In re Zappos.com, Inc. Customer Data Security Breach – Big 9th Cir. Opinion

On March 8, 2018, the 9th Circuit Court of Appeals published its opinion on In re Zappos.com, Inc., Customer Data Security Breach Litigation, No. 16-16860 (9th Cir. 2018).

The case has nothing to do with shoes — except the fact that Plaintiffs were Zappos customers whose private identifying data was stolen by some thieves who hacked into Zappos’ system. Plaintiffs were some of the 24 million Zappos customers whose info got stolen. 

Some of these unfortunate customers actually were victims of identity theft. Hackers used some customers’ info to commit fraudulent transactions (and may have bought some killer shoes — I don’t know).

Some other customers didn’t experience any immediate ill effects from the breach. But now that their data was in the wrong hands, they were afraid that they could be victims of identity theft at any time. Sounds like a reasonable fear, right?

These customers were tired of “waiting for the other shoe to drop,” so to speak, so they sued too. Consumers brought multiple different class action lawsuits against Zappos, which were eventually consolidated into one case to make it manageable for the courts.

But here’s the tricky part about bringing a lawsuit in federal court. You must have “standing” to do so under Article III of the U.S. Constitution.

The subject of Article III standing can go down a deep rabbit hole pretty fast. It’s not generally part of the high school civics curriculum, and it famously stumps law students. So, I’ll do my best to make it simple, and explain why the lower court treated the consumers who had suffered identity theft differently from those who were at risk for it.

Let’s say you are really into birds. You’re like Jack Black’s character — no, you’re Owen Wilson’s character — in the film “The Big Year.” You’re such a bird nerd you’ll travel around the world to catch a glimpse of a rare bird in the wild. And, the Endangered Species Act is important to you because you want to see these birds thrive for generations.

Well, one day you find out that two agencies that decide what animals get listed on the Endangered Species List decided that the government is only going to care about actions affecting species within the United States. This makes no sense to you. So along with a couple of your favorite environmental organizations, you sue the Secretary of the Interior (where the buck stops) and ask the court to order the government to change its regulation.

Eventually your case makes it all the way to the United States Supreme Court. And what does the Court say? Sorry, buddy. There was this one case a while back called Lujan v. Defenders of Wildlife, and even if you like birds more than the plaintiffs in that case liked crocodiles and elephants, you don’t have a case. You don’t have “standing” to bring a lawsuit. You have not suffered an “injury” to a “legally protected interest” that is “sufficiently concrete and particularized” and that is likely to be made any better by your lawsuit. Your connection to the government’s actions and your disappointment are just too wishy-washy for this to be something the courts should care about. You’re speculating and whining. And everyone agrees. Go back to your grassroots public interest campaign.

The founders of this country were clear that certain things belong in the court system — “cases and controversies” — and certain things belong to the other branches of government, and good luck having any influence on those. If you’d like to rub salt in your wounds, read the opinion: Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992).

Sounds kind of harsh, right? “But we are not talking about bird watching here,” you say. “We are talking about the security and privacy of personal financial data! A bird might be starving in some other country because it has lost its habitat, but what about me, up all night worrying that a hacker might buy 100 pairs of shoes and foot me with the bill? Won’t the courts take me seriously then?”


The short answer is yes. The long answer is, plead your case carefully, and hope you live in the 9th Circuit.

The Supreme Court reiterated in Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016) that in order to have Article III standing you must have a concrete and particularized injury-in-fact in addition to a statutory claim. The Supreme Court was willing to allow for the possibility that you could have a “concrete,” yet “intangible” harm, but just meeting the criteria for a statutory violation isn’t enough.

So, why all this talk about birds and shoes on a site devoted to credit reporting?

Spokeo is a Fair Credit Reporting Act case.

The consumer, Robins, sued Spokeo because Spokeo, one of those people-search websites, published on the interwebs that the consumer was a different guy, with a different marital status, age and job. Spokeo, Inc. didn’t steal Robins’ wallet or punch him in the face, but Robins was possibly harmed in intangible ways that were still “concrete.” Don’t we all want the truth told about us? Can you think of ways that an incorrect page about you online could hurt your reputation? But the Supreme Court wouldn’t make the judgment call on whether Robins was harmed or had a “material risk” of harm beyond just being able to point at the Fair Credit Reporting Act statute to say “duh, see?” So, the Supreme Court sent the case back home to the 9th Circuit Court of Appeals.

Once Robins’ case was back in the hands of the 9th Circuit, the Appeals Court was quick to find that a false people-search report was not merely a technical procedural violation of the FCRA and was sufficiently “concrete” to support Article III standing. The Appeals Court made it clear that the consumer will have to connect the dots between the violation and the harm that flowed from it. You can read the opinion here: Robins v. Spokeo, Inc., 867 F.3d 1108 (9th Cir. 2017).

So now let’s get back to the Zappos, Inc. data breach case.

The 9th Circuit’s opinion is a big one for consumers because it recognizes that anxiously worrying about whether hackers will commit identity theft against you with the information they stole is a material risk of harm. “Waiting for the other shoe to drop” is therefore a sufficiently concrete injury-in-fact to have standing to sue Zappos, Inc. and allege that Zappos didn’t have good enough safeguards in place to protect your data from hackers. And, as the Appeals Court pointed out, you don’t need to make a lot of assumptions or inferences to get from “hackers stole my data” to “hackers, posing as me, on manic shopping spree.” While we don’t know for sure what a criminal will or won’t do, it’s not farfetched, and we can trace it to its root cause.

The impact of this opinion is potentially an even bigger win for consumers since data breaches are in the news all the time these days, and there are plenty of cases still pending that arose out of the large-scale data breach announced by Equifax in September 2017.

Read the opinion here: In re Zappos.com, Inc.

And if you are a victim of identity theft, go to www.identitytheft.gov and call my office for a consultation at 206-529-5195. I have successfully litigated identity theft cases and helped people clean up the mess.