9th Circuit issues Article III standing guidance in hacking context

Victims of a data breach whose stolen information has not yet been used by hackers may sue in federal court, the 9th U.S. Circuit Court of Appeals ruled Thursday, adding to a growing body of case law addressing digital-age Article III standing questions.

Six years into litigation stemming from a 2012 attack on Zappos.com Inc.'s servers that allegedly took private information from 24 million online buyers, plaintiffs who sued the online shoe sale giant will be allowed to proceed with their case, Judge Michelle T. Friedland wrote in a unanimous three-judge opinion. Stevens v. Zappos.com Inc., 2018 DJDAR 2177.

The panel said that a 2010 9th Circuit decision, which allowed Starbucks employees to proceed with a lawsuit against their employer after a company laptop containing the names and social security numbers of 97,000 employees was stolen, had not been made bad law by a 2013 U.S. Supreme Court decision that denied standing for speculative harm.

"[T]he sensitivity of the personal information, combined with its theft, led us to conclude that the plaintiffs had adequately alleged an injury in fact supporting standing," Friedland wrote, addressing the court's 2010 rationale. Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).

"The sensitivity of the stolen data in this case is sufficiently similar to that in Krottner to require the same conclusion here," she continued.

In 2013, the U.S. Supreme Court considered a challenge to amendments to the Foreign Intelligence Surveillance Act, which allowed the government to surveil telephone and e-mail communications of foreigners abroad.

In a 5-4 decision, the court rejected plaintiffs' claims to challenge the law, noting that their allegations were too speculative. The plaintiffs had argued that the law created "an objectively reasonable likelihood" of injury. Clapper v. Amnesty International USA, 568 U.S. 398 (2013).

Counsel for Zappos unsuccessfully argued before the 9th Circuit that Clapper had rendered Krottner bad law.

Hackers behind the attack in question before the court breached Zappos' cybersecurity protections and absconded with the credit card information of 24 million online shoppers as well as personal information such as full names, account numbers, email addresses, cell phone numbers and home addresses.

Lawsuits and putative class actions stemming from the attack were consolidated in multi-district litigation before U.S. District Judge Robert Clive Jones of Nevada.

Plaintiffs were divided into two categories for the purposes of the case: those whose information had been used by hackers and those whose hadn't.

Addressing a third amended complaint, Jones ruled that the plaintiffs whose information had been used had standing, but dismissed the claims of those whose information appeared to have gone untouched by the hackers.

But the 9th Circuit said, "The information taken in the data breach still gave hackers the means to commit fraud or identify theft."

The Zappos decision is the latest circuit opinion on the standing question in the context of cyberattacks.

Last year, the U.S. District of Columbia Circuit Court of Appeals considered a district court ruling that held that plaintiffs whose personal information was stolen in a cyberattack on a medical provider could not sue because the injury was too speculative.

The D.C. Circuit said that the district court's reading was too narrow and reversed. The Supreme Court declined to review that ruling last month. Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017).

The 7th Circuit has also ruled similarly to the 9th and D.C. Circuits in cyberattack standing disputes.

But 8th Circuit ruled last year that allegations of credit card theft in a cyberattack were not enough to establish standing, as the attack in question was unable to secure other personal information like passwords and telephone numbers.

In a lengthy footnote, Friedland addressed each of these cases, saying that the Krottner decision was not irreconcilable with the post-Clapper decisions, because the standing determinations rest on the particular facts of each case.

Friedland was joined in her opinion by Judge John B. Owens and U.S. District Judge Elaine E. Bucklo, visiting from Northern Illinois.

Douglas Gregory Blankinship, a partner at Finkelstein Blankinship Frei-Pearson and Garber LLP of White Plains, New York, represented the plaintiffs before the court. He did not respond to a request for comment.

Stephen J. Newman, a partner at Stroock & Stroock & Lavan LLP in Los Angeles, represented Zappos.com Inc.. He referred a request for comment to his client. Zappos did not respond.