In In re Zappos.com, Inc., Customer Data Security Breach Litigation (9th Cir., Mar. 8, 2018), the U.S. Court of Appeals for the 9th Circuit issued a decision that represents a more expansive way to understand data security harm. The case arises out of a breach where hackers stole personal data on 24 million+ individuals. Although some plaintiffs alleged they suffered identity theft as a result of the breach, other plaintiffs did not. The district court held that the plaintiffs that hadn’t yet suffered an identity theft lacked standing.
Standing is a requirement in federal court that plaintiffs must allege that they have suffered an “injury in fact” — an injury that is concrete, particularized, and actual or imminent. If plaintiffs lack standing, their case is dismissed and can’t proceed. For a long time, most litigation arising out of data breaches was dismissed for lack of standing because courts held that plaintiffs whose data was compromised in a breach didn’t suffer any harm. Clapper v. Amnesty International USA, 568 U.S. 398 (2013). In that case, the Supreme Court held that the plaintiffs couldn’t prove for certain that they were under surveillance. The Court concluded that the plaintiffs were merely speculating about future possible harm.
Early on, most courts rejected standing in data breach cases. A few courts resisted this trend, including the 9th Circuit in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). There, the court held that an increased future risk of harm could be sufficient to establish standing.
Then along came Clapper, adding ammunition to the courts rejecting standing. Courts found no standing in cases brought by plaintiffs with a theory that a breach resulted in an increased risk of future harm.
But in the past few years, some courts have begun to begun to embrace the theory that increased risk of future harm is a sufficient injury to satisfy the standing requirement. In Zappos, the defendants argued that Clapper rejected the theory in Krottner, and thus, Krottner should no longer be viable. The 9th Circuit, however, held that Clapper didn’t reject the risk of future injury theory entirely, only when there wasn’t a “substantial risk that the harm will occur.”
The Zappos court concluded that in the Zappos breach, there was such a substantial risk. The court reasoned that the the “information taken in the data breach still gave hackers the means to commit fraud or identity theft, as Zappos itself effectively acknowledged by urging affected customers to change their passwords on any other account where they may have used ‘the same or a similar password.’”
Now, there’s a major circuit split on the issue of whether the increased risk of future harm can be sufficient for standing. Here’s a chart of some of the cases in the split over the past few years:
For those of you who are interested in the issue of data breach harm, I recently published an article about it:
Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018)
Here’s a post that summarizes the article: