Court reinstates Zappos data breach litigationPosted On: Mar. 9, 2018 12:13 PM CST
A federal appeals court has reinstated litigation filed by plaintiffs whose personal information was stolen in the 2012 hacking of online shoe retailer Zappos Inc., even though they did not allege their data was misused.
The 9th U.S. Circuit Court of Appeals in San Francisco held in Thursday’s ruling in In re; Zappos.Com Inc., Customer Data Security Breach Litigation that the plaintiffs had standing to sue because of the risk of identity theft.
The data stolen from 24 million customers of Zappos.com, a unit of Seattle-based Amazon.com Inc., included names, account numbers, passwords, email addresses, billing and shipping addresses, phone numbers and the last four digits of credit cards used to make purchases. The thieves had gained access to the internal network through servers in Shepherdsville, Kentucky.
Several putative class action lawsuits alleging harm from the data breach were transferred to the U.S. District Court in Reno, Nevada. The court distinguished between two groups of plaintiffs: those who alleged they had suffered from financial losses from identity theft caused by the breach, and those who did not. The court held that the first group had standing to sue, but the second did not.
A three-judge appeals court panel unanimously held that the group that did not suffer financial losses could pursue their litigation as well. “Plaintiffs allege that the type of information accessed in the Zappos breach can be used to commit identity theft, including by placing them at higher risk of ‘phishing’ and ‘pharming,’ which are ways for hackers to exploit information they already have in order to get even more (personally identifiable information),” said the ruling.
“Indeed, the plaintiffs who alleged that the hackers already commandeered their accounts or identities using information taken from Zappos specifically alleged that they suffered financial losses because of the Zappos data breach (which is why the district court held that they had standing).
“Although those plaintiffs’ claims are not at issue in this appeal, their alleged harm undermines Zappos’s assertion that the data stolen in the breach cannot be sued for fraud or identity theft,” the opinion states.
Plaintiffs “have sufficiently alleged an injury in fact based on a substantial risk that the Zappos hackers will commit identity fraud or identity theft,” said the ruling, in remanding the case for further proceedings.