On June 1, 2015, a U.S. District Court in Nevada dismissed a consolidated class action against Zappos stemming from a data breach in January 2012.  The court held that the plaintiffs lacked standing given their failure to identify any “instances of actual identity theft or fraud” since the data breach.  The court’s reasoning appears to align with other recent decisions that set the bar for standing in data breach litigation at a concrete showing of actual or imminent harm to affected individuals.

Zappos’ data breach saga began on January 15, 2012, when its servers in Kentucky and Nevada were hacked.  Personally identifiable information of approximately 24 million customers was stolen, including names, passwords, email addresses, phone numbers and physical addresses. However, unlike some other notable data breach incidents, only the last four digits of consumers’ credit card numbers were taken from Zappos’ servers.

Early in the case, the court initially denied a motion to dismiss for lack of standing, finding that the plaintiffs’ alleged need to pay for credit monitoring services in view of the breach was sufficient to establish standing.  The case was then stayed repeatedly pending mediation and settlement discussions, but the lack of resolution by March 2015 induced the court to take up Zappos’ renewed motion to dismiss.

The court reversed its prior ruling and granted the renewed motion “given developments in the caselaw dealing with standing of data-breach victims,” as well as the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), which held that allegations “of possible future injury are not sufficient.”  The court therefore determined that the named plaintiffs would need to allege and show that they personally had suffered actual or imminent injury and concluded that the plaintiffs made no such allegations.

The court then discounted plaintiffs’ three alternate theories of alleged injury, as follows:

  • The plaintiffs argued that they were harmed because their personal information was “devalued” and would sell for less on the black market subsequent to the breach.  The court rejected the theory as pure conjecture because, assuming such a value exists, none of the plaintiffs alleged trying to sell their information on the black market and experiencing such a devaluation.
  • The court also held that “an increased threat of future identity theft and fraud” was too speculative and did not constitute imminent harm, noting that “the majority of courts dealing with data-breach cases post-Clapper have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing.”  The court further noted that the plaintiffs failed to identify even a single incident of actual harm in the more than three years that had elapsed since the data breach.
  • Finally, the court held that plaintiffs could not establish harm by relying on alleged “costs to mitigate” potential threats, such as by purchasing credit monitoring services.  The court again relied on the Clapper decision, which explained that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”  Here too, the lack of actual or imminent harm was deemed fatal to the plaintiffs’ allegations.

A last opportunity does remain for the plaintiffs.  In dismissing the complaints without prejudice, the court granted the plaintiffs leave to amend their complaints in the event an occurrence of actual misuse of the stolen data has transpired since the earlier complaints were filed.
