Zappos Data Breach Litigation Dismissed for Lack of Standing

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

June 4 — In a ruling following the majority of courts that have rejected data breach cases alleging merely potential harm, the U.S. District Court for the District of Nevada held June 1 that Zappos.com Inc. customers failed to show concrete injury from a 2012 hacking breach to support standing.

Judge Robert C. Jones said none of the named customers of the online shoe and clothing retailer alleged injuries—an increased threat of identity theft and fraud, the decreased value of their personal information and mitigation costs—that sufficed to establish standing.

The court recognized that federal courts have been divided on what constitutes an adequate injury in fact for standing in a data breach case. Following the U.S. Supreme Court's 2013 ruling in Clapper v. Amnesty Int'l, 133 S. Ct. 1138 (2013), most courts dealing with data breach cases “have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing,” the district court said.

But a handful of courts have continued to follow Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), in which the U.S. Court of Appeals for the Ninth Circuit concluded that the possibility of future injury might confer standing where a “credible threat of harm” is “real and immediate”.

The court here, however, said that “Clapper doesn't necessarily overrule Krottner” because it requires “the same immediacy of harm.”

Settlement With States 

On Jan. 15, 2012, Zappos announced that it would notify 24 million customers of a hacking incident involving its computer servers, which resulted in the release of customer names; e-mail, billing, and shipping addresses; phone numbers; the last four digits of credit card numbers; and account numbers and passwords.

Within a week, attorneys general from the nine states had opened an enforcement investigation into the hacking breach. The first of several putative consumer class actions was filed the day after Zappos revealed the breach.

In January, Zappos and nine states announced a no-fault assurance of voluntary compliance settlement of the enforcement actions.

Increased Threat of Future Harm 

The court granted the retailer's motion to dismiss but gave the plaintiffs leave to amend their complaints for a third time.

Although the majority of district courts in data breach cases have concluded that an increased threat of future harm doesn't establish standing, a couple of courts in the Ninth Circuit have held the opposite, the court said, citing In re Adobe Sys., Inc. Privacy Litig., No. 5:13-cv-05226-LHK, 2014 BL 252019 (N.D. Cal. Sept. 4, 2014), and In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014) .

Unlike the plaintiffs in the Adobe and Sony cases, the court here said that none of the named plaintiffs alleged that they “detected any irregularity whatsoever in regards to unauthorized purchases or other manifestations that their personal information has been misused.”

In addition, the passage of time militated against their claims. “Even if Plaintiffs' risk of identity theft and fraud was substantial and immediate in 2012, the passage of time without a single report from Plaintiffs that they in fact suffered the harm they fear must mean something,” the court said.

Moreover, any future harm would be based on the actions of a third party, making such an allegation even more speculative, the court said.

Other Alleged Injuries 

Nor did the plaintiffs' purchase of credit monitoring services constitute an injury in fact, the court said. Under Clapper, the court said, a cost “incurred to prevent future harm is not enough to confer standing.”

Concerning the plaintiffs' allegation that the value of their personal information decreased, the court said they failed to allege how their personal information became less valuable following the breach.

Blood Hurst & O'Reardon LLP; Levin Papantonio Thomas Mitchell Rafferty & Proctor PA; Barnow and Associates PC; The Coffman Law Firm; Finkelstein, Blankinship, Frei-Pearson & Garber LLP; Glancy Binkow & Goldberg LLP; and the O'Mara Law Firm PC represented the named plaintiffs and the proposed class. Morris Law Group and Stroock & Stroock & Lavan LLP represented Zappos.

Full text of the court's opinion is available at http://www.bloomberglaw.com/public/document/In_re_Zapposcom_Inc_Customer_Data_Sec_Breach_Litig_No_312cv00325R.