In a data breach putative class action, the U.S. Court of Appeals for the Ninth Circuit recently held that the plaintiffs sufficiently alleged Article III standing based on an alleged “increased risk of future identity theft.”

In so ruling, the Ninth Circuit rejected the defendant’s argument that Clapper v. Amnesty International USA, 568 U.S. 398 (2013), in which the Supreme Court of the United States held “an objectively reasonable likelihood” of injury was insufficient to confer standing, required dismissal.

A copy of the opinion in In re Zappos.com is available at: Link to Opinion.

In January 2012, hackers breached the servers of an online retailer and allegedly stole the names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million customers.

Several of these customers filed putative class actions in federal courts across the country, and the cases were consolidated for pretrial proceedings. Although some of the plaintiffs alleged that hackers used stolen information about them to make financial transactions, the plaintiffs in this appeal did not allege that they suffered financial losses of any kind from identity theft.

The trial court dismissed the plaintiffs’ claim for lack of Article III standing. This appeal followed.

On appeal, the Ninth Circuit had to determine whether the plaintiffs had standing to sue based on alleged risk of future harm. As you may recall, to have Article III standing:

a plaintiff must show (1) it has suffered an “injury in fact” that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81 (2000); see also Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).

A plaintiff threatened with future injury has standing to sue “if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk that harm will occur.’” Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2013).

The Ninth Circuit addressed Article III standing of victims of data theft in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). In Krottner, a thief stole a laptop containing personal information of approximately 97,000 employees. Krottner, 628 F.3d at 1140. Some employees sued and the only harm that most alleged was an “increased risk of future identity theft.” Id. at 1142. The Ninth Circuit held that this was sufficient for Article III standing, holding that the plaintiffs had “alleged a credible threat of real and immediate harm” because the laptop with their personal information had been stolen. Id. at 1143.

The retailer argued that the Supreme Court of the United States’s more recent ruling in Clapper v. Amnesty International USA, 568 U.S. 398 (2013) meant that Krottner did not control this case.

In Clapper, the plaintiffs challenged surveillance procedures authorized by federal law, and argued that they had Article III standing “because there [was] an objectively reasonable likelihood that their communications [would] be acquired at some point in the future.” Clapper, 568 U.S. at 401. The Supreme Court held that “an objectively reasonable likelihood” of injury was insufficient because the plaintiffs in Clapper relied on a multi-link chain of inferences that was “too speculative” to constitute a cognizable injury in fact. Id.

However, in the Ninth Circuit’s view, the plaintiffs’ alleged injury in Krottner did not require a speculative chain of inference. See Krottner, 628 F.3d at 1143. Rather, the Ninth Circuit explained that the laptop thief in Krottner had all the information he needed to open accounts or spend money in the plaintiffs’ names. Id. at 1142.

Moreover, the Ninth Circuit noted that Clapper’s standing analysis was “especially rigorous” because the case arose in a sensitive national security context involving intelligence gathering and foreign affairs, and because the plaintiffs were asking the courts to declare actions of the executive and legislative branches unconstitutional. Clapper, 568 U.S. at 408.

Therefore, the Ninth Circuit held that Krottner was not clearly irreconcilable with Clapper, and remained binding law.

Next, the Ninth Circuit applied Krottner to the plaintiffs’ allegations. Specifically, the Ninth Circuit compared the sensitivity of the stolen data in this case to that in Krottner.

The plaintiffs alleged that the information stolen from the retailer can be used to commit identity theft, including by placing them at higher risk of “phishing” and “pharming,” which were ways for hackers to exploit information they already have to obtain even more personal information. The plaintiffs also alleged that their credit card numbers were stolen. Although there was no allegation in this case that the stolen information included social security numbers as there was in Krottner, the Ninth Circuit found that the information taken in the data breach gave hackers the means to immediately commit fraud or identity theft.

Additionally, the Ninth Circuit noted that there were other plaintiffs in this case who alleged that the hackers had already commandeered their accounts or identities using information taken from the data breach. While those plaintiffs’ claims were not at issue in this appeal, according to the Ninth Circuit, their alleged harm undermined the retailer’s assertion that the stolen data cannot be used for fraud or identity theft.

The Court also noted that two plaintiffs whose claims were at issue in this appeal claimed that the hacker took over their AOL accounts, and sent advertisements to people in their address books. Though not a financial harm, as the Ninth Circuit explained, “these alleged attacks further support Plaintiffs’ contention that the hackers accessed information that could be used to help commit identity fraud or identity theft.”

Thus, the Ninth Circuit concluded that the plaintiffs had sufficiently alleged an injury in fact under Krottner.

The Court then turned to the remaining Article III requirements: whether the alleged risk of future harm is “fairly traceable” to the conduct challenged, and whether the injury will be redressed by the litigation.

In Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), the Seventh Circuit recognized “[t]he fact that some other store might [also] have caused the plaintiffs’ private information to be exposed does nothing to negate the plaintiffs’ standing to sue” and their injury was nonetheless “fairly traceable” to the defendant’s data breach. Remijas, 794 F.3d at 697.

Relying on Remijas, the Ninth Circuit determined that even if the plaintiffs suffered identity theft or fraud caused by data stolen in other breaches (rather than the data stolen from the vendor in this case), it would not negate their standing to sue. As the Ninth Circuit explained, those issues were more about the merits of causation and damages and less about standing.

The Ninth Circuit also found that the risk of identity theft was redressable by relief that could be obtained through this litigation. Namely, if the plaintiffs succeeded on the merits, any proven injury could be compensated through damages. See Remijas, 794 F.3d at 696-97.

Accordingly, the Ninth Circuit reversed the trial court’s judgment as to the plaintiffs’ standing and remanded to the trial court for further proceedings.