In re Zappos.com, Inc. Customer Data Security Breach Litigation (U.S.D.C. Nevada)

On Monday, a Nevada federal court granted, without prejudice, Zappos’ motion to dismiss the multi-district litigation relating to its data breach.

In 2013, the court denied a similar motion to dismiss, finding that the plaintiffs’ allegations that they paid money to monitor credit scores and secure financial information as a result of the breach were sufficient to establish standing. However, given the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2014), and following the logic of Krottner v. Starbucks, this week the court revisited the issue and found that the plaintiffs lacked standing because their claim of future harm was uncertain.

Plaintiffs argued they had standing because: (1) the data breach resulted in a devaluation of their personal information, (2) they suffer an increased threat of future identity theft and fraud, and (3) they purchased credit monitoring services (mitigation costs). The court quickly disposed of the first argument, noting that plaintiffs have not alleged any facts explaining how their personal information became less valuable as a result of the breach. The court also rejected the last argument, noting that the future harm that plaintiffs took steps to mitigate must be imminent, and any future harm here was speculative. The court also noted that should a third party misuse a plaintiff’s personal information, there would be an injury that can be compensated, and at that point a plaintiff could return to court and have standing to recover (thus the basis for the court’s without-prejudice ruling).

The court spends several pages addressing the plaintiffs’ second argument, discussing the Clapper ruling, then citing ten decisions from various jurisdictions finding that allegations of actual identity theft or other fraud alone are insufficient to satisfy Article III standing. The Nevada court then turns to decisions by federal courts in the Ninth Circuit, discussing Krottner v. Starbucks Corp., In re Adobe Sys., Inc. Privacy Litig., and In re Sony Gaming Networks & Customer Data Sec. Breach Litig., cases where courts have held that an increased risk of future identity theft is sufficient to establish standing under Article III.

First, the Nevada court agrees with the Sony ruling that Clapper does not necessarily overrule the Krottner test (under which (1) the plaintiff faces a credible threat of harm and (2) the harm must be both real and immediate), and finds itself bound by Krottner. The court then concludes that while the threat of harm may be credible, since none of the plaintiffs had their information used during the three and a half years since the breach occurred, it is obvious their harm is not immediate. Since the plaintiffs cannot meet the second prong of Krottner, the court finds they lack standing at this time.

The court also distinguishes Adobe, noting that plaintiffs’ entire credit card numbers were stolen there, whereas in Zappos only 4 digits of a credit card were stolen, and notes that in Sony plaintiffs actually suffered unauthorized charges on credit cards, which did not happen here. The court also noted that a greater amount of time had passed here for such actions to occur, compared to the time between the breach and the decisions on the standing motions in Adobe and Sony.

While the facts in Zappos are unique, the decision will hopefully further dissuade the plaintiffs’ bar from bringing such actions; time will tell. Although this may dissuade litigation, remember that data breaches remain expensive, with the average cost being nearly $4M ($154 per record). It is therefore important to continue to take the steps to keep your security/privacy programs in place so as to prevent breaches, and so that you are prepared should a breach happen.