In In re Zappos.com, Inc., Customer Data Security Breach Litigation (9th Cir., Mar. 8, 2018), the U.S. Court of Appeals for the 9th Circuit issued a decision that represents a more expansive way to understand data security harm. The case arises out of a breach where hackers stole personal data on 24 million+ individuals. Although some plaintiffs alleged they suffered identity theft as a result of the breach, other plaintiffs did not. The district court held that the plaintiffs that hadn’t yet suffered an identity theft lacked standing.
Standing is a requirement in federal court that plaintiffs must allege that they have suffered an “injury in fact” — an injury that is concrete, particularized, and actual or imminent. If plaintiffs lack standing, their case is dismissed and can’t proceed. For a long time, most litigation arising out of data breaches was dismissed for lack of standing because courts held that plaintiffs whose data was compromised in a breach didn’t suffer any harm. A key case was Clapper v. Amnesty International USA, 568 U.S. 398 (2013), in which the Supreme Court held that the plaintiffs couldn’t prove for certain that they were under surveillance. The Court concluded that the plaintiffs were merely speculating about future possible harm.
Early on, most courts rejected standing in data breach cases. A few courts resisted this trend, including the 9th Circuit in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). There, the court held that an increased future risk of harm could be sufficient to establish standing.
Then along came Clapper, adding ammunition to the courts rejecting standing. Courts found no standing in cases brought by plaintiffs with a theory that a breach resulted in an increased risk of future harm.
But in the past few years, some courts have begun to embrace the theory that increased risk of future harm is a sufficient injury to satisfy the standing requirement. In Zappos, the defendants argued that Clapper rejected the theory in Krottner, and thus, Krottner should no longer be viable. The 9th Circuit, however, held that Clapper didn’t reject the risk of future injury theory entirely, only when there wasn’t a “substantial risk that the harm will occur.”
The Zappos court concluded that in the Zappos breach, there was such a substantial risk. The court reasoned that the “information taken in the data breach still gave hackers the means to commit fraud or identity theft, as Zappos itself effectively acknowledged by urging affected customers to change their passwords on any other account where they may have used ‘the same or a similar password.’”
Now, there’s a major circuit split on the issue of whether the increased risk of future harm can be sufficient for standing. Here’s a chart of some of the cases in the split over the past few years:
For those of you who are interested in the issue of data breach harm, I recently published an article about it:
Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018)
Here’s a post that summarizes the article:
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 3-5, 2018 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.