Last week, the U.S. Court of Appeals for the Ninth Circuit revived a class action lawsuit related to a 2012 data breach, determining that the future risk of identity theft suffices to establish Article III standing, even where there has been no actual harm. At issue in the case, In re Zappos.com, was whether the plaintiffs had standing to bring claims based on a January 2012 data breach where hackers allegedly stole the personal information of more than 24 million Zappos.com Inc. customers—names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information.
The decision is likely to have a significant impact on data breach litigation given the number of such cases filed in the Ninth Circuit. The circuits are currently split on the standard for establishing Article III standing in data breach litigation, a split that will likely continue until the Supreme Court addresses the issue.
The Ninth Circuit’s decision also creates a need for companies to revisit their standard breach notification language, as the court revived the claims against Zappos in part because Zappos warned its customers in its notice that they should consider changing their passwords due to the breach, which the court considered evidence that consumers were at risk of harm from the incident.
Click here to read Crowell & Moring’s full alert.