Zappos HQ (old city hall)
Zappos’ Las Vegas Headquarters (and the old Las Vegas City Hall)

Breach Level Index reports that an average of 59 personal data records are stolen or lost every second. But not every data breach shows up on the credit card bill next month. So when is a breach enough to support a federal case? The Ninth Circuit recently confirmed that the risk of identity theft alone is enough.

Several years ago, Zappos.com (an online shoe and clothing retailer owned by Amazon) was hacked. The hackers stole personal information from more than 24 million customers, including credit card numbers. Some of those customers filed class-action lawsuits. Several cases were consolidated in the District of Nevada, where Zappos is based. One class of plaintiffs alleged that the breach had exposed them to a greater risk of identity theft. The district court dismissed these claims for lack of standing because these plaintiffs had not alleged any financial harm as a result of that increased risk of identity theft.

The Ninth Circuit reversed, noting that an earlier lawsuit against Starbucks had found that the risk of identity theft was injury enough for Article III. The plaintiffs had alleged the same injury in the suit against Zappos: The information stolen from Zappos “gave hackers the means to commit fraud or identity theft . . . .” The court also noted that Congress had singled out credit card numbers for protection, banning retailers from printing them on receipts “specifically to reduce the risk of identity theft.” Because the personal nature of that information created a risk of identity theft the plaintiffs had standing to sue.

The Ninth Circuit also rejected Zappos’ argument that too much time had passed since the breach for any harm to be imminent. The court noted that when looking at the requirements of standing the only relevant time period is the time when the action was brought. And the “initial complaint against Zappos was filed on the same day that Zappos provided notice of the breach.”

The Ninth Circuit is in step with the other circuits on Article III and the risk of identity theft. The Sixth Circuit, for example, delivered a similar ruling in a claim against Nationwide in 2016, citing the Ninth Circuit’s decision in the Starbucks case—although the Sixth Circuit also noted that the plaintiffs were going to have to spend time and money on credit-monitoring.

You can read the Ninth Circuit’s opinion here and the Sixth Circuit’s opinion here.

Leave a comment