Law Review: Identity theft victims may sue for the hack
In January 2012, hackers breached the servers of online retailer Zappos.com and allegedly stole the names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit information of more than 24 million Zappos’ customers.
For those of you not fluent in Spanish, like me, Zappos is a corruption of the word zapatos meaning shoes in Spanish. Zappos was acquired by Amazon in 2009 for 1.2 billion dollars. A lot of zapatos …
When customers bought shoes, handbags or other clothing on the Zappos website, they provided personal identifying information including full credit card numbers, or so it was alleged. After the hack, Zappos sent an email to its customers notifying them of the theft of their personal information, recommending that they reset their Zappos.com account passwords and change the passwords on other websites where they use the same password.
Some customers responded almost immediately … by filing class action lawsuits in federal district courts across the country. It’s the American Way.
The plaintiffs were broken into two groups, those who were victimized by the hackers using the stolen information and those whose concern and lawsuit was based on the hacking incident itself, not any subsequent illegal activity by the hackers.
Today’s case analyzes the second class of plaintiffs — those who sued claiming Zappos did not adequately protect their identity, but who so far have not been victimized with improper use of the hacked information such as illegally purchased goods on personal accounts.
As all of us could be victims of identity theft by criminal hackers, this federal court of appeals decision should be of interest.
The legal issue in our case entitled In re Zappos.com, Inc., was whether the plaintiffs whose identity had been stolen but to date not used, had “standing” to sue, which requires the following:
“a plaintiff must show (1) it has suffered in ‘injury in fact’ that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.”
There must be a “substantial risk that the harm will occur”
As most of you are aware, some years ago, a thief stole a laptop containing the unencrypted names, addresses and social security numbers of approximately 97,000 Starbucks employees. Starbucks immediately sent a letter notifying its employees, but that did not stop many from suing alleging that they had “a credible threat of real and imminent harm,” because the laptop with their personal information had been stolen.
The Starbucks court found that the data breach alone created a risk of harm and therefore a right to sue.
The Ninth District Court of Appeals overturned the trial court, ruling that the Zappos plaintiffs, like the Starbucks employees, were entitled to sue. Because of the theft of their sensitive personal information, the plaintiffs had adequately alleged an injury or likelihood of injury. As the court noted, “why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or to assume those customers’ identities.”
There is “substantial risk that the Zappos hackers will commit identity fraud or identity theft.” Plaintiffs prevail over Zappos.
Jim Porter is an attorney with Porter Simon licensed in California and Nevada, with offices in Truckee and Tahoe City, California, and Reno, Nevada. Jim’s practice areas include: real estate, development, construction, business, HOA’s, contracts, personal injury, accidents, mediation and other transactional matters. He may be reached at email@example.com or http://www.portersimon.com. Like us on Facebook.