Summary: Several putative class action lawsuits were filed as the result of a January 2012 hack attack on online retailer Zappos.com, Inc.’s servers. The hack allowed the theft of personal identifying information (“PII”) of more than 24 million Zappos customers. There was an MDL set up in the District of Nevada to handle pretrial proceedings. Zappos filed a motion to dismiss the third amended consolidated complaint and a motion to strike the class allegations. The Court grouped the various plaintiffs into (1) those who alleged that they had financial losses from identity theft; and (2) those named in earlier complaints who did not allege having financial losses from identity theft. The District Court ruled that the group alleging they already had financial losses had Article III standing. However, the district judge ruled the second group “lacked Article III standing and dismissed their claims without leave to amend because plaintiffs had ‘failed to allege instances of actual identity theft or fraud.’” The 9th Circuit reversed on appeal.
The 9th Circuit stated that it had addressed standing in a similar context in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). In that case the Court “held that employees of Starbucks had standing to sue the company based on the risk of identity theft they faced after a company laptop containing their personal information was stolen…We reject Zappos’s argument that Krottner is no longer good law after Clapper v. Amnesty International USA, 508 U.S. 398, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013), and hold that, under Krottner, Plaintiffs have sufficiently alleged standing based on the risk of identity theft.”
The Court made clear that the attack Zappos made was presented “as a facial, not a factual, attack on standing.” Because it was a facial attack in a FRCP 12(b)(1) motion, “we take the allegations in the plaintiff’s complaint as true.” Citing Whisnant v. United States, 400 F.3d 1177, 1179 (9th Cir. 2005).) Importantly, the Court noted the plaintiffs had alleged “an imminent risk of identity theft or fraud from the Zappos breach.” The Court quoted from Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334, 2341 (2014) supporting the proposition that any plaintiff “threatened with future injury has standing to sue if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.” Quoting Clapper v. Amnesty Int’l USA, supra (internal quotation marks omitted). By quoting from Susan B. Anthony, the Court signaled its conclusion that Krottner remained good law after Clapper and still controlled.
The Court proceeded to discuss Clapper and Krottner at length. That discussion included Clapper’s multi-link analysis which caused the Supreme Court to conclude the plaintiffs’ “multi chain of inferences was… ‘too speculative’ to constitute a cognizable injury in fact. However, unlike Clapper, Krottner and the plaintiffs in the Zappos putative class action litigation did not have multi-link chains of inferences. Furthermore, there was no national security or separation of powers concerns as were present in Clapper. As noted by the Court in Susan B. Anthony, “[a]n allegation of future injury may suffice if the threatened injury is ‘certainly impending’ or there is a ‘substantial risk that the harm will occur.’” The 9th Circuit further noted that its reconciliation of Clapper with Klottner was consistent with rulings from the D.C. and 7th Circuits. The Court found the allegations by plaintiffs were comparable to the allegations in Krottner and for that reason held “plaintiffs have sufficiently alleged an injury in fact based on a substantial risk that the Zappos hackers will commit identity fraud or identity theft.” The Court also cited for support the 4th Circuit decision in Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied sub nom., Beck v. Shulkin, 137 S.Ct. 2307 (2017).
The additional Article III standing requirements had also been satisfied. “Plaintiffs sufficiently allege that the risk of future harm they face is ‘fairly traceable’ to the conduct being challenged—here, Zappos’s failure to prevent the breach.” The Court concluded its analysis stating that the “injury from the risk of identity theft is also redressable by relief that could be obtained through this litigation” because “at least some of their requested injunctive relief would limit the extent of the threatened injury by helping Plaintiffs to monitor their credit and the like.”
The In re Zappos.com, Inc. case is another important Article III standing case clarifying the standing rules since Clapper and Spokeo. Class action practitioners need to continue reading and analyzing the numerous cases confronting and ruling on the important Article III standing issue.