects.

[00:00:43] Speaker 00:
Second, even if this court disagrees with that conclusion,

[00:00:46] Speaker 00:
Congress enacted the Drivers Privacy Protection Act, a privacy statute, which elevates the privacy harm suffered by the plaintiffs, even absent the Article III analysis above, to a cognizable injury that provides an independent basis for standing, and which the district courts failed to even assess, much less determine.

[00:01:09] Speaker 00:
I'm happy to start on either claim, but I think the statutory standing claim is a fairly simple one that's been made even more clear by recent Ninth Circuit jurisprudence, which is to say that TransUnion holds that to establish whether a plaintiff

[00:01:25] Speaker 00:
has standing for violation of a statute.

[00:01:29] Speaker 00:
A court assesses whether the alleged injury that the plaintiff alleges bears a close relationship to a harm traditionally recognized as providing a basis for lawsuits in American courts.

[00:01:39] Speaker 00:
As an initial matter, this complaint alleges both a negligence claim and also a driver's privacy protection act claim, and the Article III analysis is somewhat different for both of them because of the way that the situation happened.

[00:01:54] Speaker 00:
Here, we allege that Nobler engaged in an improper disclosure of plaintiff's information in a variety of different ways.

[00:02:03] Speaker 03:
Can I ask you, so your class is defined in the complaint as all persons in the United States whose PI was compromised in the unauthorized data disclosure.

[00:02:18] Speaker 03:
Seemed like the complaint was carefully avoiding saying that all of those people actually had their information disclosed and So maybe some of them it was potentially disclosed because of this vulnerability But are you saying that everyone in the class actually had their information?

[00:02:38] Speaker 00:
disclosed to a third party so the Drivers Privacy Protection Act criminalizes the improper and provides a private right of action and

[00:02:48] Speaker 00:
for the improper use disclosure redisclosure sale and resale of the information so I think the purpose of the term compromise is to say that the improper use of that information would also constitute a violation but I think there are

[00:03:04] Speaker 00:
I think there are a couple of ways that we say that all of the information was disclosed.

[00:03:08] Speaker 00:
The first is in the configuration of the online quoting tool that was the subject of the compromise, right?

[00:03:15] Speaker 00:
That third-party hackers got that information and disclosed it, but they got it because Nobler set up an automatic auto-population tool that meant

[00:03:27] Speaker 00:
that when a query was sent that Nobler sent back the information from a DMV record, that's a disclosure by them.

[00:03:35] Speaker 03:
Right, but somebody had to actually make a query to get the information from the website, right?

[00:03:43] Speaker 03:
That's true.

[00:03:44] Speaker 03:
And are you saying that everyone in the class was subject to such a query, or just that they might have been?

[00:03:51] Speaker 00:
And that is our understanding from the notice is that the 97,000 people who received notice of that information all had that kind of a query and then had information disclosed back.

[00:04:00] Speaker 01:
So I've read the notice, too, and it's not clear to me that that's what the notice says.

[00:04:07] Speaker 01:
It's not clear where that 97,000 number comes from, something that, at least in the record, something on the main

[00:04:16] Speaker 01:
the state of Maine's website or something like that.

[00:04:20] Speaker 01:
And so I assume they got that number from Nobler, but it's not clear to me what that number actually represents.

[00:04:27] Speaker 01:
Since you have to do a query, and it's not clear to me in the record, was there 97,000 queries done?

[00:04:41] Speaker 01:
to where this information would be returned, or is there 97,000 potential people that a query that would have been available if a query had been done?

[00:04:51] Speaker 01:
I don't know that.

[00:04:52] Speaker 01:
It's not clear to me from what Noble or disclosed.

[00:04:55] Speaker 01:
And then you combine that with the fact that your complaint uses words like compromised and stuff.

[00:05:02] Speaker 01:
It's not clear to me that factually that there actually was 97,000 plus or minus people that

[00:05:12] Speaker 01:
the class here that actually had their stuff given to hackers.

[00:05:18] Speaker 00:
So I think that you take the allegations of the complaint in the light most favorable to the plaintiffs and our interpretation of that determination is that it was 97,000 people.

[00:05:27] Speaker 00:
I also think that that's consistent with the information given out by the New York Department of Financial Services that we reference in paragraph 48 of the complaint.

[00:05:38] Speaker 00:
that says that in January, between December and March of 2020 and March of 2021, a series of near identical this kind of compromises happened and that that is the mechanism through which those occurred.

[00:05:54] Speaker 00:
I also think that in this case, there was one additional piece of information that is not present in several of the other litigate, of the other cases and compromises that are sort of a similar industry-wide

[00:06:07] Speaker 00:
situation that occurred at the time which is that no blur says in its notice and and our understanding of the situation that we describe in the mid 70s paragraphs of the complaint is that no blur put the entire DMP record of of of folks on in the source code on its website which is public like that's just public information if you want to see that information on a website if you're on a

[00:06:32] Speaker 00:
Google Chrome website you press control you if you're in a different browser you press f11.

[00:06:37] Speaker 01:
It's literally in So my understanding of that and it's kind of related to the it's not it's not just like you go to nobler's website back back then not now but like and you hit ctrl Q and 97,000 people's driver's licenses are in that instead it would be in their

[00:06:57] Speaker 01:
when you did a query, right?

[00:06:59] Speaker 00:
Like, it's not... That is not our understanding of the situation, and that is not what it's alleged in a complaint.

[00:07:04] Speaker 00:
The complaint alleges that the information was public, and all of this is a factual dispute that would be borne out by discovery and further information into it, but the complaint alleges that that information was public.

[00:07:18] Speaker 00:
There is a long discussion of it in the 70s paragraphs of the complaint that discusses the ways in which Nobler's website was configured.

[00:07:26] Speaker 01:
That's why I think you're getting these questions, is because I'm trying to make sure that the complaint actually does say that, and if it does say that, that there's a factual basis for that.

[00:07:37] Speaker 01:
We take the facts in the light most favorable to your side, obviously, but you can't just be pure speculation.

[00:07:45] Speaker 01:
Yes, we understand.

[00:07:46] Speaker 01:
And so I'm trying to figure out what the basis for that allegation is.

[00:07:50] Speaker 01:
And my understanding would be that, again,

[00:07:54] Speaker 01:
it wasn't that they were just storing these driver's license numbers in the source code that you could see as long as you knew to hit control Q, but that it would come, that as soon as you did a query for somebody, that when it would have you, when it would feed it back to you, it would also, in addition to having it actually on the page, it would also in the source code tell you that number.

[00:08:22] Speaker 00:
I don't think that's what we allege, but either way, I think that that gives rise to standing under either a statutory standing basis or under the traditional Article 3 analysis of injury and fact, traceability, redressability.

[00:08:37] Speaker 00:
Either way, the argument is that nobler, is that we have alleged at least a bear violation of the Drivers Privacy Protection Act and that that is a privacy harm of having driver's license numbers disclosed or used improperly.

[00:08:53] Speaker 00:
That is a traditional privacy harm at common law that is exactly analogous in the same way that both the Facebook internet tracking litigation from 2020 and then also the recent case from October

[00:09:05] Speaker 00:
the Jones versus Ford Motor Company says is the exact kind of statute that Congress has elevated and that it is a question for Congress about whether or not it is to elevate that harm to being subject to a statutory cause of action.

[00:09:20] Speaker 03:
But the DPPA violation requires

[00:09:24] Speaker 03:
It requires disclosure, which requires that someone actually see it, right?

[00:09:29] Speaker 00:
It doesn't.

[00:09:30] Speaker 00:
Because an improper use is also criminalized under the statute.

[00:09:36] Speaker 00:
So our allegation is that the entire, none of which is really questioned at the motion to dismiss stage, right?

[00:09:44] Speaker 00:
Because it's just the allegations and the complaint.

[00:09:45] Speaker 00:
is our allegation is that the entire way that Nobler configured its system is an improper use of motor vehicle records because they did not provide any sort of verification that the person requesting the information was the right information, that they were doing it for sales purposes rather than

[00:10:08] Speaker 00:
rather than underwriting purposes.

[00:10:11] Speaker 03:
If somebody has a collection of driver's license information and they put it on a system and they've configured the system very poorly, they don't require a password or whatever, and it sits there for a while, but through lock, nobody ever looks at it, and then they realize, oh my goodness, we had this vulnerability, and then they fix it.

[00:10:33] Speaker 03:
You think that violated the DPPA?

[00:10:35] Speaker 00:
I think that it probably does violate the DPPA.

[00:10:38] Speaker 00:
I think the question of whether that would rise to the level of Article III standing is a separate question.

[00:10:43] Speaker 00:
But I think, but the DPPA is a remedial statute that is designed to overarchingly limit the way it is that people use motor vehicle records.

[00:10:53] Speaker 00:
And the Supreme Court has been very clear, that's Marrakech.

[00:10:57] Speaker 00:
that it is a statute that is supposed to be construed against parties that have motor vehicle records and in favor of restrictions of use.

[00:11:08] Speaker 03:
Right, but if it were really, I mean, it sounds like you're reading it as sort of a code of IT security best practices, which is kind of an odd thing given that Congress said nothing about what those practices are.

[00:11:22] Speaker 03:
They just left it up to courts to figure out.

[00:11:27] Speaker 00:
I don't think that's precisely what I'm saying.

[00:11:29] Speaker 00:
I think what I'm saying is that the Drivers Privacy Protection Act has a statutory scheme that criminalizes and provides a private cause of action for the improper use

[00:11:41] Speaker 00:
disclosure, redisclosure, sale, resale of motor vehicle records information.

[00:11:46] Speaker 00:
And then it provides a list of proper uses of that information.

[00:11:49] Speaker 00:
There are 12 to 14 of them, right?

[00:11:52] Speaker 00:
The one that presumably covers most of Nobler's conduct is six, which deals with insurance underwriting, right?

[00:11:57] Speaker 00:
And it says that any party, not just state DMVs, not just any party that has the information down the entire chain, both has to keep track of why it is that it's using that information.

[00:12:11] Speaker 00:
You have to have a record that says every time you disclose a driver's license number, every time you use a drive, every party has to do that.

[00:12:18] Speaker 00:
And then that any time that that information is improper, that it's an improper use, that there's a private cause of action.

[00:12:25] Speaker 00:
The our understanding is that there are a series of affirmative defenses about a proper use of that claim right like that that's a thing that nobler will be permitted to make that claim on both a class widened and

[00:12:36] Speaker 00:
meet perhaps an individual basis going forward, but that when you're construing that claim on a motion to dismiss, that the elements of the claim do not require anything of the sort to talk about what they could have done.

[00:12:52] Speaker 00:
And I think that the courts in USAA and the court in Travelers

[00:12:58] Speaker 00:
both talked about how the way that that statute is written means that the act of giving out the driver's license number, right, regardless of what query it was from, was a voluntary act on the part of the insurance company that gives rise to a claim.

[00:13:13] Speaker 03:
Just to go back to the set of questions that we started with, setting aside what your complaint currently says, suppose that we thought that you really need to allege an actual disclosure in the sense that there is some third person who saw the information of the plaintiffs.

[00:13:33] Speaker 03:
If you were allowed leave to amend the complaint,

[00:13:37] Speaker 03:
Could you clearly allege that everybody in your class had his or her information seen by some third-party party?

[00:13:43] Speaker 00:
Yes, because it was stolen by third parties.

[00:13:45] Speaker 00:
I mean, because it was accessed by third parties as part of a hack for the purpose of taking the information.

[00:13:51] Speaker 00:
So yes, we can allege that.

[00:13:53] Speaker 03:
Do you want to reserve the rest of your time?

[00:13:55] Speaker 00:
Yes, and I would reserve the rest of my time if that's all right.

[00:13:57] Speaker 00:
Thanks.

[00:14:03] Speaker 02:
Good morning.

[00:14:05] Speaker 02:
May it please the court, Frank Nolan for Nobler, the appellee.

[00:14:10] Speaker 02:
This court should affirm the lower court's two dismissal orders, just as the Seventh Circuit affirmed dismissal of a virtually identical case just months ago in Basale v. Midvale.

[00:14:20] Speaker 02:
And there are three key holdings that the Seventh Circuit made in Basale.

[00:14:24] Speaker 02:
All three of them apply here.

[00:14:25] Speaker 02:
And I'd like to address each of those key holdings as they apply to the plaintiff's allegations in the underlying complaint.

[00:14:33] Speaker 02:
So number one, the plaintiffs didn't allege actual harm.

[00:14:37] Speaker 02:
That's fairly traceable to Nobler.

[00:14:39] Speaker 02:
Number two, the plaintiffs didn't allege an imminent risk of harm.

[00:14:43] Speaker 02:
And number three, as we just heard about, the plaintiffs lack statutory standing under the DPPA.

[00:14:50] Speaker 02:
So to begin with, there's no actual injury alleged that's fairly traceable to Nobler.

[00:14:55] Speaker 02:
So there are three plaintiffs here.

[00:14:57] Speaker 02:
Plaintiff Greenstein and Plaintiff Nelson, they don't even attempt to allege any actual harm whatsoever.

[00:15:04] Speaker 02:
So Plaintiff Au alleges only that a third party, a non-third party, attempted to complete a New York State unemployment benefits application in her name.

[00:15:16] Speaker 02:
That's it.

[00:15:18] Speaker 02:
an unsuccessful unemployment benefits application is not identity fraud and plaintiffs don't sufficiently alleged how the application caused her harm but it's also not traceable to nobler plaintiffs don't alleged that

[00:15:31] Speaker 02:
Plaintiff Ow's driver's license number was used in the fraudulent application.

[00:15:35] Speaker 02:
And that's key because that's the one piece of data that was possibly exposed in the underlying attacks.

[00:15:40] Speaker 02:
There's no but for causation.

[00:15:43] Speaker 02:
The plaintiff's reply.

[00:15:44] Speaker 01:
You say possibly exposed.

[00:15:45] Speaker 01:
So if you don't mind to go back to what a lot of the questioning was counsel.

[00:15:50] Speaker 01:
When I read your notice and when you read the complaint, it's not clear to me

[00:15:59] Speaker 01:
kind of what happened here.

[00:16:00] Speaker 01:
It's not clear to me, or at least what's alleged to have happened here, which is what matters, I guess.

[00:16:04] Speaker 01:
It's not clear, it seems to be, one of two things could have happened.

[00:16:07] Speaker 01:
One was that there was the potential to expose 97,000 people where if you entered the correct information either manually or if you're a hacker and you have some sort of script that runs, you could, and that it would

[00:16:23] Speaker 01:
it would spit back at you the person's driver's license, either expressly on the page or in some way that you could access it through the metadata that was behind the page.

[00:16:35] Speaker 01:
So that's one scenario.

[00:16:37] Speaker 01:
The other scenario is that we know that 97,000 people's driver's license was actually provided.

[00:16:46] Speaker 01:
And it's not clear to me from the complaint and from the, and the complaint seems to be just based on your notice letter, right?

[00:16:56] Speaker 01:
So that's what, that is one of the other of those things.

[00:16:59] Speaker 01:
And it seems to matter because Starbucks case and Zappos case is, those were cases where there actually was disclosure.

[00:17:09] Speaker 01:
Like the data was actually, the data was actually gotten by nefarious people.

[00:17:16] Speaker 01:
Then once that's happened, our courts basically said, well, that's enough for standing because if bad people get your data, you have some harm.

[00:17:28] Speaker 01:
But it would be a further step removed from that in this case if we don't even know who they got the data for and who they didn't.

[00:17:37] Speaker 01:
In other words, there's 97,000 people that they may have gotten the data for, to use the word which is in your notice letter that they may have.

[00:17:45] Speaker 01:
but we don't know whether they got it or not.

[00:17:48] Speaker 01:
I'm trying to figure out, and I guess in some ways it doesn't matter what you tell us this morning because it matters what's in the complaint, but is it that they got 97,000 people's data or that there was 97,000 people at risk of them getting their data before you closed the loophole, so to speak?

[00:18:11] Speaker 02:
So let me take that piece by piece.

[00:18:13] Speaker 02:
So we are bound by what's in the complaint.

[00:18:17] Speaker 02:
And the complaint pastes the notice into itself at ER 21.

[00:18:24] Speaker 02:
And as you just referenced, it says what information was involved under the heading there.

[00:18:29] Speaker 02:
And it says, may have been accessed.

[00:18:33] Speaker 02:
We know that 97,000 notices went out.

[00:18:36] Speaker 02:
We know that that 97,000 people's information may have been exploited because that appeared in the source code.

[00:18:46] Speaker 02:
That's what we know.

[00:18:47] Speaker 01:
You referenced... That's where the 97,000 comes from is that's how many people... It's sort of like as if there was a sign out there and 97,000 people's stuff was on the sign, but we have no idea.

[00:19:00] Speaker 01:
But it's different than

[00:19:02] Speaker 01:
the bad guys took the sign and walked off with it, which is what happened in the Starbucks case.

[00:19:08] Speaker 01:
There was a laptop and it was stolen and it had this stuff on it.

[00:19:12] Speaker 01:
And same thing I think happened in Zappos.

[00:19:14] Speaker 01:
It wasn't just that this stuff was available for nefarious actors to get, it actually was gotten by nefarious actors.

[00:19:20] Speaker 01:
I'm trying to figure out if this case is like those cases or if it's just a case where it was available.

[00:19:26] Speaker 02:
It appears that it was just available, but there's also another distinction here.

[00:19:30] Speaker 02:
You mentioned Zappos, and this is another reason that there's no standing here, but there was standing in Zappos, is because there was evidence of some of those named plaintiffs having their information that was stolen.

[00:19:42] Speaker 02:
used for identity theft.

[00:19:45] Speaker 02:
And that's where the fairly traceable flaw comes in here.

[00:19:49] Speaker 02:
So the plaintiffs argue in their reply brief that the driver's license number was, quote, a key part of the application, close quote.

[00:20:00] Speaker 02:
And they cite to paragraphs four and 91.

[00:20:02] Speaker 01:
You know, with the unemployment application for OWL, or AU, however you say your name.

[00:20:07] Speaker 02:
Yeah, yeah, plaintiff, I believe it's OWL.

[00:20:09] Speaker 02:
They cite to paragraphs 4 and 91, which is at ER 16 and 42, but those paragraphs don't say that the driver's license number was used in the application.

[00:20:20] Speaker 02:
They simply say that the quote, that plaintiff has quote, data was used.

[00:20:24] Speaker 02:
And the fact is,

[00:20:26] Speaker 02:
The plaintiffs don't know whether this application for unemployment's benefit in New York State, which is the only thing that's alleged in the complaint, even requires driver's license numbers or whether the application requires other additional and totally separate information.

[00:20:43] Speaker 02:
And we know that because the plaintiffs' counsel here also represented the plaintiffs' counsel in the Bay Sal case.

[00:20:50] Speaker 02:
During oral argument in the Beisau case, plaintiff's counsel conceded that they don't know what role, if any, a driver's license number plays in the application.

[00:20:58] Speaker 02:
And because plaintiffs don't allege that the application could have been completed using that piece of data that was potentially stolen here,

[00:21:07] Speaker 02:
They fail to allege that the application is traceable to the breach, and they fail to allege that the application would be traceable to Nobler, as Article 3 requires.

[00:21:17] Speaker 02:
So there's no actual injury fairly traceable.

[00:21:20] Speaker 01:
Can I ask you a follow-up, too?

[00:21:23] Speaker 01:
I think it's related to a question that Judge Miller asked your public counsel.

[00:21:29] Speaker 01:
If we were to conclude that the complaint, this current complaint

[00:21:34] Speaker 01:
does not actually, is different than, say, Starbucks or Krotner or Zappos because it doesn't actually allege that the information for the class was disclosed as opposed to that the information was available for someone to get, right?

[00:21:50] Speaker 01:
So that distinction that I was talking about.

[00:21:53] Speaker 01:
Could they, could the plaintiffs, could the plaintiffs amend, and they were not granted leave to amend again, but if there were granted leave to amend, could they amend

[00:22:04] Speaker 01:
consistent with rule 11 and such, to say that yes, all 97,000 people, we know that their information was gotten or was disclosed, was taken by these hackers.

[00:22:20] Speaker 01:
I mean, we do know that they were trying to get some, right?

[00:22:22] Speaker 01:
That's what caused your client to figure this out, that this was going on.

[00:22:27] Speaker 01:
But could they have,

[00:22:31] Speaker 01:
a basis to make that allegation?

[00:22:34] Speaker 02:
Not based on what I know.

[00:22:36] Speaker 02:
Not based on what's, I mean, they're still going to be bound by the notice and still going to be bound by what Nobler has provided to regulators that's posted.

[00:22:46] Speaker 02:
So for example, the state of Maine, that information is all incorporated within the complaint.

[00:22:50] Speaker 02:
There's nothing else that they would allege.

[00:22:51] Speaker 02:
But say they were just to say, even on information and belief that all this information was stolen, even if they were to just take a flyer,

[00:22:58] Speaker 02:
the complaint would still fail because there's still no Article 3 standing because there's no actual injury that's traceable, there's no imminent risk of harm, and there's no statutory standing under the DPPA, even if they could say that all this information was in the hands of somebody.

[00:23:14] Speaker 03:
So can you explain that last part?

[00:23:17] Speaker 03:
Because if they said that it had been—I think their theory is if they could show or allege that it's all been disclosed to someone, that would state a violation of the DPPA.

[00:23:30] Speaker 03:
And at least the Fourth Circuit has said that the DPPA is close enough to traditional privacy torts that a violation of it establishes Article III standing.

[00:23:44] Speaker 03:
So what's wrong with that line of argument?

[00:23:47] Speaker 02:
Yeah, a couple of things.

[00:23:48] Speaker 02:
And I believe you're referring to the Gary case.

[00:23:53] Speaker 02:
So TransUnion and Spokeo require

[00:23:55] Speaker 02:
that where there's no actual damages like here, that there has to be a close historical or common law analog.

[00:24:02] Speaker 02:
And in plaintiff's briefing, they argue that there are three potential intentional torts that this would be analogous to.

[00:24:12] Speaker 02:
Intrusion upon seclusion, public disclosure of private facts, or invasion of privacy.

[00:24:19] Speaker 02:
Now, there's two problems with that.

[00:24:20] Speaker 02:
Number one, those torts all require conduct that would be highly offensive to a reasonable person.

[00:24:27] Speaker 02:
So that's the first problem.

[00:24:28] Speaker 02:
The possible exposure of driver's license numbers does not meet that standard in kind or degree.

[00:24:33] Speaker 02:
Even plaintiff's counsel conceded that a violation of the DPPA may not mean that they're standing under the DPPA.

[00:24:39] Speaker 02:
Drivers license numbers are printed on a document that everybody in the country above the age of 17 carries around in their pocket.

[00:24:48] Speaker 02:
They freely show it to complete strangers.

[00:24:50] Speaker 02:
I just showed it downstairs to the security guard.

[00:24:53] Speaker 02:
I showed it when I flew here to the TSA agent, to the hotel receptionist when I checked into my hotel.

[00:24:59] Speaker 02:
Everybody does that.

[00:25:00] Speaker 02:
It's not sensitive information that would be highly offensive to a reasonable person to disclose.

[00:25:05] Speaker 02:
This is not a credit report or

[00:25:09] Speaker 02:
a medical record that may contain something offensive or very deeply personal.

[00:25:16] Speaker 02:
It's not a social security number or biometric information, which is immutable.

[00:25:20] Speaker 02:
You can go change a driver's license number.

[00:25:22] Speaker 02:
So disclosure of this information would not be highly offensive to a reasonable person.

[00:25:27] Speaker 02:
And that's what those common law torts that they're comparing it to require.

[00:25:32] Speaker 02:
But there's a second problem with the article, with the DPPA standing argument.

[00:25:36] Speaker 02:
And that's because this is not what the DPPA intended to prevent.

[00:25:40] Speaker 02:
And the 4th Circuit case in Gary is a perfect example of that.

[00:25:43] Speaker 02:
They found standing because there was addresses there.

[00:25:46] Speaker 02:
Nobody would argue that addresses are deeply personal, private information.

[00:25:51] Speaker 02:
But the plaintiffs looked, in that case, plaintiffs' personal injury lawyers accessed addresses of

[00:25:59] Speaker 02:
of traffic accident victims from the DMV records and then sent those people solicitations for their personal injury plaintiff's services.

[00:26:08] Speaker 02:
That was, the court found, an intrusion upon seclusion.

[00:26:11] Speaker 02:
That was a common law claim that the DPPA was analogous to.

[00:26:16] Speaker 02:
Congress enacted the DPPA trying to prevent against that kind of harm.

[00:26:22] Speaker 02:
So for example, if you look at the records, the legislative history,

[00:26:27] Speaker 02:
stalking, taking addresses from individuals and stalking them, that kind of harm.

[00:26:34] Speaker 02:
It wasn't the disclosure.

[00:26:35] Speaker 02:
This is not like the Washington Privacy Act or a number of other acts where they found that the disclosure is enough.

[00:26:43] Speaker 02:
Even the DPPA recognizes in its own

[00:26:46] Speaker 02:
language that there's different levels of sensitivity to information.

[00:26:51] Speaker 02:
And they put driver's license numbers at a less sensitive categorization compared to, say, social security numbers.

[00:26:59] Speaker 03:
Can you address the argument that under trans-union, the court seemed to recognize there that a risk of future harm by itself doesn't necessarily establish standing, but if the risk of harm is causing some present injury, then it might.

[00:27:17] Speaker 03:
And here the complaint has allegations that

[00:27:19] Speaker 03:
Because of the risk of harm, there's emotional distress and there's also some expenses for credit monitoring and a number of precautions that plaintiffs took because they feared this risk of harm.

[00:27:34] Speaker 03:
Why isn't that a sufficient present injury arising from the risk to support standing?

[00:27:40] Speaker 02:
only one plaintiff, Plaintiff Au, alleges that she purchased credit monitoring, but as the lower court properly held, you can't manufacture standing.

[00:27:49] Speaker 02:
You can't check a credit report or do anything harmful to a credit rating with just a driver's license number, so it's not reasonable to go and take that kind of, to incur those kind of mitigation costs.

[00:28:02] Speaker 02:
So that is not a basis for standing here.

[00:28:08] Speaker 02:
To the extent that there's any question as to whether there's imminent risk of harm to any of the three plaintiffs, there's two points there.

[00:28:16] Speaker 02:
Number one, most of their argument relies on, well, Plaintiff Au had her identity stolen through the application.

[00:28:23] Speaker 02:
That's, as I just talked about, it's not enough.

[00:28:26] Speaker 02:
The other allegations here are all generalized allegations as to what you can do with this information.

[00:28:32] Speaker 02:
So for example, and those generalized allegations don't have any connection to what happened here, what's likely to happen here.

[00:28:38] Speaker 02:
So for example, paragraph 35, which is at ER 25 and 26,

[00:28:43] Speaker 02:
There's a handful of allegations about the harm that can come to somebody if their driver's licenses are stolen.

[00:28:50] Speaker 02:
It's not what happened here.

[00:28:51] Speaker 02:
Driver's license numbers, driver's license, two different things.

[00:28:54] Speaker 02:
Another example is at ER 29, paragraph 43 of the complaint, where plaintiffs allege that driver's license numbers are connected to vehicle registrations and insurance policies.

[00:29:05] Speaker 02:
But plaintiffs don't plausibly allege that thieves can access those things using a driver's license number or that there's an imminent risk of having it, of it happening to plaintiff.

[00:29:16] Speaker 02:
There's really not much you can do with the driver's license number.

[00:29:18] Speaker 02:
And in order to imagine this harm, you have to make a number of inferential leaps that you can't do when you're looking at whether there's Article III standing.

[00:29:32] Speaker 03:
Thank you very much.

[00:29:33] Speaker 03:
Thank you.

[00:29:42] Speaker 00:
Thank you.

[00:29:43] Speaker 00:
To start with, I wanted to address the concept that the notice uses the phrase may have instead of did have.

[00:29:51] Speaker 00:
My understanding is that every data breach notice that's ever been given out uses the phrase may have, including I don't know about the laptop one in Starbucks, but the Zappos one did for sure.

[00:30:01] Speaker 00:
the, that's just, that's because the defendants use that language rather than, and they wrote their own notice.

[00:30:07] Speaker 00:
I think the important part of the Zappos holding and the Starbucks holding is that it's a combination of the information having been disclosed and then that it was targeted, or that it was sensitive information and that it was targeted by criminals.

[00:30:22] Speaker 00:
And in this case, we know that it was targeted by criminals.

[00:30:24] Speaker 00:
This isn't an accidental attempted intrusion, right?

[00:30:28] Speaker 00:
Like it was a coordinated attack,

[00:30:30] Speaker 00:
that was done on a variety of different parts of the insurance industry for a period of time for the purpose of unemployment benefits fraud.

[00:30:38] Speaker 00:
And I think that that is a reasonable counter to the factual claims that the defendants are making here about whether or not you can use a driver's license number in order to achieve a harm, which is that one,

[00:30:53] Speaker 00:
The those are all from twenty twenty three we know that this was a was a covert related unemployment problem where that input where the New York DMV in the California DMV had.

[00:31:03] Speaker 00:
or Department of Labor had decreased the requirements in order to get as many people unemployment benefits as possible.

[00:31:09] Speaker 00:
And what they're doing now is just not relevant to that, in addition to the fact that it's new on appeal and not part of the rest of the record.

[00:31:16] Speaker 03:
Could you very briefly address the Seventh Circuit's decision in Basel?

[00:31:20] Speaker 03:
Do you think it's factually distinguishable in some way, or do you just disagree with it?

[00:31:23] Speaker 00:
I do.

[00:31:23] Speaker 00:
So I think Basel is factually distinct, legally distinct, and also incorrectly decided.

[00:31:31] Speaker 00:
So I think it's factually distinct in two different ways.

[00:31:35] Speaker 00:
One of them is that there was no source code allegation in the Basel complaint.

[00:31:41] Speaker 00:
The second is that there is not a follow on allegation that the information of at least one plaintiff was found on the dark web a year later.

[00:31:50] Speaker 00:
after the unemployment benefits application had happened, which is a type of allegation that two separate circuit courts, the third circuit in Clemens and then the 11th circuit in the Brinker decision, determined was sufficient to state a claim for Article III standing even without any other

[00:32:09] Speaker 00:
fraud, and then third, that in this case, there are out-of-pocket expenses for monitoring that were incurred that were not at issue in Basel.

[00:32:19] Speaker 00:
So I think that's factually distinguishable.

[00:32:21] Speaker 03:
Thank you.

[00:32:21] Speaker 00:
Yeah, thank you.

[00:32:23] Speaker 03:
Any other questions?

[00:32:24] Speaker 03:
All right.

[00:32:25] Speaker 03:
We thank both counsel for their arguments.

[00:32:26] Speaker 03:
The case is submitted, and we will now take a brief recess.