Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re Zappos.Com, Inc., Customer Data Security Breach Litigation

United States Court of Appeals, Ninth Circuit

March 8, 2018

In re Zappos.Com, Inc., Customer Data Security Breach Litigation,
v.
Zappos.com., Inc., Defendant-Appellee. Theresa Stevens; Kristin O'Brien; Terri Wadsworth; Dahlia Habashy; Patti Hasner; Shari Simon; Stephanie Priera; Kathryn Vorhoff; Denise Relethford; Robert Ree, Plaintiffs-Appellants,

          Argued and Submitted December 5, 2017 San Francisco, California

         Appeal from the United States District Court for the District of Nevada Robert Clive Jones, Senior District Judge, Presiding D.C. No. 3:12-cv-00325-RCJ-VPC

          Douglas Gregory Blankinship (argued), Finkelstein Blankinship Frei-Pearson and Garber LLP, White Plains, New York; David C. O'Mara, The O'Mara Law Firm P.C., Reno, Nevada; Ben Barnow, Barnow and Associates P.C., Chicago, Illinois; Richard L. Coffman, The Coffman Law Firm, Beaumont, Texas; Marc L. Godino, Glancy Binkow & Goldberg LLP, Los Angeles, California; for Plaintiffs-Appellants.

          Stephen J. Newman (argued), David W. Moon, Brian C. Frontino, and Julia B. Strickland, Stroock & Stroock & Lavan LLP, Los Angeles, California; Robert McCoy, Kaempfer Crowell, Las Vegas, Nevada; for Defendant-Appellee.

          Before: John B. Owens and Michelle T. Friedland, Circuit Judges, and Elaine E. Bucklo, [*] District Judge.

         SUMMARY [**]

         Article III Standing

         The panel reversed the district court's dismissal, for lack of Article III standing, of plaintiffs' claims alleging that they were harmed by hacking of their accounts at the online retailer Zappos.com.

         The panel held that under Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), plaintiffs sufficiently alleged standing based on the risk of identity theft. The panel rejected Zappos's argument that Krottner was no longer good law after Clapper v. Amnesty International USA, 568 U.S. 398 (2013). And the panel held that plaintiffs sufficiently alleged an injury in fact under Krottner, based on a substantial risk that the Zappos hackers will commit identity fraud or identity theft. The panel assessed plaintiffs' standing as of the time the complaints were filed, not as of the present. The panel further held that plaintiffs sufficiently alleged that the risk of future harm they faced was "fairly traceable" to the conduct being challenged; and the risk from the injury of identity theft was also redressable by relief that could be obtained through this litigation.

         The panel addressed an issue raised by sealed briefing in a concurrently filed memorandum disposition.

          OPINION

          FRIEDLAND, CIRCUIT JUDGE

         In January 2012, hackers breached the servers of online retailer Zappos.com, Inc. ("Zappos") and allegedly stole the names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million Zappos customers. Several of those customers filed putative class actions in federal courts across the country, asserting that Zappos had not adequately protected their personal information. Their lawsuits were consolidated for pretrial proceedings.

         Although some of the plaintiffs alleged that the hackers used stolen information about them to conduct subsequent financial transactions, the plaintiffs who are the focus of this appeal ("Plaintiffs") did not. This appeal concerns claims based on the hacking incident itself, not any subsequent illegal activity.

         The district court dismissed Plaintiffs' claims for lack of Article III standing. In this appeal, Plaintiffs contend that the district court erred in doing so, and they press several potential bases for standing, including that the Zappos data breach put them at risk of identity theft.

         We addressed standing in an analogous context in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). There, we held that employees of Starbucks had standing to sue the company based on the risk of identity theft they faced after a company laptop containing their personal information was stolen. Id. at 1140, 1143. We reject Zappos's argument that Krottner is no longer good law after Clapper v. Amnesty International USA, 568 U.S. 398 (2013), and hold that, under Krottner, Plaintiffs have sufficiently alleged standing based on the risk of identity theft.[1]

         I.

         When they bought merchandise on Zappos's website, customers provided personal identifying information ("PII"), including their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information. Sometime before January 16, 2012, hackers targeted Zappos's servers, stealing the PII of more than 24 million of its customers, including their full credit card numbers.[2] On January 16, Zappos sent an email to its customers, notifying them of the theft of their PII. The company recommended "that they reset their Zappos.com account passwords and change the passwords 'on any other web site where [they] use the same or a similar password.'" Some customers responded almost immediately by filing putative class actions in federal district courts across the country.

         In these suits, Plaintiffs alleged an "imminent" risk of identity theft or fraud from the Zappos breach. Relying on definitions from the United States Government Accountability Office ("GAO"), they characterized "identity theft" and "identity fraud" as "encompassing various types of criminal activities, such as when PII is used to commit fraud or other crimes, " including "credit card fraud, phone or utilities fraud, bank fraud and government fraud."[3]

         The Judicial Panel on Multidistrict Litigation transferred several putative class action lawsuits alleging harms from the Zappos data breach to the District of Nevada for pretrial proceedings. After several years of pleadings-stage litigation, including a hiatus for mediation, the district court granted in part and denied in part Zappos's motion to dismiss the Third Amended Consolidated Complaint ("Complaint") and granted Zappos's motion to strike the Complaint's class allegations. The court distinguished between two groups of plaintiffs: (1) plaintiffs named only in the Third Amended Complaint who alleged that they had already suffered financial losses from identity theft caused by Zappos's breach, and (2) plaintiffs named in earlier complaints who did not allege having already suffered financial losses from identity theft.

         The district court ruled that the first group of plaintiffs had Article III standing because they alleged "that actual fraud occurred as a direct result of the breach." But the court ruled that the second group of plaintiffs (again, here referred to as "Plaintiffs") lacked Article III standing and dismissed their claims without leave to amend because Plaintiffs had "failed to allege instances of actual identity theft or fraud." The ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.