Stevens v. Zappos.com., Inc. (In re Zappos.com., Inc.)
888 F.3d 1020
| 9th Cir. | 2018Background
- In 2012 hackers stole personal identifying information (PII) from Zappos servers affecting >24 million customers, including credit card data and account credentials.
- Multiple putative class actions were filed and consolidated; plaintiffs here did not allege financial loss from subsequent misuse.
- The district court dismissed these plaintiffs for lack of Article III standing (they had not alleged actual identity theft).
- On appeal plaintiffs argued they had standing based on a substantial and imminent risk of identity theft from the breach.
- The Ninth Circuit reversed, holding plaintiffs adequately alleged an injury-in-fact based on increased risk of identity theft and remanded.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether plaintiffs have Article III standing based on risk of future identity theft | Risk from the data breach is imminent/substantial; stolen PII is the type used for identity theft | Risk is too speculative and time has passed so no present injury; standing should be assessed at present or at operative complaint | Plaintiffs have alleged a substantial risk of imminent harm and thus pleaded injury-in-fact under Krottner; standing exists |
| Whether Krottner remains good law after Clapper | Krottner remains controlling; theft of PII can create credible imminent risk | Clapper tightened the imminence requirement and undermines Krottner | Krottner and Clapper are not clearly irreconcilable; Krottner remains binding on these facts |
| Proper temporal point to assess standing (original v. amended complaint) | Standing can be evaluated based on the allegations in the operative complaint and original complaints; allegations here are materially the same | Standing must be assessed at the present/at amended complaint and time lapse defeats imminence | Whether assessed at original or amended complaints, allegations show imminent risk; facial attack not appropriate to resolve factual disputes |
| Whether causation and redressability are satisfied | Risk of harm is fairly traceable to Zappos' security failures; damages/injunctive relief can remedy injury | Other breaches or actors could have caused harm, undermining traceability | Causation and redressability adequately alleged; potential competing causes go to merits, not standing |
Key Cases Cited
- Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (stolen unencrypted employee data can create Article III standing based on substantial risk of identity theft)
- Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013) (future injury must be certainly impending; speculative multi-link inferences insufficient for standing)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (standing requires injury-in-fact, causation, and redressability; evidentiary burdens evolve through litigation)
- Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (data-breach plaintiffs can have standing because the purpose of hacks implies a risk of fraudulent misuse)