Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
June 4 — In a ruling following the majority of courts that have rejected data breach cases alleging merely potential harm, the U.S. District Court for the District of Nevada held June 1 that Zappos.com Inc. customers failed to show concrete injury from a 2012 hacking breach to support standing.
Judge Robert C. Jones said none of the named customers of the online shoe and clothing retailer alleged injuries—an increased threat of identity theft and fraud, the decreased value of their personal information and mitigation costs—that sufficed to establish standing.
The court recognized that federal courts have been divided on what constitutes an adequate injury in fact for standing in a data breach case. Following the U.S. Supreme Court's 2013 ruling in Clapper v. Amnesty Int'l, 133 S. Ct. 1138 (2013), most courts dealing with data breach cases “have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing,” the district court said.
But a handful of courts have continued to follow Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), in which the U.S. Court of Appeals for the Ninth Circuit concluded that the possibility of future injury might confer standing where a “credible threat of harm” is “real and immediate”.
The court here, however, said that “Clapper doesn't necessarily overrule Krottner” because it requires “the same immediacy of harm.”
On Jan. 15, 2012, Zappos announced that it would notify 24 million customers of a hacking incident involving its computer servers, which resulted in the release of customer names; e-mail, billing, and shipping addresses; phone numbers; the last four digits of credit card numbers; and account numbers and passwords.
Within a week, attorneys general from the nine states had opened an enforcement investigation into the hacking breach. The first of several putative consumer class actions was filed the day after Zappos revealed the breach.
In January, Zappos and nine states announced a no-fault assurance of voluntary compliance settlement of the enforcement actions.
The court granted the retailer's motion to dismiss but gave the plaintiffs leave to amend their complaints for a third time.
Although the majority of district courts in data breach cases have concluded that an increased threat of future harm doesn't establish standing, a couple of courts in the Ninth Circuit have held the opposite, the court said, citing In re Adobe Sys., Inc. Privacy Litig., No. 5:13-cv-05226-LHK, 2014 BL 252019 (N.D. Cal. Sept. 4, 2014), and In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014) .
Unlike the plaintiffs in the Adobe and Sony cases, the court here said that none of the named plaintiffs alleged that they “detected any irregularity whatsoever in regards to unauthorized purchases or other manifestations that their personal information has been misused.”
In addition, the passage of time militated against their claims. “Even if Plaintiffs' risk of identity theft and fraud was substantial and immediate in 2012, the passage of time without a single report from Plaintiffs that they in fact suffered the harm they fear must mean something,” the court said.
Moreover, any future harm would be based on the actions of a third party, making such an allegation even more speculative, the court said.
Nor did the plaintiffs' purchase of credit monitoring services constitute an injury in fact, the court said. Under Clapper, the court said, a cost “incurred to prevent future harm is not enough to confer standing.”
Concerning the plaintiffs' allegation that the value of their personal information decreased, the court said they failed to allege how their personal information became less valuable following the breach.
Blood Hurst & O'Reardon LLP; Levin Papantonio Thomas Mitchell Rafferty & Proctor PA; Barnow and Associates PC; The Coffman Law Firm; Finkelstein, Blankinship, Frei-Pearson & Garber LLP; Glancy Binkow & Goldberg LLP; and the O'Mara Law Firm PC represented the named plaintiffs and the proposed class. Morris Law Group and Stroock & Stroock & Lavan LLP represented Zappos.
Full text of the court's opinion is available at http://www.bloomberglaw.com/public/document/In_re_Zapposcom_Inc_Customer_Data_Sec_Breach_Litig_No_312cv00325R.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)