Last week, the Ninth Circuit held that the victims of a 2012 data breach of Zappos.com (“Zappos”) faced a “substantial risk” of future identity theft that was sufficient to meet the injury in fact requirement for Article III standing. Stevens v. Zappos.com, Inc. (In re Zappos.com, Inc., Customer Data Sec. Breach Litig.), 2018 U.S. App. LEXIS 5841 (Mar. 8, 2018).
Sometime before January 16, 2012, hackers breached Zappos’s servers and allegedly stole more than 24 million customers’ names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information. Following the breach, customers around the country filed class action lawsuits against Zappos, alleging negligence, breach of contract, unjust enrichment and breach of the covenant of good faith and fair dealing, as well as violations of various states’ deceptive trade practices, consumer protection acts, and data breach notification statutes. In June 2012, six of the class action suits were consolidated in the U.S. District Court for the District of Nevada. Some plaintiffs had alleged that they had already suffered financial losses from identity theft resulting from the breach. Other plaintiffs had alleged that although they had not yet suffered financial losses from identity theft, there was an “imminent” risk they would suffer such harms in the future. Zappos moved to dismiss the plaintiffs’ claims for lack of Article III standing.
In May 2016, the district court granted in part and denied in part Zappos’s motion to dismiss the plaintiffs’ Third Amended Consolidated Complaint. The district court found that “the first group of plaintiffs had Article III standing because they alleged ‘that actual fraud occurred as a direct result of the breach,’” but the second group plaintiffs lacked standing because they “‘failed to allege instances of actual identity theft or fraud.’” Id. at *5-6. The plaintiffs appealed.
The Ninth Circuit focused its analysis on a case the district court did not consider, Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). “In Krottner, a thief stole a laptop containing ‘the unencrypted names, addresses, and social security numbers of approximately 97,000 Starbucks employees.’” Id. at *6-7 (citing Krottner, 628 F.3d at 1140). The plaintiffs in Krottner successfully alleged an Article III harm because the “increased risk of future identity theft” amounted to “‘a credible threat of real and immediate harm’ because the laptop with their [personally identifiable information] had been stolen.’” Id. at *7 (citing Krottner, 628 F.3d at 1143).
Zappos argued that Krottner fell short of the standards set forth in Clapper v. Amnesty International USA, which held that a “threatened injury must be certainly impending to constitute injury in fact.” 568 U.S. 398, 401 (2013) (citations omitted). In Clapper, a group of “‘attorneys and human rights, labor, legal, and media organizations whose work allegedly require[d] them to engage in sensitive and sometimes privileged telephone and e-mail communications with . . . individuals located abroad,’” challenged surveillance procedures authorized by the Foreign Intelligence Surveillance Act of 1978 (“FISA”). Id. at *8 (citing Clapper, 568 U.S. at 401, 406). The plaintiffs argued they had standing under Article III because there was an objectively reasonable likelihood that the government would use FISA to acquire their communications in the future. Clapper, 568 U.S. at 401. The Supreme Court found that the plaintiffs’ “theory of standing, which relies on a highly attenuated chain of possibilities, does not satisfy the requirement that threatened injury must be certainly impending.” Clapper, 568 U.S. at 410 (citations omitted).
The Ninth Circuit rejected Zappos’ argument that Krottner conflicted with Clapper.
Unlike in Clapper, the plaintiffs’ alleged injury in Krottner did not require a speculative multi-link chain of inferences. See Krottner, 628 F.3d at 1143. The Krottner laptop thief had all the information he needed to open accounts or spend money in the plaintiffs’ names—actions that Krottner collectively treats as “identity theft.” Id. at 1142. Moreover, Clapper’s standing analysis was “especially rigorous” because the case arose in a sensitive national security context involving intelligence gathering and foreign affairs, and because the plaintiffs were asking the courts to declare actions of the executive and legislative branches unconstitutional. Clapper, 568 U.S. at 408 (quoting Raines v. Byrd, 521 U.S. 811, 819 (1997)). Krottner presented no such national security or separation of powers concerns.
Id. at *10. The Ninth Circuit then pointed out other cases where the Supreme Court had found that a “substantial risk” of injury satisfied Article III, including Susan B. Anthony List v. Driehaus. In that case, the Supreme Court stated that “[a]n allegation of future injury may suffice if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk that the harm will occur.’” Id. at 10-11 (citing Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (quoting Clapper, 568 U.S. at 414 & n.5)).
Having determined that Krottner did not conflict with Clapper, the Ninth Circuit explained that in Krottner “the sensitivity of the personal information, combined with its theft, led us to conclude that the plaintiffs had adequately alleged an injury in fact supporting standing.” Stevens, 2018 U.S. App. LEXIS 5841 at *11 (citing Krottner, 628 F.3d at 1143). The Ninth Circuit then found that the data stolen from Zappos’s servers was sensitive enough to give “hackers the means to commit fraud or identity theft” and was thus similar enough the data stolen in Krottner to support a finding that the plaintiffs who had not yet experienced fraud as a result of the breach had adequately alleged an injury in fact. Id. at 11-12. The court further noted that the existence of a different class of plaintiffs that allegedly had already experienced fraud as a result of the breach, “undermines Zappos’s assertion that the data stolen in the breach cannot be used for fraud or identity theft.” Id. at *13. The Ninth Circuit remanded the case to the district court for further proceedings.
Stevens is one of the most recent Ninth Circuit cases to address standing in the context of data breach and privacy violations. While standing remains a substantial hurdle for data breach plaintiffs, Stevens and Krottner demonstrate that when a thief or hacker acquires information sensitive enough to perpetrate future identity fraud, the risk of harm is likely substantial enough to satisfy the injury in fact requirement for Article III standing.