No Injury? No Problem: Mere Risk Of Identity Theft Can Establish Standing

Author: Mr David McDowell, Tiffany Cheung and Morgan Donoian MacBride
Profession: Morrison & Foerster LLP
 

Standing requirements have forced many a data breach action to stand down. Can a plaintiff have a claim (and on behalf of a massive class) when plaintiff hasn't suffered any harm? For those polling the Circuits, the Ninth Circuit votes "yes." And because no good deed goes unpunished, the Court interpreted defendant's helpful advice to consumers as an "acknowledgment" of the harm.

For years, district courts in the Ninth Circuit have debated whether the mere risk of future identity theft originating from a data breach constitutes an injury sufficient to confer Article III standing following the United States Supreme Court's decision in Clapper v. Amnesty Int'l USA, 133 S.Ct. 1138 (2013). On March 8, 2018, in In re Zappos.com, Inc., Customer Data Security Breach Litig., Case No. 16-16860 (9th Cir. 2018), the Ninth Circuit concluded that it did. The Court found that, notwithstanding the Supreme Court's decision in Clapper, its prior decision in Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010) - that the threat of future harm was sufficient to confer standing - remains the law in the Ninth Circuit.

In In re Zappos, the plaintiffs alleged that in 2012 hackers breached the servers of online retailer Zappos.com. The hackers allegedly stole the names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information for more than 24 million customers. While some of the plaintiffs alleged that the hackers actually used their stolen information to conduct financial transactions, other plaintiffs did not. Judge Robert C. Jones of the District of Nevada dismissed the claims of those plaintiffs who "failed to allege instances of actual identity theft or fraud" on the basis that they lacked Article III standing. Those plaintiffs appealed.

In re Zappos is the first time the Ninth Circuit considered whether Krottner could be reconciled with the Supreme Court's later decision in Clapper. In Krottner, the Ninth Circuit found that allegations of an "increased risk of future identity theft" resulting from the theft of a laptop represented a "credible threat of real and immediate harm" sufficient to establish Article III standing. In Clapper, however, the Supreme Court found that the "objectively reasonable likelihood" that plaintiffs' communications would be the subjects of governmental surveillance authorized by the Foreign Intelligence Surveillance Court did not rise to the level of a "certainly...
