On June 1, 2015, the U.S. District Court for the District of Nevada dismissed a consolidated consumer class action against Zappos.com Inc. stemming from a data breach in January 2012, in which the consumers raised various claims relating to the theft of their personally identifiable information from Zappos’ servers. The district court held that the plaintiffs failed to adequately allege a concrete injury under Article III, because they failed to allege any “instances of actual identity theft or fraud” involving their personal information following the data breach.
Zappos’ data breach saga began on Jan. 15, 2012, when its servers in Kentucky and Nevada were hacked. Personally identifiable information of approximately 24 million customers was stolen, including names, passwords, email addresses, phone numbers and physical addresses. Unlike some other notable data breach incidents, the hackers were only able to steal the last four digits of credit card numbers.
Early in the case, in September 2013, the court denied a motion to dismiss for lack of standing, finding that the plaintiffs’ alleged need to pay for credit monitoring services in view of the breach was sufficient to establish standing. The court then stayed the case repeatedly pending mediation and settlement discussions, but the lack of resolution by March 2015 induced the court to take up Zappos’ renewed motion to dismiss.
The district court discounted its prior ruling and granted the renewed motion “given developments in the caselaw dealing with standing of data-breach victims,” as well as the U.S. Supreme Court’s decision in Clapper v. Amnesty Int’l USA. In Clapper, the Supreme Court held that an allegation of future injury may suffice for standing only if the threatened injury is “certainly impending,” or there is a “‘substantial risk’ that the harm will occur”; otherwise the allegations “of possible future injury are not sufficient.” The district court in Zappos determined that the plaintiffs did not sufficiently allege injury for Article III standing, because “an increased threat of future identity theft and fraud” was too speculative to constitute imminent harm. The district court further held that plaintiffs could not establish harm by relying on “costs to mitigate” potential threats, such as by purchasing credit monitoring services.
Is Dismissal for Lack of Alleged Harm in Data Breach Cases the New Normal?
Motions to dismiss for lack of Article III standing have become the most effective mechanism for obtaining early dismissal of data breach consumer class actions. District courts have frequently dismissed such actions where plaintiffs have not alleged specific economic harm, and the Zappos decision seems to acknowledge this as a trend, going so far as to overturn its prior position due to “developments in the caselaw” and the Clapper decision. Indeed, the vast majority of cases with similar data breach claims — particularly those decided in the wake of Clapper — have found that plaintiffs failed to allege the requisite concrete injury for standing.
Yet there have also been some cases post-Clapper where courts found a basis for Article III standing. In Moyer v. Michaels Stores, for example, the U.S. District Court for the Northern District of Illinois found that plaintiffs sufficiently alleged injury for Article III standing in view of the Seventh Circuit’s decision in Pisciotta v. Old Natl. Bancorp, a pre-Clapper decision that held that consumers facing an increased risk of identity theft following a data breach can satisfy the injury requirement even if they suffer no concrete monetary loss. The district court in Moyer also distinguished Clapper as specially relating to the unique national security context at issue in that case, where there was no evidence that the relevant risk of harm had ever materialized in similar circumstances. Specifically, the district court stated that “Clapper applied the imminence requirement in an ‘especially rigorous’ fashion given that the merits of the case would have required the Court to decide whether the FISA Amendments Act of 2008 was unconstitutional.”
In the case of Adobe Systems Inc. Privacy Litigation, the U.S. District Court for the Northern District of California held that the plaintiffs sufficiently alleged an injury for Article III standing, citing as precedent the Ninth Circuit’s pre-Clapper decision in Krottner v. Starbucks Corp. that “the possibility of future injury may be sufficient to confer standing” where the plaintiff is “immediately in danger of sustaining some direct injury as the result of the challenged conduct.” The Adobe district court also distinguished Clapper as relating to circumstances where the risk of future harm was too speculative, whereas the personal information stolen from Adobe was known to be decrypted and had already surfaced on websites used by hackers. Likewise, in a lawsuit prompted by a Sony breach involving its online services for the PS3 and PSP gaming devices, the U.S. District Court for the Southern District of California held that the plaintiffs had standing because they alleged a “credible threat of impending harm” due to the public disclosure of their personal information following the data breach.
Consumer claims arising out of data breaches will only increase, as everything is being connected to the Internet, more and more information is being collected, stored, maintained and shared, and the number of cyber incidents is rapidly increasing. Accordingly, the evolution of the standing issues in data breach consumer class actions is a critical legal development. But it remains to be seen whether a clear consensus emerges on how “likely” an imminent harm must be to satisfy the injury prong of Article III standing requirements in data breach consumer class actions. Although there appears to be a subtle divergence among various district court jurisdictions, there have been no circuit court cases on point post-Clapper. Moreover, the different outcomes post-Clapper might be more attributable to distinctions in the facts before each court.
Other potential avenues for standing are evolving as well. On April 27, 2015, the Supreme Court granted certiorari in Spokeo Inc. v. Robins Inc. to address the issue of Article III standing raised in that case. Spokeo was sued for allegedly violating the Fair Credit Reporting Act by providing false information about the plaintiff on its website. The California district court granted Spokeo’s motion to dismiss for lack of standing, but the Ninth Circuit reversed, holding that (1) a plaintiff can suffer a violation of a statutory right without suffering actual damages, (2) the plaintiff in this particular case suffered a concrete and particularized injury in his handling of his credit information, and (3) the statutory monetary damages sought could redress the FCRA violation.
The question presented to the Supreme Court is whether Congress may confer Article III standing on a plaintiff by authorizing a private right of action based on violation of a federal statute. Although the precise question before the Supreme Court concerns standing based on a violation of a federal statute, the high court’s decision might have a broader impact on the types of claims brought in consumer data breach class actions and the lower courts’ resolution of the claims.
Originally published in Law360 on June 23, 2015