For years, district courts in the Ninth Circuit have grappled with the question of whether the threat of future harm arising out of a data breach is still sufficient for purposes of Article III standing following the Supreme Court's decision in Clapper v. Amnesty Int'l USA, 133 S.Ct. 1138 (2013). Earlier this month, a three-judge panel in the Ninth Circuit determined that it did, confirming that notwithstanding the Supreme Court's decision in Clapper, the Ninth Circuit's 2010 decision in Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010) − that an increased risk of identity theft is sufficient for purposes of Article III standing − remains good law.
By so holding, the Ninth Circuit joins the Sixth, Seventh and DC Circuits, which have concluded that the threat of future harm is sufficient for purposes of Article III standing. See, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015); Galaria v. Nationwide Mutual Ins. Co., 663 Fed. Appx. 384 (6th Cir. 2016); Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), cert. denied, No. 17-641, 2018 WL 942459 (U.S. Feb. 20, 2018).
In In re Zappos.Com, Inc., Customer Data Security Breach Litig., Case No. 16-16860 (9th Cir. March 8, 2018), plaintiffs alleged that hackers breached Zappos's servers, stealing names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information for more than 24 million customers. Some of the plaintiffs alleged that the hackers used stolen information to conduct financial transactions, while others did not. The lower court dismissed the claims of those plaintiffs who did not allege any fraudulent transactions on the ground that increased risk of identity theft was insufficient injury for purposes of Article III standing.
On appeal, the three-judge panel rejected Zappos's argument that the Ninth Circuit's decision in Krottner, which involved the theft of a computer containing unencrypted personally identifiable information (PII), including social security numbers, for Starbucks employees, was no longer good law following the Supreme Court's decision in Clapper. The panel distinguished Clapper. It noted that the plaintiffs' alleged injury in Krottner "did not require a speculative multi-link chain of inferences" because "the Krottner laptop thief had all the information he needed to open accounts or spend money in the plaintiffs' names − actions that Krottner collectively treats as 'identity theft.'" This was not the case in Clapper. Based on this, the Court concluded that Clapper and Krottner were not "clearly irreconcilable," and Krottner remained good law.
With respect to the case at bar, the panel determined that, even though the Zappos breach did not result in the exposure of social security numbers and other sensitive personal information as was the case in Krottner, "the sensitivity of the stolen data" in the Zappos case was "sufficiently similar" to that in Krottner. On this basis, the panel concluded that the plaintiffs had alleged sufficient injury for purposes of Article III standing. The panel reasoned that "the information taken in the data breach still gave hackers the means to commit fraud or identity theft, as Zappos itself effectively acknowledged by urging affected customers to change their passwords on any other account where they may have used 'the same or a similar password.'"
This statement is certainly debatable. Theft of an online password on its own does not provide enough information to commit financial fraud or identity theft. Indeed, in contrast to breaches of all other categories of information that trigger a notice requirement under the law, California's breach notice law does not require warning users of the risk of identity theft or fraud in the case of breaches of online account passwords.
This decision is troubling for companies that suffer a breach that triggers a notification requirement under California law because the statute mandates statements warning consumers about risk to their data or online accounts, and the panel seized on this mandatory language to find that the plaintiffs had standing.
Although the decision is a significant win for the plaintiffs' data breach litigation bar, all is not lost for companies that face class actions following a data breach. In reaching its conclusion that the plaintiffs had standing to pursue their case, the panel distinguished the Eighth Circuit's ruling that the plaintiffs lacked standing to pursue multi-district litigation in In Re SuperValu, Inc., Customer Data Sec. Breach Litig., 870 F.3d 763 (8th Cir. 2017) on the ground that "no other PII, such as addresses, telephone numbers, or passwords, was stolen in that case." The panel also distinguished the Fourth Circuit's decision in Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied sub nom Beck v. Shulkin, 137 S.Ct. 2307 (2017), on the ground that plaintiffs in that case had not alleged that the thief who stole the laptop containing patient information had "intentionally targeted the personal information compromised" in that case. The panel's discussion of these two cases demonstrates that the standing inquiry remains an inherently factual question that, on different facts, may yield a different result.
In addition, the panel emphasized that even though the plaintiffs had sufficiently alleged Article III standing in their complaint, "as litigation proceeds beyond the pleadings stage, the Complaint's allegations will not sustain Plaintiffs' standing on their own."
Thus, while plaintiffs litigating within the Ninth Circuit may be able to withstand a motion to dismiss based on allegations that the breach put them at risk of future harm, Article III standing may still prove a viable defense at later stages in the case if plaintiffs are unable to prove it. This may indeed be the case in Zappos, since the panel's ruling appears to be predicated in part on the plaintiffs' apparently incorrect allegations that full credit card numbers were stolen.