884 F.3d 893
9th Cir.2018Background
- In January 2012 hackers breached Zappos’s servers and accessed personal identifying information (PII) for >24 million customers, including names, emails, addresses, passwords, and credit/debit card data. Zappos alerted customers and advised changing passwords.
- Multiple putative class actions were filed and consolidated in the District of Nevada; some plaintiffs alleged actual financial loss from subsequent misuse, others (the appellants here) alleged only increased risk of identity theft.
- The district court held that plaintiffs who alleged actual fraud had standing, but dismissed plaintiffs who alleged only an increased/ imminent risk of identity theft for lack of Article III standing.
- On appeal the Ninth Circuit considered whether prior Ninth Circuit precedent (Krottner v. Starbucks) allowing standing based on risk of identity theft remained good law after the Supreme Court’s decision in Clapper v. Amnesty International.
- The Ninth Circuit evaluated standing at the time the suits were filed (January 2012) and focused on whether the theft of sensitive PII created a substantial risk of future identity theft sufficient to establish injury-in-fact.
- The court reversed the dismissal for lack of standing and remanded, holding appellants adequately alleged a concrete, imminent risk of identity theft traceable to Zappos’s breach.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether plaintiffs who only allege an increased risk of identity theft have Article III standing | Risk from theft of sensitive PII (including card numbers, passwords) is a concrete, imminent injury (substantial risk of identity theft) | Risk is speculative; plaintiffs have not alleged actual misuse and Clapper requires "certainly impending" injury | Plaintiffs have standing based on a substantial risk of identity theft under Krottner; reversal and remand |
| Whether Krottner remains controlling after Clapper | Krottner remains valid; data-theft cases do not require the same multi-link speculation present in Clapper | Clapper limits standing for speculative future harms, so Krottner is incompatible | Krottner is not clearly irreconcilable with Clapper and remains binding |
| Whether the passage of time (since 2012 breach) defeats imminence of injury | Standing is assessed at filing; suits were filed contemporaneously with notice, so imminence satisfied | Passage of time reduces imminence and makes injuries speculative | Standing assessed as of filing; time elapsed does not defeat a pleading-stage showing of substantial risk |
| Traceability and redressability of alleged future identity theft to Zappos breach | The breach is fairly traceable to the increased risk; damages or injunctive relief could redress harms | Other breaches or causes could have contributed, undermining traceability | Alleged risk is fairly traceable to Zappos’s failure; redressable by damages and injunctive relief |
Key Cases Cited
- Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (holding theft of a laptop containing unencrypted PII can create a credible, imminent risk of identity theft sufficient for standing)
- Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013) (requiring threatened injury be "certainly impending" and cautioning against multi-step speculative chains of inference for standing)
- Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) (recognizing that hackers’ purpose in stealing PII supports inference of substantial risk of fraudulent misuse)
- Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (holding a data breach of sensitive PII can itself create a substantial risk of future harm supporting standing)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (outlining Article III standing requirements and that each element must be supported at successive litigation stages)