On June 1, 2015, a federal judge in the District of Nevada dismissed a putative class action stemming from a 2012 breach of Zappos's servers containing customer information. In re Zappos.com, Inc., No. 3:12-CV-00325-RCJ-VP, 2015 WL 3466943 (D. Nev. June 1, 2015). Although account numbers, passwords, email addresses and physical addresses, and the last four digits of credit card numbers were involved, none of the plaintiffs alleged they suffered any actual misuse of their data or harm therefrom. Lacking a basis to allege such harm, the plaintiffs argued they had standing based on an increased threat of fraud in the future and because the intrinsic value of their data had been diminished. The court, acknowledging that it had previously concluded in 2013 that plaintiffs had standing based on money spent to monitor their credit, which would relate to the alleged threat of future fraud, noted that, "given developments in the caselaw dealing with standing of databreach victims," including the Clapper decision and its progeny, it was appropriate to review its prior ruling. The court went on to hold that the plaintiffs could not show that they faced an immediate threat of harm, particularly as three-and-a-half years had passed since the breach occurred, and that they therefore lacked standing to sue. The court also rejected the plaintiffs' argument that the value of their data had been diminished given that plaintiffs nowhere alleged that they attempted to sell their information and were "rebuffed because of a lower price-point attributable to the security breach."
On June 15, 2015, a decision by the Central District of California came out the other way. In Corona v. Sony Pictures Entm't, Inc., No. 14-CV-09600 RGK EX, 2015 WL 3916744 (C.D. Cal. June 15, 2015), former employees of Sony brought suit against the company stemming from the November 2014 cyber-attack on Sony's network that impacted the data of at least 15,000 current and former employees. The court held that the plaintiffs had standing based on their allegations that their data was posted on file-sharing websites for identity thieves to download and that some information had been used to send threatening emails to employees. The plaintiffs filed their motion for class certification at the end of June.