In re Christie's Data Breach Litigation
Filing
55
MEMORANDUM OPINION AND ORDER: In light of the foregoing, and mindful of the fact that the Court may consider materials outside the pleadings in assessing whether Plaintiffs have standing, see, e.g., Tandon v. Captain's Cove Marina of Bridgepor t, Inc., 752 F.3d 239, 243 (2d Cir. 2014), Plaintiffs shall, no later than February 4, 2025, either file (1) a declaration addressing the potential for fraud or identity theft resulting from the information exposed in the 2024 data breach, includin g but not limited to drivers'license numbers and passport numbers; or (2) a supplemental brief, not to exceed five pages, addressing why such a declaration should not be required. Defendant may file a response, in the form of a supplemental brief not to exceed five pages, by February 7, 2025.SO ORDERED. ( Brief due by 2/4/2025., Responses to Brief due by 2/7/2025) (Signed by Judge Jesse M. Furman on 1/28/2025) (vfr)
UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF NEW YORK
---------------------------------------------------------------------- X
:
IN RE CHRISTIE’S DATA BREACH LITIGATION,
:
:
This Document Relates To:
:
All Member Cases
:
:
---------------------------------------------------------------------- X
24-CV-4221 (JMF)
MEMORANDUM OPINION
AND ORDER
JESSE M. FURMAN, United States District Judge:
In this case, familiarity with which is presumed, a group of consumers filed a class action
alleging that their personal information — including drivers’ license numbers and passport numbers
— was disclosed in a 2024 hacking incident targeting Defendant Christie’s Inc.’s computer systems.
See ECF No. 43, ¶¶ 22-24. On December 13, 2024, the parties filed a motion for preliminary
approval of a class action settlement. See ECF No. 49. On December 18, 2024, the Court issued an
order directing the parties to file supplemental briefs addressing, among other things, whether
Plaintiffs have standing. See ECF Nos. 50, 45. The parties subsequently filed briefs arguing that
the Court should approve the settlement. See ECF Nos. 51-54.
Upon review of the parties’ filings and relevant cases, the Court is inclined to believe that
Plaintiffs’ standing may turn on whether they satisfy the third factor in McMorris v. Carlos Lopez &
Associates, LLC, 995 F.3d 295 (2d Cir. 2021), namely “whether the type of data that has been
exposed is sensitive such that there is a high risk of identity theft or fraud,” id. at 303. Specifically,
courts appear to be divided on the question of whether the exposure of drivers’ license numbers
satisfies this inquiry. Compare, e.g., Rand v. Travelers Indem. Co., 637 F. Supp. 3d 55 (S.D.N.Y.
2022) (agreeing that “a driver’s license number . . . can be used to” commit various types of fraud),
with Cantinieri v. Verisk Analytics, Inc., No. 21-CV-6911 (NJC) (JMW), 2024 WL 5202579, at *17
(E.D.N.Y. Dec. 23, 2024) (concluding plaintiff “ha[d] not established that the disclosure of her
driver's license number . . . would be likely to subject [her] to a perpetual risk of identity theft or
fraud”). In many instances, however, the answer appears to turn on whether there are allegations in
the record that (1) fraudulent activity has already resulted from the exposure of drivers’ license
numbers or (2) fraudulent activity could result from the combined exposure of drivers’ license
numbers with the other exposed information. See, e.g., In re USAA Data Sec. Litig., 621 F. Supp.
3d 454, 466–67 (S.D.N.Y. 2022) (distinguishing cases that “did not involve well-pleaded
allegations of actual proof of identity theft as a result of the disclosure” of DLNs); Cantinieri, 2024
WL 5202579, at *17 (distinguishing In re USAA Data Securities Litigation because the complaint
“lack[ed] allegations that the disclosure of a driver's license number, name, address, and birthdate,
[could] provide an opening for fraud” (internal quotations marks omitted)); see also Stallone v.
Farmers Grp., Inc., No. 221-CV-01659 (GMN) (VCF), 2022 WL 10091489, at *5 (D. Nev. Oct. 15,
2022) (“Plaintiff cites to multiple experts for the proposition that the PII stolen can, and will likely,
be used to [commit fraud].”).
In light of the foregoing, and mindful of the fact that the Court may consider materials
outside the pleadings in assessing whether Plaintiffs have standing, see, e.g., Tandon v. Captain's
Cove Marina of Bridgeport, Inc., 752 F.3d 239, 243 (2d Cir. 2014), Plaintiffs shall, no later than
February 4, 2025, either file (1) a declaration addressing the potential for fraud or identity theft
resulting from the information exposed in the 2024 data breach, including but not limited to drivers’
license numbers and passport numbers; or (2) a supplemental brief, not to exceed five pages,
addressing why such a declaration should not be required. Defendant may file a response, in the
form of a supplemental brief not to exceed five pages, by February 7, 2025.
SO ORDERED.
Dated: January 28, 2025
New York, New York
__________________________________
JESSE M. FURMAN
United States District Judge
2
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?