[BreachExchange] Ninth Circuit Finds Data Breach Customers Have Initial Standing to Sue

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 6 21:51:08 EDT 2018


https://www.lexology.com/library/detail.aspx?g=a17b35a3-6c22-4f31-b75f-ec0ae3220aed

In Short

The Situation: Relating to a 2012 data breach lawsuit against Zappos.com, a
district court had found that a certain group of plaintiffs lacked standing
to sue because they "failed to allege instances of actual identity theft or
fraud."

The Development: In reversal of the lower court's decision, a unanimous
Ninth Circuit panel has resurrected claims against Zappos.com, finding that
the "imminent" risk of identity theft from the breach was enough to
establish standing to sue.

Looking Ahead: Ninth Circuit litigants should consider the decision in
determining how to respond to a data breach complaint.

A unanimous Ninth Circuit panel recently revived a data breach lawsuit
against Zappos.com by holding that plaintiffs, whose personal information
was stolen but not actually misused, had standing to sue, at least in the
context of a motion to dismiss, because they faced a "substantial risk of
identity theft." See In re Zappos.com, Inc., 884 F.3d 893 (9th Cir. 2018).

In re Zappos.com arises out of a January 2012 data breach in which hackers
allegedly stole the names, account numbers, passwords, email addresses,
billing and shipping addresses, telephone numbers, and credit and debit
card information of more than 24 million customers of the online retailer
Zappos.com. While the district court found that one group of plaintiffs had
standing to sue because they alleged "that actual fraud occurred as a
direct result of the breach," the district court also concluded that a
second group of plaintiffs lacked standing because they "failed to allege
instances of actual identity theft or fraud." The second group of
plaintiffs appealed the dismissal of their claims.

In reversing the dismissal of those plaintiffs' claims, the Ninth Circuit
relied on its earlier decision in Krottner v. Starbucks Corp., 628 F.3d
1139 (9th Cir. 2010). The plaintiffs in Krottner were employees of
Starbucks whose Social Security numbers and other personal information were
on a stolen laptop containing the unencrypted data. Although there was no
indication the stolen data had been misused, the plaintiffs still alleged a
sufficient injury because of their "increased risk of future identity
theft."

As a threshold matter, the Ninth Circuit addressed for the first time
whether Krottner was still good law in light of the Supreme Court's
decision in Clapper v. Amnesty International USA, 568 U.S. 398 (2013).

In Clapper, a group of plaintiffs argued that certain surveillance
procedures would allow the government to unlawfully intercept their
confidential communications with non-U.S. persons. The plaintiffs
ultimately lacked standing, however, because the future injury they alleged
required too many speculative inferences. Instead, the threatened injury
must be "certainly impending" to establish standing.

The Ninth Circuit contrasted the facts in Clapper, which it said required
"a speculative multi-link chain of inferences," with the facts in Krottner,
where the court concluded that the breach posed a "substantial risk" of
identity theft. Based on the facts that the Ninth Circuit found
distinguished the cases, the Ninth Circuit concluded that Clapper and
Krottner were not irreconcilable. Thus, the Ninth Circuit concluded that
Krottner remained good law and that the district court had erred in
dismissing the claims of those plaintiffs who could not allege an actual
injury.

The decision is also potentially distinguishable on other facts. For
example, the court also noted that other plaintiffs (whose claims were not
at issue in the appeal) had specifically alleged that they suffered
financial losses from the breach, and two other plaintiffs whose claims
were at issue in the appeal claimed that hackers took over certain accounts
and sent advertisements to people in their address books.

Finally, the Ninth Circuit expressly noted that its ruling in the context
of a motion to dismiss did not ultimately resolve the standing issue. The
court cautioned, "In opposing a motion for summary judgment, … Plaintiffs
would need to come forward with evidence to support standing." The court
bolstered that conclusion when it noted "a case may become moot as time
progresses," suggesting that the mere "risk" of injury may not in the end
be sufficient to support standing.

As the court noted, a ruling on a motion to dismiss in a data breach case
may well turn on the nature of the data allegedly stolen and the substance
of the allegations before the court. Litigants in the Ninth Circuit should
take the In re Zappos.com decision into account in determining how to
respond to a data breach complaint given the specific allegations in their
cases and any further developments in the law.

Zappos, Inc. has petitioned the Ninth Circuit for rehearing by the panel,
or alternatively, for rehearing en banc.

Two Key Takeaways

1. In making its determination, the Ninth Circuit relied on its earlier
decision in Krottner v. Starbucks Corp., where, although there was no
indication the stolen data had been misused, the plaintiffs still alleged a
sufficient injury because of their "increased risk of future identity
theft."
2. The court also noted that a ruling on a motion to dismiss in a data
breach case may well turn on the nature of the data allegedly stolen and
the substance of the allegations before the court.