On March 8, a Ninth Circuit panel held that fear of identity theft in the wake of a data breach satisfies the standing requirements of Article III of the United States Constitution. In so holding, the Ninth Circuit confirmed that its prior data breach standing precedent in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) remained good law despite the Supreme Court’s 2013 holding in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013). As we previously reported, the district court relied on Clapper’s holding that any alleged “future harm” be “certainly impending” and that “allegations of possible future injury are not sufficient” to hold that fear of future identity theft or future fraudulent charges was insufficient to meet Article III’s standing requirement. The Ninth Circuit reversed, distinguishing Clapper’s standing analysis as “especially rigorous” because it arose in the “national security context.”
The court reasoned that, like the employees whose unencrypted social security numbers were allegedly contained on the stolen laptop at issue in Krottner, the customers at issue here faced a “substantial risk” of identity theft due to the alleged release of their billing information, including credit and debit card numbers. Rejecting defendant’s argument that too much time had passed since the breach for any alleged harm to be imminent, the court held that standing is determined at the time the complaint is filed – not as of the present.
In holding that fear of identity theft satisfies the requirements of Article III of the Constitution, the Ninth Circuit joins the District of Columbia, Sixth, and Seventh Circuits as plaintiffs’ forums of choice for data breach class actions. By contrast, the Eighth and Fourth Circuits, have taken a narrower approach to the standing issue. The Supreme Court has – as recently as February 20 — declined petitions for certiorari to review and resolve the circuit split. Will the defendant in this case seek Supreme Court review and, if so, will the result be different this time? Stay tuned for more developments.
In re Zappos.com, Inc., Customer Data Sec. Breach Litig., No. 16-16860 (9th Cir. March 8, 2018).