Ninth Circuit Revives Data Breach Class Action, Finds Risk of Identity Theft Without Actual Harm Sufficient to Establish Standing
Client Alert | 2 min read | 03.12.18
On March 8, 2018, the U.S. Court of Appeals for the Ninth Circuit revived claims related to a 2012 data breach affecting the internet retailer Zappos.com, holding that the plaintiffs sufficiently established Article III standing based on the future risk of identity theft, regardless of whether the plaintiffs suffered actual harm. Given the number of cases filed in the Ninth Circuit, this decision is likely to have a significant impact on data breach litigation. The various circuits are currently split on the standard for establishing Article III standing in data breach litigation, a split that will likely continue until the Supreme Court addresses the issue.
At issue in the case, In re Zappos.com, was whether the plaintiffs had Article III standing to bring claims based on a January 2012 data breach where hackers allegedly stole the personal information of more than 24 million Zappos.com Inc. (Zappos) customers—names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information. While a group of plaintiffs in the class action alleged that the hackers actually conducted financial transactions using the stolen information, the plaintiffs at issue in this appeal did not allege any actual injury.
In deciding the case, the Ninth Circuit relied on its 2010 ruling in Krottner v. Starbucks Corp., where it held that various Starbucks employees had alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data. In relying on Krottner, the Ninth Circuit rejected Zappos’ argument that Krottner is no longer good law after the Supreme Court’s decision in Clapper v. Amnesty International USA, determining instead that Krottner is not clearly irreconcilable with Clapper and therefore remains binding. According to the Ninth Circuit, the plaintiffs’ alleged injury in Krottner did not rely on a “speculative multi-link chain of inferences,” unlike in Clapper. As the Ninth Circuit stated in Krottner, the threat would have been far less credible if no laptop had been stolen and the plaintiffs had sued based on the risk that it would be stolen at some point in the future.
Notably, the Ninth Circuit’s decision may make certain Payment Card Industry (PCI) cases more difficult to defend because the decision accepts that the information involved in the breach—notably, credit and debit card information and passwords—may suffice to allege potential harm, even where social security numbers are not involved. Moreover, the court’s decision that standing is to be evaluated as of the filing of the complaint may preclude district courts from considering post-filing developments, such as the cancellation of credit cards, when determining standing, although this information would remain relevant for other types of motions.
Another important takeaway is the Ninth Circuit’s reliance on the advice Zappos communicated to affected customers in its breach notice. The court noted that “the information taken in the data breach still gave hackers the means to commit fraud or identity theft, as Zappos itself effectively acknowledged by urging affected customers to change their passwords on any other account where they may have used ‘the same or a similar password.’” Because the Ninth Circuit arguably “punished” Zappos for the warnings in its breach notice, companies should re-assess the language in their standard notices to determine whether similar language could be later construed as evidence in favor of a class plaintiff.
Insights
Client Alert | 4 min read | 08.07.25
On July 25, 2025, the Eleventh Circuit Court of Appeals issued its decision in United States ex. rel. Sedona Partners LLC v. Able Moving & Storage Inc. et al., holding that a district court cannot ignore new factual allegations included in an amended complaint filed by a False Claims Act qui tam relator based on the fact that those additional facts were learned in discovery, even while a motion to dismiss for failure to comply with the heightened pleading standard under Federal Rule of Civil Procedure 9(b) is pending. Under Rule 9(b), allegations of fraud typically must include factual support showing the who, what, where, why, and how of the fraud to survive a defendant’s motion to dismiss. And while that standard has not changed, Sedona gives room for a relator to file first and seek out discovery in order to amend an otherwise deficient complaint and survive a motion to dismiss, at least in the Eleventh Circuit. Importantly, however, the Eleventh Circuit clarified that a district court retains the discretion to dismiss a relator’s complaint before or after discovery has begun, meaning that district courts are not required to permit discovery at the pleading stage. Nevertheless, the Sedona decision is an about-face from precedent in the Eleventh Circuit, and many other circuits, where, historically, facts learned during discovery could not be used to circumvent Rule 9(b) by bolstering a relator’s factual allegations while a motion to dismiss was pending. While the long-term effects of the decision remain to be seen, in the short term the decision may encourage relators to engage in early discovery in hopes of learning facts that they can use to survive otherwise meritorious motions to dismiss.
Client Alert | 4 min read | 08.06.25
FinCEN Delays Implementation Date and Reopens AML/CFT Rule for Investment Advisers
Client Alert | 4 min read | 08.06.25
Series of Major Data Breaches Targeting the Insurance Industry
Client Alert | 11 min read | 08.06.25