A class action seeking damages for a 2012 data breach at Zappos.com that impacted 24 million customers will move forward after the U.S. Court of Appeals for the Ninth Circuit reversed a dismissal of certain plaintiffs for lack of standing.

In January 2012, hackers breached the servers of Zappos.com and stole the names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million Zappos customers.

Several customers filed putative class actions against the online retailer, which were eventually consolidated into a multidistrict litigation in Illinois federal court. The plaintiffs alleged an “imminent” risk of identity theft or fraud in the breach.

Ruling on the defendant’s motion to dismiss for lack of standing, a federal district court issued a mixed decision. A group of plaintiffs who alleged they had already suffered financial losses from identity theft caused by Zappos’ breach had standing, but plaintiffs who did not allege such losses had their claims dismissed.

The second group of plaintiffs appealed to the Ninth Circuit, relying on Krottner v. Starbucks Corp., a 2010 case where the federal appellate panel held that employees of Starbucks had standing to sue the company based on the risk of identity theft they faced after a company laptop containing their personal information was stolen.

Zappos countered that Krottner was no longer good law after the Supreme Court’s 2013 decision in Clapper v. Amnesty International USA, which also addressed the question of standing based on the risk of future harm and found that a reasonable likelihood of future harm was not enough to show injury for standing purposes.

Since Clapper, however, the justices have acknowledged that plaintiffs canestablish standing where a “substantial risk” of future injury is demonstrated, the panel added.

Finding Krottner “not clearly irreconcilable with Clapper” and therefore binding, the court cited support from other federal appellate panels that have found standing based on a risk of harm.

“Plaintiffs allege that the type of information accessed in the Zappos breach can be used to commit identity theft, including by placing them at higher risk of ‘phishing’ and ‘pharming,’ which are ways for hackers to exploit information they already have,” the panel wrote. “Plaintiffs also allege that their credit card numbers were within the information taken in the breach … Congress has treated credit card numbers as sufficiently sensitive to warrant legislation prohibiting merchants from printing such numbers on receipts—specifically to reduce the risk of identity theft.”

In addition, two plaintiffs in the appeal claimed that the hackers took over their AOL accounts and sent advertisements to people in their address books. “Though not a financial harm, these alleged attacks further support Plaintiffs’ contention that the hackers accessed information that could be used to help commit identity fraud or identity theft,” the court said. “We thus conclude that Plaintiffs have sufficiently alleged an injury in fact under Krottner.”

Zappos’ argument that too much time has passed since the breach for any harm to be imminent was based on a “mistaken” understanding of the law, the Ninth Circuit said. The court assessed the plaintiffs’ standing as of January 2012, when the complaints were filed—not the present day.

Further concluding that the risk of future harm alleged by the plaintiffs was “fairly traceable” to Zappos’ failure to prevent the breach and the injury was redressable by relief that could be obtained through the litigation, the court reversed the dismissal based on lack of standing.

To read the opinion in Stevens v. Zappos.com, Inc., click here.

Why it matters: While the Ninth Circuit made clear that the evaluation of the risk of harm occurs at the time the complaint was filed, not the present day, it also noted that the complaint’s allegations will not sustain plaintiffs’ standing on their own as the case proceeds beyond the pleading stage. “In opposing a motion for summary judgment, for example, Plaintiffs would need to come forward with evidence to support standing,” the panel wrote. “But the passage of time does not change the relevant moment as to which Plaintiffs must establish that they had standing or heighten Plaintiffs’ burden in opposing the motion to dismiss.”