This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

9th U.S. Circuit Court of Appeals,
Constitutional Law,
Civil Litigation,
U.S. Supreme Court

Mar. 19, 2018

Data breach standing ruling invites review

The 9th Circuit recently said merely having personal information exposed in a breach is sufficient harm to justify Article III standing — creating a circuit split the Supreme Court needs to remedy.

Ian C. Ballon

Partner
Greenberg Traurig LLP

Phone: (650) 289-7881

Email: ballon@gtlaw.com

Ian defends cybersecurity and data privacy class action suits, among other technology cases, and is co-chair of Greenberg Traurig LLP's Global Intellectual Property & Technology Practice Group and the author of the 5-volume treatise, "E-Commerce & Internet Law" 2d edition (www.ianballon.net). The views expressed are solely those of the author.


In In re Zappos.com, Inc., 2018 DJDAR 2177 (March 8, 2018), the 9th U.S. Circuit Court of Appeals ruled that merely having personal information exposed in a security breach constitutes sufficient harm to justify Article III standing in federal court, regardless of whether the information in fact is used for identity theft or other improper purposes. In so ruling, the 9th Circuit invites a petition for certiorari to the U.S. Supreme Court based on what is now a clear circuit split on the issue of what level of harm is required in a cybersecurity case where information is taken but not actually used for improper purposes.

There is always a theoretical harm that when personal information is acquired as a result of a security breach, it may be used for identity theft or other fraud. Of course, it may also never be used for improper purposes. Companies have become adept at quickly alerting consumers, cancelling or restricting access to login and account credentials or other account information in response to a security breach. In many cases, these protective measures are taken before consumers even learn of a breach. Consumers themselves also may place credit freezes and other restrictions on their financial records to deter potential abuse following a security breach. Consequently, as we know as a matter of fact from most putative security breach class action suits, the named plaintiffs have incurred no present harm.

In Clapper v. Amnesty International USA, 568 U.S. 938 (2013), the U.S. Supreme Court, by a 5-4 margin, tightened the threshold for plaintiffs to establish standing in cases based on the threat of future harm, rejecting the argument that standing could be established based on "an objectively reasonable likelihood" of future harm. This ruling arguably conflicted with the 9th Circuit's earlier decision in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), in which the 9th Circuit had found "a credible threat of real and immediate harm" merely because a laptop containing plaintiff's personally identifiable information had been stolen. In Zappos, however, the 9th Circuit construed Clapper as consistent with Krottner and therefore applied this earlier 9th Circuit precedent to find standing.

In contrast to the 9th Circuit, courts in many other parts of the country have held that Clapper tightened the requirement for establishing standing based solely on the threat of future harm and have rejected standing in cases where personal information has been exposed but the plaintiffs have not been the victims of fraud or identity theft. See, e.g., Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (finding no standing, despite statistical evidence suggesting that plaintiffs faced an enhanced risk of future identity theft because of a security breach as "too speculative" to constitute an injury-in-fact); In re SuperValu, Inc., Customer Data Security Breach Litig., 870 F.3d 763 (8th Cir. 2017) (affirming dismissal for lack of standing where plaintiffs' names, credit or debit card account numbers, expiration dates, card verification value (CVV) codes, and personal identification numbers (PINs) potentially were exposed, but plaintiffs had not been victims of identity theft); see also Whalen v. Michael's Stores, Inc., 689 F. App'x. 89 (2d Cir. 2017) (rejecting standing in an unreported opinion where unknown parties sought to use plaintiff's credit card in Ecuador a few days after a security breach, where the attempted charges were rejected and her card was replaced).

By contrast, other circuits have found standing in the absence of identity theft based on intangible harm such as the costs associated with mitigating the risk of loss. See, e.g., Lewert v. P.F. Chang's China Bistro Inc., 819 F.3d 963 (7th Cir. 2016); Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), cert. denied, 2018 WL 942459 (U.S. Feb. 20, 2018); see also Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384 (6th Cir. 2016) (finding standing, by a 2-1 decision, in an unreported opinion).

In Zappos, the 9th Circuit went further than other courts in justifying standing based on the experiences of other plaintiffs who, unlike appellants, had alleged harm. Because other plaintiffs alleged that their accounts or identities had been commandeered by hackers, the court concluded that the appellants in Zappos -- who did not allege any such harm -- could be subject to fraud or identity theft. This kind of bootstrapping -- where those with no injury are afforded standing to sue because of others, who alleged harm -- suggests a much looser standard for Article III analysis than the U.S. Supreme Court directed in Clapper, which is the most recent case to squarely address standing based on the alleged threat of future harm. It also is inconsistent with the 8th Circuit's decision in SuperValu, where the appellate court affirmed dismissal of the claims of 15 plaintiffs who had not been victims of identity theft while finding that a 16th plaintiff, who had been a victim of identity theft, had standing.

While the 9th Circuit's ruling is consistent with the views articulated by lower courts in the 9th Circuit in security breach cases, it directly conflicts with the rulings of other circuits.

Zappos invites the U.S. Supreme Court to resolve disagreement among the circuits.
