In Short

The Situation: Relating to a 2012 data breach lawsuit against Zappos.com, a district court had found that a certain group of plaintiffs lacked standing to sue because they "failed to allege instances of actual identity theft or fraud."

The Development: Reversing the lower court's decision, a unanimous Ninth Circuit panel has resurrected claims against Zappos.com, finding that the "imminent" risk of identity theft from the breach was enough to establish standing to sue.

Looking Ahead: Ninth Circuit litigants should consider the decision in determining how to respond to a data breach complaint.

A unanimous Ninth Circuit panel recently revived a data breach lawsuit against Zappos.com by holding that plaintiffs, whose personal information was stolen but not actually misused, had standing to sue, at least in the context of a motion to dismiss, because they faced a "substantial risk of identity theft." See In re Zappos.com, Inc., 884 F.3d 893 (9th Cir. 2018).

In re Zappos.com arises out of a January 2012 data breach in which hackers allegedly stole the names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million customers of the online retailer Zappos.com. While the district court found that one group of plaintiffs had standing to sue because they alleged "that actual fraud occurred as a direct result of the breach," the district court also concluded that a second group of plaintiffs lacked standing because they "failed to allege instances of actual identity theft or fraud." The second group of plaintiffs appealed the dismissal of their claims.

In reversing the dismissal of those plaintiffs' claims, the Ninth Circuit relied on its earlier decision in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). The plaintiffs in Krottner were employees of Starbucks whose Social Security numbers and other personal information were on a stolen laptop containing the unencrypted data. Although there was no indication the stolen data had been misused, the plaintiffs still alleged a sufficient injury because of their "increased risk of future identity theft."

As a threshold matter, the Ninth Circuit addressed for the first time whether Krottner was still good law in light of the Supreme Court's decision in Clapper v. Amnesty International USA, 568 U.S. 398 (2013).

In Clapper, a group of plaintiffs argued that certain surveillance procedures would allow the government to unlawfully intercept their confidential communications with non-U.S. persons. The plaintiffs ultimately lacked standing, however, because the future injury they alleged required too many speculative inferences; to establish standing, a threatened injury must instead be "certainly impending."

The Ninth Circuit contrasted the facts in Clapper, which it said required "a speculative multi-link chain of inferences," with the facts in Krottner, where the court concluded that the breach posed a "substantial risk" of identity theft. Because it found that those facts distinguished the cases, the Ninth Circuit concluded that Clapper and Krottner were not irreconcilable. Krottner therefore remained good law, and the district court had erred in dismissing the claims of those plaintiffs who could not allege an actual injury.

The decision is also potentially distinguishable on other facts. For example, the court also noted that other plaintiffs (whose claims were not at issue in the appeal) had specifically alleged that they suffered financial losses from the breach, and two other plaintiffs whose claims were at issue in the appeal claimed that hackers took over certain accounts and sent advertisements to people in their address books.

Finally, the Ninth Circuit expressly noted that its ruling in the context of a motion to dismiss did not ultimately resolve the standing issue. The court cautioned, "In opposing a motion for summary judgment, … Plaintiffs would need to come forward with evidence to support standing." The court bolstered that conclusion when it noted "a case may become moot as time progresses," suggesting that the mere "risk" of injury may not in the end be sufficient to support standing.

As the court noted, a ruling on a motion to dismiss in a data breach case may well turn on the nature of the data allegedly stolen and the substance of the allegations before the court. Litigants in the Ninth Circuit should take the In re Zappos.com decision into account in determining how to respond to a data breach complaint given the specific allegations in their cases and any further developments in the law.

Zappos, Inc. has petitioned the Ninth Circuit for rehearing by the panel, or alternatively, for rehearing en banc.

Two Key Takeaways

  1. In making its determination, the Ninth Circuit relied on its earlier decision in Krottner v. Starbucks Corp., where, although there was no indication the stolen data had been misused, the plaintiffs still alleged a sufficient injury because of their "increased risk of future identity theft."
  2. The court also noted that a ruling on a motion to dismiss in a data breach case may well turn on the nature of the data allegedly stolen and the substance of the allegations before the court.