Norton Rose Fulbright - Data Protection Report blog

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, and Eighth Circuits over whether the mere exposure of personal information – without actual identity theft or credit/debit card fraud – establishes Article III standing.

The incident

Plaintiffs alleged that in January 2012, hackers breached Zappos’ servers, stealing personal identifying information of more than 24 million customers, including names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information. Later that month, Zappos notified its customers of the theft and recommended that they reset their passwords on the Zappos website as well as any other websites where customers used the same or similar passwords.

Ninth Circuit reverses dismissal on standing grounds

The district court distinguished between two sets of Plaintiffs: those who alleged financial losses from identity theft and those who did not. The district court dismissed the claims of the second group, finding that they did not have Article III standing to pursue their claims because they did not allege “actual identity theft or fraud.” The Ninth Circuit reversed, finding that Plaintiffs “sufficiently alleged an injury in fact based on a substantial risk that the Zappos hackers will commit identity fraud or identity theft.”

In its decision, the court relied on Ninth Circuit precedent in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), which allowed Starbucks employees to sue when a company laptop containing personal information was stolen, but plaintiffs had not suffered identity theft as a result. In doing so, the Zappos court rejected defendant’s argument that Krottner was no longer good law after Clapper v. Amnesty International USA, 568 U.S. 398 (2013), which held that an increased risk of harm is not enough to confer standing because it is not “certainly impending.” The Zappos decision distinguished Clapper on the basis that Clapper involved “sensitive” national security and separation of powers concerns, and a “speculative” chain of inferences, none of which were present in Krottner.

Thus, under Krottner, the Zappos court found that the mere exposure of personal identifying information poses a “substantial risk” of harm sufficient to survive a motion to dismiss. The court accepted Plaintiffs’ arguments that the type of information stolen in the Zappos breach, including full credit card numbers, “gave hackers the means to commit fraud or identity theft,” even if the hackers had not done so already. The court further found that the risk of future harm was “fairly traceable” to the breach and “redressable by relief that could be obtained through [ ] litigation.” On this basis, the court found that Plaintiffs had established Article III standing and their case could proceed.

Our take

The Ninth Circuit has now officially weighed in on what is a continuing circuit split concerning standing in data breach cases, joining its sister courts in the D.C., Sixth and Seventh Circuits to make it easier for plaintiffs to maintain data breach cases beyond the pleading stage despite no showing of actual injury. More troubling is that, by doubling down on Krottner, the Ninth Circuit continues to ignore the Supreme Court’s criticism in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). There, the Supreme Court reversed a Ninth Circuit decision for failing to analyze whether a harm was both “concrete” and “individualized” – a failure that occurred in Krottner and has now been repeated in Zappos. As the Ninth Circuit has itself recognized, to allege a concrete injury there must be actual harm or a material risk of future harm. The D.C., Sixth and Seventh Circuits have all recognized a future risk in hacker or phishing cases, but the Ninth Circuit has arguably gone even further by reaffirming Krottner, a case that involved a lost computer which was more likely stolen for its resale value than for any personal information contained thereon. Regardless, seeing as the Supreme Court declined to take up the recent CareFirst Inc. v. Attias appeal, it does not appear that the Supremes will be resolving this circuit split any time soon.