These Shoes Weren’t Made for Walking (and They Aren’t Too Good for Standing Either): Court Dismisses Post-Breach Case Against Zappos for Lack of Standing

Last week yet another federal district court dismissed a post-data breach class action after concluding that the plaintiffs had not alleged any actual or imminent harm and, consequently, did not have standing to proceed. In re Zappos.com, Inc. Customer Data Security Breach Litig. MDL No. 2357, 12-cv-325 (D. Nev. June 1, 2015), arose out of a 2012 breach of Zappos’ servers, which contained names, passwords, email addresses, shipping addresses, and credit card information for approximately 24 million Zappos customers. Litigation followed and, following several years’ worth of settlement discussions, the defendant filed a motion to dismiss for lack of standing, arguing that the plaintiffs had not alleged that they suffered any actual or imminent concrete harm from the data breach. The Court granted the defendant’s motion, rejecting the three arguments the plaintiffs put forth in opposition.

• First, the Court summarily rejected the plaintiffs’ argument that they were injured by the “devaluation of their personal information.” Despite the plaintiffs’ contention that their personal information was valued at $30.49 to $44.62, the Court observed that the plaintiffs failed to allege that this value had decreased.
• Second, relying on Ninth Circuit precedent and the Supreme Court’s recent opinion in Clapper v. Amnesty International, the Court held that the plaintiffs’ claim that they faced “an increased threat of future identity theft and fraud” as a result of the breach was insufficient to confer an “injury” for standing purposes. The Court noted that “[t]he [three] years that have passed [since the breach] without Plaintiffs making a single allegation of theft or fraud demonstrate that the risk [of injury] is not immediate.” Likewise, the Court observed that any possible future harm that the plaintiffs might suffer was speculative because it was “based entirely on the decisions or capabilities of an independent, and unidentified actor”—the hacker or hackers that had accessed and stolen the customers’ data years earlier. The Court concluded by noting that “Plaintiffs’ damages at this point rely almost entirely on conjecture.”
• Third, the Court rejected the argument that three plaintiffs were injured by having purchased credit monitoring services as a result of the breach. The Court began by noting that, given the speculative nature of any future harm they might suffer as a result of the breach, the three plaintiffs’ purchase of credit monitoring services was an insufficient “injury.” The Court also expressed skepticism, based on the Supreme Court’s Clapper opinion, that plaintiffs could, in effect, purchase standing “merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”

The Court’s holding in Zappos is, in one sense, unremarkable. As the Court observed, it follows a string of opinions dismissing data breach cases for lack of standing. Zappos, however, is still important because of the caselaw on which it relies. The Zappos Court (a Nevada district court) was governed by Ninth Circuit standing precedent, which has been questioned for its adherence to the Supreme Court’s Clapper opinion. (Indeed, the Zappos Court noted that district courts in the Ninth Circuit appear to generally buck the trend of dismissing data breach cases for lack of standing.) Nonetheless, based on both Ninth Circuit precedent and Clapper, the Zappos Court held that the plaintiffs had not adequately alleged an injury and, therefore, lacked standing.  Zappos thus demonstrates the difficulties many plaintiffs continue to face in bringing post-data breach lawsuits.