On March 8th, the Ninth Circuit Court of Appeals ruled in Stevens v. Zappos.com, Inc. that a group of Zappos customers whose accounts were hacked six years ago could bring a class action against the company, even though there is no evidence that hackers used the plaintiffs’ data.

Case Background

In January 2012, hackers breached the servers of online retailer Zappos.com, Inc. They allegedly stole 24 million customers’ data, including their names, email addresses, phone numbers, and credit card information. Many of these customers filed class actions in federal courts, asserting that Zappos had inadequately protected their personal information. Several of the class actions were consolidated in federal district court in Nevada.

The district court ruled that plaintiffs who had suffered financial losses from the data breach could pursue their claims, but plaintiffs who had not already suffered such losses lacked standing to sue. The latter group of plaintiffs appealed.

Appellate Court’s Reasoning

The Ninth Circuit Court of Appeals determining the plaintiffs had standing to file suit, reversing the district court. The Court of Appeals acknowledged that the constitutional principle of standing requires a plaintiff to show, among other factors, that it has suffered an actual or imminent injury, rather than a conjectural or hypothetical one. A plaintiff threatened with future injury has standing if there is a substantial risk that the harm will occur.

The Court of Appeals relied on its 2010 ruling in Krottner v. Starbucks Corp., in which Starbucks was sued by its employees after the theft of a company laptop containing the employees’ personal information. In Krottner, the court held that even though the employees had not suffered financial losses, they had standing to sue the company based on the increased risk of future identity theft.

Next, the Court of Appeals considered the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International USA. In that case, the plaintiffs challenged surveillance procedures authorized by federal statute, contending that their private telephone and email communications could be compromised. The Supreme Court held that the plaintiffs did not have standing, because the plaintiffs’ theory of injury relied on a series of inferences that were too speculative to present a threat of certainly impending injury.

The Court of Appeals distinguished its prior ruling in Krottner from the Supreme Court’s decision in Clapper, stating that the alleged injury in Krottner did not rely on a speculative multi-link chain of inferences like the alleged injury in Clapper did. The Court of Appeals also noted that the Supreme Court had used an especially rigorous analysis of standing because the case arose in a sensitive national security context and because the plaintiffs were asking the courts to declare actions of the executive and legislative branches unconstitutional. Finally, the court recognized a 2014 Supreme Court case holding that standing may be based on a future injury if there is a substantial risk that the harm will occur.

The Court of Appeals concluded that its Krottner decision controlled the result in the Zappos case. The cases were similar in that they both involved theft of sensitive data. The court concluded that the Zappos plaintiffs adequately alleged an injury supporting their standing.

The court acknowledged that the plaintiffs in Zappos had not alleged their social security numbers were stolen, as had occurred in Krottner. However, the information taken in the data breach still gave hackers the means to commit fraud or identity theft. The court noted that after the data breach, Zappos had urged affected customers to change their passwords. Furthermore, other Zappos customers allegedly had suffered financial losses due to the breach.

The Court of Appeals also rejected Zappos’ argument that too much time had passed since the breach for any harm to be imminent. The court stated that it looked at the state of the case at the time the complaint was filed, rather than at the time it considered the appeal. The plaintiffs had filed suit on the day Zappos notified them of the breach or soon thereafter. Further, the full extent of identity theft or identity fraud may not be revealed for years.

Effect on Companies

In the Zappos decision, the Court of Appeals broadly interpreted plaintiffs’ standing to bring lawsuits stemming from the potential for identity theft and identity fraud. The Zappos ruling keeps the door open to extensive and expensive litigation against companies whose data is breached. We strongly advise companies to maximize data security procedures. Although this can be time-consuming and costly, in the long run data security may seem like a bargain compared with a barrage of lawsuits.

Also note that the Court of Appeals mentioned Zappos’ after-the-fact attempt to protect its customers by urging them to change their passwords, and used this attempt against the company in considering it evidence that losses could be imminent. Although this is an unfortunate example of no good deed going unpunished, companies should continue trying to alleviate data breaches by informing the suspected victims of such breaches and telling them how best to protect their information going forward.