In re Zappos.Com, Inc., Customer Data Security Breach Litigation,
Theresa Stevens; Kristin O'Brien; Terri Wadsworth; Dahlia Habashy; Patti Hasner; Shari Simon; Stephanie Priera; Kathryn Vorhoff; Denise Relethford; Robert Ree, Plaintiffs-Appellants, v. Zappos.com, Inc., Defendant-Appellee.
Argued and Submitted December 5, 2017 San Francisco, California
Appeal from the United States District Court for the District of
Nevada Robert Clive Jones, Senior District Judge, Presiding
D.C. No. 3:12-cv-00325-RCJ-VPC
Douglas Gregory Blankinship (argued), Finkelstein Blankinship
Frei-Pearson and Garber LLP, White Plains, New York; David C.
O'Mara, The O'Mara Law Firm P.C., Reno, Nevada; Ben
Barnow, Barnow and Associates P.C., Chicago, Illinois;
Richard L. Coffman, The Coffman Law Firm, Beaumont, Texas;
Marc L. Godino, Glancy Binkow & Goldberg LLP, Los
Angeles, California; for Plaintiffs-Appellants.
Stephen J. Newman (argued), David W. Moon, Brian C. Frontino,
and Julia B. Strickland, Stroock & Stroock & Lavan
LLP, Los Angeles, California; Robert McCoy, Kaempfer Crowell,
Las Vegas, Nevada; for Defendant-Appellee.
Before: John B. Owens and Michelle T. Friedland, Circuit
Judges, and Elaine E. Bucklo, [*] District Judge.
The panel reversed the district court's dismissal, for lack
of Article III standing, of plaintiffs' claims alleging
that they were harmed by hacking of their accounts at the
online retailer Zappos.com.
The panel held that under Krottner v. Starbucks Corp.,
628 F.3d 1139 (9th Cir. 2010), plaintiffs sufficiently
alleged standing based on the risk of identity theft. The
panel rejected Zappos's argument that Krottner
was no longer good law after Clapper v. Amnesty
International USA, 568 U.S. 398 (2013). And the panel
held that plaintiffs sufficiently alleged an injury in fact
under Krottner, based on a substantial risk that the
Zappos hackers will commit identity fraud or identity theft.
The panel assessed plaintiffs' standing as of the time
the complaints were filed, not as of the present. The panel
further held that plaintiffs sufficiently alleged that the
risk of future harm they faced was "fairly
traceable" to the conduct being challenged; and the risk
from the injury of identity theft was also redressable by
relief that could be obtained through this litigation.
The panel addressed an issue raised by sealed briefing in a
concurrently filed memorandum disposition.
FRIEDLAND, CIRCUIT JUDGE
In January 2012, hackers breached the servers of online retailer
Zappos.com, Inc. ("Zappos") and allegedly stole the
names, account numbers, passwords, email addresses, billing
and shipping addresses, telephone numbers, and credit and
debit card information of more than 24 million Zappos
customers. Several of those customers filed putative class
actions in federal courts across the country, asserting that
Zappos had not adequately protected their personal
information. Their lawsuits were consolidated for pretrial
Although some of the plaintiffs alleged that the hackers used stolen
information about them to conduct subsequent financial
transactions, the plaintiffs who are the focus of this appeal
("Plaintiffs") did not. This appeal concerns claims
based on the hacking incident itself, not any subsequent
The district court dismissed Plaintiffs' claims for lack of
Article III standing. In this appeal, Plaintiffs contend that
the district court erred in doing so, and they press several
potential bases for standing, including that the Zappos data
breach put them at risk of identity theft.
We addressed standing in an analogous context in Krottner v.
Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). There,
we held that employees of Starbucks had standing to sue the
company based on the risk of identity theft they faced after
a company laptop containing their personal information was
stolen. Id. at 1140, 1143. We reject Zappos's
argument that Krottner is no longer good law after
Clapper v. Amnesty International USA, 568 U.S. 398
(2013), and hold that, under Krottner, Plaintiffs
have sufficiently alleged standing based on the risk of
When they bought merchandise on Zappos's website, customers
provided personal identifying information ("PII"),
including their names, account numbers, passwords, email
addresses, billing and shipping addresses, telephone numbers,
and credit and debit card information. Sometime before
January 16, 2012, hackers targeted Zappos's servers,
stealing the PII of more than 24 million of its customers,
including their full credit card numbers. On January 16,
Zappos sent an email to its customers, notifying them of the
theft of their PII. The company recommended "that they
reset their Zappos.com account passwords and change the
passwords 'on any other web site where [they] use the
same or a similar password.'" Some customers
responded almost immediately by filing putative class actions
in federal district courts across the country.
In these suits, Plaintiffs alleged an "imminent" risk
of identity theft or fraud from the Zappos breach. Relying on
definitions from the United States Government Accountability
Office ("GAO"), they characterized "identity
theft" and "identity fraud" as
"encompassing various types of criminal activities, such
as when PII is used to commit fraud or other crimes,"
including "credit card fraud, phone or utilities fraud,
bank fraud and government fraud."
The Judicial Panel on Multidistrict Litigation transferred
several putative class action lawsuits alleging harms from
the Zappos data breach to the District of Nevada for pretrial
proceedings. After several years of pleadings-stage
litigation, including a hiatus for mediation, the district
court granted in part and denied in part Zappos's motion
to dismiss the Third Amended Consolidated Complaint
("Complaint") and granted Zappos's motion to
strike the Complaint's class allegations. The court
distinguished between two groups of plaintiffs: (1)
plaintiffs named only in the Third Amended Complaint who
alleged that they had already suffered financial losses from
identity theft caused by Zappos's breach, and (2)
plaintiffs named in earlier complaints who did not allege
having already suffered financial losses from identity theft.
The district court ruled that the first group of plaintiffs had
Article III standing because they alleged "that actual
fraud occurred as a direct result of the breach." But
the court ruled that the second group of plaintiffs (again,
here referred to as "Plaintiffs") lacked Article
III standing and dismissed their claims without leave to
amend because Plaintiffs had "failed to allege instances
of actual identity theft or fraud." The ...