Robinhood pushes for dismissal of lawsuit about November 2021 hack
Robinhood has sought to rebuff a complaint about the November 2021 security incident that affected millions of its customers. On August 26, 2022, Robinhood filed a document with the California Northern District Court, in support of its motion to dismiss the case.
Let’s recall that, on or about November 3, 2021, hackers gained access to the Personally Identifiable Information (PII) of over 7 million Robinhood customers, including full names, email addresses, dates of birth, zip codes and other PII.
The traders suing Robinhood allege that their personal information accessed by the hackers is currently up for sale on the dark web for criminals to access and abuse. As a result of the Data Breach, Robinhood’s customers have been victims of identity theft, fraud, unlawful account access, unauthorized financial transactions, fraudulent government filings, locked out of their accounts, difficulty and/or inability to regain account access, and face a lifetime risk of such activities.
This Data Breach is not the first time hackers compromised Robinhood’s data security. It was previously sued over a separate data breach in early 2021. In that case, under similar circumstances, the plaintiffs alleged Robinhood failed to maintain industry standard data security measures, resulting in the exposure of over 2,000 individuals’ PII in the fall of 2020.
Shortly after the Data Breach in this action, the traders began noticing fraudulent charges to their accounts, identity theft, such as a fraudulent car lease and a fraudulent application for unemployment benefits, among other forms of theft as a result of the Data Breach. Because of these harms, the plaintiffs filed suit beginning on November 10, 2022. The Court consolidated several complaints on April 28, 2022.
Robinhood argues that the plaintiffs’ responses are deficient. First, Robinhood says, only six out of twenty-five named plaintiffs allege suspicious activities, which according to the company, is inadequate.
Second, Robinhood notes that the Complaint at most suggests that plaintiffs’ names or email addresses were disclosed. According to the company, the plaintiffs have not credibly alleged injury-in-fact directly traceable to the Security Incident, let alone any alleged misconduct by Robinhood, and thus cannot satisfy their burden of showing standing. Instead, they point to privacy issues that under the caselaw have no plausible connection to the limited information allegedly exposed in the Security Incident, especially now that information is widely available on the internet and other data breaches could reveal more personal information.
According to Robinhood, the mere fact that some of the alleged activities occurred some time after the incident does not help Plaintiffs when they fail to allege a specific connection between the breach and the type of data used in the application.
In conclusion, Robinhood says that the Complaint should be dismissed.