Stevens v. Zappos.com, Inc. (In re Zappos.com, Inc.)
888 F.3d 1020 (2018)
Rule of Law:
A substantial risk of future identity theft following a data breach where sensitive personal identifying information (PII) has been stolen constitutes a credible threat of real and immediate harm sufficient to establish Article III standing, even without immediate evidence of actual misuse, particularly outside of a national security context.
Facts:
- In January 2012, hackers breached the servers of online retailer Zappos.com, Inc. (Zappos).
- The hackers stole personal identifying information (PII) of more than 24 million Zappos customers, including names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and full credit card numbers.
- On January 16, 2012, Zappos sent an email to its customers, notifying them of the PII theft.
- Zappos recommended that customers reset their Zappos.com account passwords and change passwords on any other website where they used the same or similar password.
- Several Zappos customers filed putative class actions, alleging an "imminent" risk of identity theft or fraud from the data breach.
- The plaintiffs whose claims are at issue in this appeal ("Plaintiffs") did not allege that they had already suffered financial losses from identity theft due to the breach.
- Two plaintiffs whose claims are at issue in this appeal alleged that hackers took over their AOL accounts and sent advertisements to people in their address books.
- Plaintiffs alleged that the full extent of identity theft or identity fraud from a data breach may not manifest for years, and it may take time for victims to become aware of the theft.
Procedural Posture:
- Several putative class action lawsuits were filed in federal district courts across the country by Zappos customers alleging harms from the data breach.
- The Judicial Panel on Multidistrict Litigation transferred these cases to the District of Nevada for pretrial proceedings.
- After several years of pleadings-stage litigation, the district court granted in part and denied in part Zappos's motion to dismiss the Third Amended Consolidated Complaint and granted Zappos's motion to strike the Complaint's class allegations.
- The district court ruled that plaintiffs who alleged actual financial losses from identity theft caused by the breach had Article III standing.
- However, the district court ruled that the plaintiffs (referred to as 'Plaintiffs' in this appeal) who did not allege having already suffered financial losses from identity theft lacked Article III standing and dismissed their claims without leave to amend.
- The parties then agreed to dismiss all remaining claims with prejudice, leading to the Plaintiffs' appeal to the Ninth Circuit Court of Appeals (Zappos being the appellee).
Issue:
Does a data breach victim, who has not yet suffered actual identity theft or financial fraud, have Article III standing to sue for an increased risk of future identity theft when sensitive personal identifying information (PII) has been stolen?
Opinions:
Majority - Friedland, Circuit Judge
Yes, a data breach victim who has not yet suffered actual identity theft or financial fraud has Article III standing to sue when sensitive personal identifying information (PII) has been stolen, because there is a substantial risk of future identity theft. The Ninth Circuit reaffirmed its precedent from Krottner v. Starbucks Corp., which held that a credible threat of real and immediate harm exists when a laptop containing unencrypted personal data is stolen, even without actual misuse. The court found Krottner not "clearly irreconcilable" with the Supreme Court's decision in Clapper v. Amnesty International USA. While Clapper required "certainly impending" injury and rejected a "speculative multi-link chain of inferences" in a national security context, it also acknowledged "substantial risk" as a valid basis for standing premised on future injury. The Clapper standard was also deemed "especially rigorous" because of national security and separation of powers concerns, which are absent in data breach litigation. In this case, the stolen data (including full credit card numbers, names, and passwords) was highly sensitive and gave hackers the immediate means to commit identity theft or fraud, thus creating a "substantial risk." This risk is more direct than the speculative chain of events in Clapper. The court also noted that identity theft can manifest years after a breach, which supports the imminence of the risk, and that two plaintiffs had already experienced non-financial account takeovers, further supporting the contention that hackers accessed exploitable information.
Analysis:
This case clarifies and reinforces the Ninth Circuit's interpretation of Article III standing for data breach victims, particularly regarding the "injury in fact" requirement for future harm. By distinguishing Clapper, the court ensures that the rigorous standard for standing in national security contexts does not impede plaintiffs seeking redress for data breaches in commercial settings. This decision empowers victims to pursue claims based on a "substantial risk" of identity theft, even without immediate evidence of actual financial fraud, aligning the Ninth Circuit with other circuits that have recognized such a risk as sufficient for standing. This outcome likely encourages companies to enhance data security measures and facilitates class action litigation in the wake of significant data breaches.
