In granting a motion to dismiss a data breach putative class action lawsuit, the District of Nevada joined the majority of federal district courts in holding that plaintiffs whose personal information was stolen lack Article III standing to sue in federal court. The case derived from a 2012 breach of Zappos.com, Inc.’s servers in which hackers stole 24 million customers’ personal information.
Zappos moved to dismiss the case for lack of standing because, it alleged, there were no actual damages resulting from the data breach and thus no injury to its customers. The plaintiffs advanced several theories to prove injury: (a) damage to the intrinsic value of their data, (b) an increased risk of identity theft, and (c) costs to mitigate future risk of identity theft. The court rejected each argument.
Focusing primarily on the increased risk argument, the court followed Ninth Circuit precedent in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) to hold that there was no credible threat of harm which was both real and immediate since “not one” of the plaintiffs alleged any actual injury from the data breach. Out of the 24 million customers affected by the data breach, only 12 sought damages in the case, of whom only three purchased credit monitoring services for fear of future identity theft. The possibility that identity theft or other fraud could occur at some undetermined future time “relegate[d] Plaintiffs’ injuries to the realm of speculation,” and therefore precluded standing. The passage of nearly 3.5 years since the breach without any harm materializing only buttressed the court’s opinion. The court also discarded plaintiffs’ mitigation theory because, under Clapper, a plaintiff cannot “manufacture standing” by incurring mitigation costs against hypothetical future harm.
In dismissing this putative data breach class action for lack of standing, the Nevada federal district court departed from the views of California federal district courts, which have allowed data breach class actions to proceed notwithstanding Article III challenges. This opinion suggests that, even in the favorable Ninth Circuit, data breach plaintiffs may face significant standing hurdles.
In re Zappos.com, Inc., Customer Data Sec. Breach Litig., No. 12-00325 (D. Nev. June 1, 2015).