9th Circuit Holds That Victims of Data Breach Can Sue Based on Substantial Risk of Identity Theft of Fraud

News stories of data breaches have become all too common these days. From retail giant Target’s colossal data breach of 70 million of its customers during the 2013 holiday season, to the Equifax credit reporting data breach that impacted almost 148 million consumers, to Facebook's negligence in safeguarding the personal data of 50 million users, to the Hudson's Bay Company (think Saks and Lord & Taylor) breach affecting more than 5 million customer debit and credit cards, now more than ever the conveniences provided by our digital world put the security of our personal information at risk. 

How can victims of data breaches respond?  There are recommended security steps to take depending on the data exposed.  You may need to change the login ID and password at the hacked website, monitor your bank accounts and credit reports, or cancel and request new credit cards.  In addition, consumers may be able to bring lawsuits against the company that exposed your data. 

The question of who can bring a suit in response to a data breach has been debated and litigated in a number of courts.  One question debated is whether the data must have been used to commit identity theft or fraud or cause financial losses, or whether the potential for identify theft or losses is enough.  The U.S. Court of Appeals for the Ninth Circuit recently held in In re Zappos.com, Inc. Customer Data Security Breach Litigation that a substantial risk of identify fraud or theft can be a sufficient harm (standing) to bring a lawsuit. 

In 2012, hackers breached Zappos’s servers and gained access to names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million customers.  Customers impacted by the data breach sued Zappos.  The U.S. District Court for Nevada dismissed the claims of customers who had not alleged that they had already suffered financial losses (those alleging the risk of future identify theft and losses), but allowed the claims of those who had alleged they suffered financial losses to continue.

The Ninth Circuit disagreed, and held that the plaintiffs' allegations of substantial risk of identify fraud or theft were sufficient to show standing because they alleged a credible threat of real and immediate harm.

The Ninth Circuit’s decision seems to recognize that the sensitivity of the information stolen, i.e. whether it can be used to commit identify theft, plays a part in whether or not the plaintiffs can bring a claim.  The Zappos plaintiffs alleged that the data stolen in the Zappos breach gave hackers the means to commit identify theft and fraud.  The Ninth Circuit found this to be credible, relying on the facts that some consumers had already suffered identify theft, and Zappos urged customers to change their passwords at Zappos and any other account where they used the same or a similar password.

The Ninth Circuit’s decision recognizes that the risk of identity theft and fraud resulting from a data hack of sensitive information is very real, and consumers have been injured whether or not they immediately suffer financial losses from identity theft.  After all, hackers who steal consumers’ data do so with the intention of exploiting it for their own personal gain, not simply for the thrill of stealing it. 


For more information as to your rights, please contact Wolf Popper LLP at www.wolfpopper.com