On March 8, 2018, the Ninth Circuit Court of Appeals (“Ninth Circuit”) reversed a decision from the United States District Court for the District of Nevada. The trial court found that one subclass of plaintiffs in In re Zappos.Com, Inc. Customer Data Security Breach Litigation, had not sufficiently alleged injury in fact to establish Article III standing. The opinion focused on consumers who did not allege that any fraudulent charges had been made using their identities, despite hackers accessing their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information in a 2012 data breach.
As a threshold matter, this was the first occasion the Ninth Circuit had to find that its 2010 data breach standing precedent in Krottner v. Starbucks could be reconciled with the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. In Krottner, the Ninth Circuit found that the theft of a laptop containing consumers’ personally identifying information raised a “credible threat of real and immediate harm.” In Clapper, the U.S. Supreme Court held that the “objectively reasonable likelihood” that plaintiffs’ communications would be swept up in FISA surveillance did not rise to level of a “certainly impending injury” necessary to establish Article III standing.
The Ninth Circuit noted the series of inferences alleged by the Clapper plaintiffs, where none of their communications had yet been intercepted, much less under the specific statute that plaintiffs were challenging. In Krottner, however, the thief had acquired all of the information necessary to steal the plaintiffs’ identities once he or she accessed the stolen laptop. Similarly, in In re Zappos, the Ninth Circuit reasoned that plaintiffs had alleged that hackers had accessed enough data to enable the hackers to steal their identities.
The Ninth Circuit left open the possibility that plaintiffs might not be able to present sufficient evidence to support standing at summary judgment. But it joined a growing list of federal circuit courts finding that Article III standing in consumer data breach litigation can be “based on the hacking incident itself, not any subsequent illegal activity.”