Robinhood seeks to dismiss complaint about data breach
A lawsuit concerning a data security incident that affected millions of Robinhood clients continues at the California Northern District Court.
On April 19, 2023, Robinhood Markets, Inc., Robinhood Crypto, LLC, Robinhood Financial LLC, and Robinhood Securities, LLC filed a motion to dismiss the second amended complaint (SAC) in this lawsuit.
On November 8, 2021, Robinhood announced that on November 3, “an unauthorized third party obtained access to a limited amount of personal information for a portion of its customers.” That information comprised “a list of email addresses for approximately five million people, and full names for a different group of approximately two million people,” and “for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code was exposed, with a subset of approximately 10 customers having more extensive account details revealed.”
As Robinhood made clear, “no Social Security numbers, bank account numbers, or debit card numbers were exposed.” On November 16, Robinhood updated its November 8 announcement to state that other limited information may have been disclosed in the incident for certain customers.
Shortly after, three putative class actions were filed between November 10 and December 1, 2021 by twenty-five named plaintiffs who claim to have “entered into contracts” with Robinhood. Those three cases have since been consolidated, and an amended consolidated complaint was filed on May 31, 2022.
Robinhood seeks to dismiss the SAC because (1) Plaintiffs lack Article III standing, (2) each claim fails under Rule 12(b)(6), and (3) Plaintiffs are not entitled to equitable relief.
Robinhood argues that the SAC fails to establish subject matter jurisdiction because it is missing allegations regarding the types of PII compromised as to each Plaintiff, let alone any plausible allegations that sufficiently sensitive personal information was exposed in the incident.
Also, according to Robinhood, the plaintiffs cannot establish standing as a factual matter. Courts have dismissed data security cases based on declarations explaining the universe of personal information at issue.
Eighteen months after the data security incident at the heart of this case, and after multiple iterations of their complaint, Plaintiffs still do not, and cannot, plausibly allege that any of their sensitive information has been compromised, Robinhood says. Nor do Plaintiffs plausibly allege that any of the supposed injuries they claim are related to the incident, the defendant argues. The complaint accordingly fails on its face to plead Article III standing.
Moreover, Robinhood says, despite being the second chance to adequately plead their claims, Plaintiffs’ complaint is still replete with fundamental legal deficiencies that doom all their causes of action.
The complaint should be dismissed, the company concludes.