Elawyers Elawyers
Washington| Change

IN RE ZAPPOS.COM, INC., CUSTOMER DATA SECURITY BREACH LITIGATION, 108 F.Supp.3d 949 (2015)

Court: District Court, D. Nevada Number: infdco20150603c11 Visitors: 22
Filed: Jun. 01, 2015
Latest Update: Jun. 01, 2015
Summary: ORDER ROBERT C. JONES , District Judge . This multidistrict litigation case arises out of a security breach of Zappos.com's customer data. Pending before the Court is a Motion to Dismiss, (ECF No. 217), filed by Amazon.com, Inc. doing business as Zappos.com ("Zappos"). Also pending is Zappos's Motion to Strike Prayers for Punitive Damages and Restitution. (ECF No. 219). Zappos has also filed a Motion for Leave to File Excess Pages. (ECF No. 218). The Court has considered all of the briefing
More

ORDER

This multidistrict litigation case arises out of a security breach of Zappos.com's customer data. Pending before the Court is a Motion to Dismiss, (ECF No. 217), filed by Amazon.com, Inc. doing business as Zappos.com ("Zappos"). Also pending is Zappos's Motion to Strike Prayers for Punitive Damages and Restitution. (ECF No. 219). Zappos has also filed a Motion for Leave to File Excess Pages. (ECF No. 218). The Court has considered all of the briefing on the pending Motions. For the reasons contained herein, the Motion to Dismiss is GRANTED, and the Motion to Strike is DENIED as moot.

I. FACTS AND PROCEDURAL HISTORY

On January 15, 2012, Zappos's servers located in Kentucky and Nevada were targeted by a hacker or group of hackers. The servers contained the personal identifying information of approximately 24 million Zappos's customers. On January 16, 2012, Zappos sent an email to its customers notifying them that its servers had been breached and that data had been stolen, including customers' names, account numbers, passwords, email addresses, billing and shipping addresses, phone numbers, and the last four digits of their credit cards used to make purchases. Shortly thereafter, a number of lawsuits were filed against Zappos seeking damages.

On June 14, 2012, the U.S. Judicial Panel on Multidistrict Litigation ("JPML") granted Zappos's motion to create the present case pursuant to 28 U.S.C. § 1407, transferring six extra-district actions to this District, consolidating them with three actions from this District, and assigning the consolidated case to this Court. (Transfer Order, ECF No. 1). Zappos moved to compel arbitration and stay the case. While that motion was pending, the JPML transferred an additional action to be consolidated with the instant case. (Conditional Transfer Order, ECF No. 5). The Court denied the motion to compel arbitration because the arbitration contract was "browsewrap" not requiring any objective manifestation of assent (as opposed to a "clickwrap" agreement), and there was no evidence that Plaintiffs had knowledge of the offer such that assent could be implied merely by use of the website. (See Sept. 27, 2012 Order 7-10, ECF No. 21).

Plaintiffs then amended their pleadings into two separate consolidated class action complaints, and Zappos filed a motion to dismiss the amended complaints for lack of standing and for failure to state a claim. (ECF No. 62). On September 9, 2013, the Court granted in part and denied in part Zappos's motion. (ECF No. 114). Thereafter, Plaintiffs Preira, Ree, Simon, Hasner, Habashy, and Nobles ("the Preira Plaintiffs") filed their Second Amended Consolidated Complaint (the "Preira SAC"). (ECF No. 118). And Plaintiffs Stevens, Penson, Elliot, Brown, Seal, Relethford, and Braxton (the "Stevens Plaintiffs") filed their Second Amended Consolidated Class Action Complaint (the "Stevens SAC"). (ECF No. 119).

On November 4, 2013, Zappos moved for dismissal of the Preira SAC and the Stevens SAC. (ECF No. 122). Zappos also moved to strike Plaintiffs' prayers for punitive damages and restitution. (ECF No. 124). While those motions were pending, the parties engaged in mediation in an attempt to reach a settlement. The parties stipulated to stay the proceedings various times, each time representing to the Court that settlement negotiations were progressing. (See ECF Nos. 192, 196, 201). After the third stipulation to stay, which was filed on September 17, 2014, and in reliance on the parties' representation that a settlement agreement was close, the Court entered an order denying Zappos's still pending motion to dismiss and motion to strike without prejudice. (ECF No. 202).

Despite the progress made during mediation as to class-wide relief, a final agreement could not be reached between the parties due to a disagreement over attorneys' fees. However, Plaintiffs filed a motion on December 4, 2014 to enforce a supposed settlement. (ECF No. 207), claiming that a cap on the fees class counsel would request was not material to the settlement. After responding to Plaintiffs' arguments regarding whether an enforceable settlement had been reached, Zappos renewed its previous dismissal arguments by filing the instant Motions on January 30, 2015. (ECF Nos. 217, 219). Plaintiffs then requested an extension of time to oppose the Motions pending the Court's determination of the motion to enforce. On March 27, 2015, the Court, finding that no final settlement had been reached, denied the motion to enforce and ordered Plaintiffs to respond to the instant Motions so that the case might proceed. Accordingly, the Court now considers the merits of Zappos's Motion to Dismiss the Preira and Stevens SACs pursuant to Rule 12(b)(1) for lack of standing.

II. LEGAL STANDARD

"Lack of standing is a defect in subject-matter jurisdiction and may properly be challenged under Rule 12(b)(1)." Wright v. Incline Vill. Gen. Imp. Dist., 597 F.Supp.2d 1191, 1199 (D.Nev.2009) (citing Bender v. Williamsport Area Sch. Dist., 475 U.S. 534, 541, 106 S.Ct. 1326, 89 L.Ed.2d 501 (1986)). Zappos argues that the Preira and Stevens SACs fail to establish Plaintiffs' standing to sue. This is considered a "facial" challenge to subject-matter jurisdiction. Thornhill Publ'g Co. v. Gen. Tel. & Elec. Corp., 594 F.2d 730, 733 (9th Cir.1979). "In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction." Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir.2004). If the movant's challenge is a facial one, then the "court must consider the allegations of the complaint to be true and construe them in the light most favorable to the plaintiff." Nevada ex rel. Colo. River Comm'n of Nev. v. Pioneer Cos., 245 F.Supp.2d 1120, 1124 (D.Nev.2003) (citing Love v. United States, 915 F.2d 1242, 1245 (9th Cir.1989)).

III. DISCUSSION

Zappos contends that Plaintiffs lack standing in this case because they have not alleged any actual damages arising from the data breach. Plaintiffs contend that their injury stems from an increased risk that they will become victims of identity theft or other fraudulent activities because their personal information has been jeopardized. None of the Plaintiffs, however, allege that they have suffered such harm as of yet. Moreover, only three of the twelve named Plaintiffs have taken the additional step of purchasing credit monitoring services to protect against the allegedly increased threat of fraud. In addition to the increased threat of harm, Plaintiffs further argue that they have standing based on damage to the intrinsic value of their data.

The Court was presented with similar arguments when ruling on Zappos's previous motion to dismiss. At that time, the Court determined that Plaintiffs' allegations "that they have had to pay money to monitor their credit scores and secure their financial information due to the increased risk of criminal fraud" were sufficient to establish standing. (Sept. 9, 2013 Order 5). However, given developments in the caselaw dealing with standing of data-breach victims, and because Article III standing is an "indispensable part of a plaintiff's case" rather than a pleading requirement, the Court finds it appropriate to review its prior ruling. Lujan v. Defenders of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992).

"Standing under Article III of the Constitution requires that an injury be concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling." Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149, 130 S.Ct. 2743, 177 L.Ed.2d 461 (2010). When a party's allegations of injury rest on future harm, standing arises only if that harm is "certainly impending," Clapper v. Amnesty Int'l USA, ___ U.S. ___, 133 S.Ct. 1138, 1147, 185 L.Ed.2d 264 (2013) (internal quotation marks and citation omitted), "or there is a `substantial risk' that the harm will occur." Susan B. Anthony List v. Driehaus, ___ U.S. ___, 134 S.Ct. 2334, 2342, 189 L.Ed.2d 246 (2014) (citation omitted). Allegations "of possible future injury are not sufficient." Clapper, 133 S.Ct. at 1147 (quotation marks and citation omitted).

The party invoking federal jurisdiction has the burden of establishing actual or imminent injury. Defenders of Wildlife, 504 U.S. at 561, 112 S.Ct. 2130. In a class action, the named plaintiffs attempting to represent the class "must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." Warth v. Seldin, 422 U.S. 490, 502, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975). "[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class." O'Shea v. Littleton, 414 U.S. 488, 494, 94 S.Ct. 669, 38 L.Ed.2d 674 (1974).

1. Decreased value in Plaintiffs' personal information

The Court deals first with Plaintiffs' last theory of standing. Plaintiffs attempt to establish standing by arguing that the data breach resulted in a devaluation of their personal information. Plaintiffs allege that a "robust market" exists for the sale and purchase of consumer data such as the personal information that was stolen during the breach, the value of this data apparently being appraised at between $30.49 and $44.62. (Stevens SAC ¶¶ 51-52). Plaintiffs claim that the Zappos security breach deprived them of the "substantial value" of their personal information, which they are entitled to recover. (Id. ¶ 54).

The Court does not buy this argument. Even assuming that Plaintiffs' data has value on the black market, Plaintiffs do not allege any facts explaining how their personal information became less valuable as a result of the breach or that they attempted to sell their information and were rebuffed because of a lower price-point attributable to the security breach. See Galaria v. Nationwide Mut. Ins. Co., 998 F.Supp.2d 646, 660 (S.D.Ohio 2014) (rejecting a similar argument because the named plaintiffs failed to allege that the data security breach actually prevented them from selling their information at the price they claimed the data was worth); see also In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litg., 45 F.Supp.3d 14, 30 (D.D.C.2014) (same). Thus, the Court finds that these allegations do not establish standing.

2. Increased threat of future harm

Plaintiffs' purported standing rests largely on the theory that they suffer an increased threat of future identity theft and fraud as a result of Zappos's security breach. Courts are divided on what constitutes sufficient injury-in-fact to establish standing in the context of a data security breach. The division arises, at least in part, from the Supreme Court's recent holding in Clapper v. Amnesty International.

In Clapper, the plaintiffs, a group of lawyers, challenged the constitutionality of a section of the Foreign Intelligence Surveillance Act ("FISA") that authorizes surveillance of individuals who are not United States persons and are believed to be located outside of the United States. 133 S.Ct. at 1142. The plaintiffs alleged that their work required them to engage in sensitive international communication with individuals that they suspected were targets of surveillance under FISA. Id. There was no evidence, however, that their communications had been targeted or that the Government would imminently target their communications. Nevertheless, the plaintiffs claimed that their injury arose from an increased risk that their communications could be monitored in the future.

The Court held that the alleged harm was entirely speculative and did not support standing since the future injury was not "certainly impending." Id. at 1148. The Court explained that the plaintiffs' arguments "rest[ed] on their highly speculative fear" that (1) the Government would decide to target non-U.S. persons with whom they communicate; (2) that in doing so, the Government would choose to invoke its authority under FISA rather than some other method of surveillance; (3) that the Article III judges who serve on the Foreign Intelligence Surveillance Court would conclude the surveillance comported with the Fourth Amendment; (4) that the Government would succeed in intercepting communications of plaintiffs' contacts; and (5) plaintiffs would be parties to the particular communications intercepted by the Government. Id.

This "highly attenuated chain of possibilities," the Court concluded, did not satisfy "the requirement that injury must be certainly impending." Id. The Court was also not willing "to abandon [its] usual reluctance to endorse standing theories that rest on speculation about the decisions of independent actors," id. at 1150, and it rejected the Second Circuit's reasoning that standing could be based on "an objectively reasonable likelihood" that the plaintiffs' communications with their foreign contacts would be intercepted in the future, id. at 1147.

The majority of courts dealing with data-breach cases post-Clapper have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing. See, e.g., Green v. eBay Inc., No. CIV.A.14-1688, 2015 WL 2066531, at *5 (E.D.La. May 4, 2015) (finding no standing where plaintiff's data was accessed during a security breach because there were no allegations that the information had been used or any indication that its use was imminent); Storm v. Paytime, Inc., 90 F.Supp.3d 359, 366, No. 14-cv-1138, 2015 WL 1119724, at *6 (M.D.Pa. Mar. 13, 2015) (finding no standing where plaintiffs did not allege that they actually suffered any form of identity theft as a result of the defendant's data breach); Peters v. St. Joseph Servs. Corp., 74 F.Supp.3d 847, 853-54, 2015 WL 589561, *4-*5 (S.D.Tex.2015) (finding no standing where plaintiff did not allege actual identity theft or fraud despite the possibility "that fraudulent use of her personal information could go undetected for long periods of time"); Galaria, 998 F.Supp.2d at 654 (finding no standing where plaintiffs alleged their personal information was stolen and disseminated but did not allege that their data had been misused); In re SAIC, 45 F.Supp.3d at 26 (finding no standing where plaintiffs allegations of potential identity theft, which had not yet occurred, were "entirely dependent on the actions of an unknown third party"); Lewert v. P.F. Chang's China Bistro, Inc., No. 14-cv-4787, 2014 WL 7005097, at *3 (N.D.Ill. Dec. 10, 2014) (finding no standing where plaintiffs did not allege that identity theft had occurred but only that it "may happen in coming years"); Remijas v. Neiman Marcus Grp., LLC, No. 14c1735, 2014 WL 4627893, at *3 (N.D.Ill. Sept. 16, 2014) (finding no standing where plaintiffs' alleged injury was not "concrete" because it was based on "potential future fraudulent charges"); Burton v. MAPCO Exp., Inc., 47 F.Supp.3d 1279, 1280-81 (N.D.Ala.2014) (finding no standing despite plaintiff's allegations of unauthorized charges on his debit card because plaintiff did not allege that he actually had to pay for the charges); U.S. Hotel & Resort Mgmt., Inc. v. Onity, Inc., No. CIV.13-1499, 2014 WL 3748639, at *5 (D.Minn. July 30, 2014) (recognizing that "[i]n the `lost data' context ... a majority of the courts ... hold that plaintiffs whose confidential data has been exposed, or possibly exposed by theft or a breach of an inadequate computer security system, but who have not yet had their identity stolen or their data otherwise actually abused, lack standing to sue the party who failed to protect their data"); In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617, 2013 WL 4759588, at *3 (N.D.Ill. Sept. 3, 2013) ("Merely alleging an increased risk of identity theft or fraud is insufficient to establish standing.").

Courts in the Ninth Circuit, however, have held the opposite.1 See In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197, 1214 (N.D.Cal.2014) (finding standing where hacker "spent several weeks" in Adobe's servers collecting customers' information despite no allegations that the plaintiffs' data had been misused); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 962 (S.D.Cal.2014) (finding standing where the plaintiffs "alleged a `credible threat' of impending harm" based on a data breach). These cases were decided in light of the Ninth Circuit's holding in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir.2010).

In Krottner, employees of Starbucks sued the company when a laptop containing unencrypted names, addresses, and social security numbers of approximately 97,000 employees was stolen. 628 F.3d at 1140. Although some of the plaintiffs enrolled in credit monitoring services, they did not allege that any theft or other fraud actually occurred. Id. at 1142. Starbucks challenged the employees' standing since their allegations of harm were based solely on an "increased risk of future identity theft." Id. The court found the allegations sufficient to confer standing, holding that "[i]f a plaintiff faces `a credible threat of harm' and that harm is `both real and immediate, not conjectural or hypothetical,' the plaintiff has met the injury-in-fact requirement for standing under Article III." Id. at 1143.

While other courts have criticized this test for being too lax post-Clapper, see Peters, 74 F.Supp.3d at 855-56, 2015 WL 589561, at *6-*7 (recognizing the pre-Clapper split among the Third, Seventh, and Ninth Circuits on the issue of standing but finding that Clapper "[a]rguably ... resolved the circuit split" and claiming that the Clapper "holding compels the conclusion" that plaintiffs lack standing to the extent the claims "are premised on the heightened risk of future identity theft/ fraud"); Galaria, 998 F.Supp.2d at 656 (finding that the reasoning in Clapper "seems to preclude the Ninth Circuit's even lower `not merely speculative' standard for injury-in-fact" articulated in Krottner); In re SAIC, 45 F.Supp.3d at 28 (impliedly accusing Krottner of being "thinly reasoned" and stating that, post-Clapper, the "`credible threat of harm' standard is clearly not supportable"), the Adobe and Sony courts found that Clapper did not overrule Krottner and that, in fact, Clapper and Krottner are quite compatible.

In Sony, the court found that "although the Supreme Court's word choice in Clapper differed from the Ninth Circuit's word choice in Krottner, stating that the harm must be `certainly impending,' rather than `real and immediate,' the Supreme Court's decision in Clapper did not set forth a new Article III framework, nor did the Supreme Court's decision overrule previous precedent requiring that the harm be `real and immediate.'" 996 F.Supp.2d at 961.

Likewise, the Adobe court reasoned that "Clapper did not change the law governing Article III standing." 66 F.Supp.3d at 1213. "Clapper merely held that the Second Circuit had strayed from [the] well-established standing principles by accepting a too-speculative theory of future injury." Id. The court recognized the unique context in which Clapper was decided — a constitutional challenge to a national defense law — and concluded that Krottner and Clapper are not "clearly irreconcilable." Id. at 1214. The court determined that the "difference in wording [between the two tests] is not substantial and that "Krottner's phrasing is closer to Clapper's `certainly impending' language than it is to the Second Circuit's `objectively reasonable likelihood' standard that the Supreme Court reversed in Clapper."" Id.

This Court agrees that Clapper does not necessarily overrule Krottner. The Krottner test is composed of two parts: (1) the plaintiff must face "a credible threat of harm," and (2) "that harm [must be] `both real and immediate.'" 628 F.3d at 1143. Both parts of the test must be met before the future harm equates to an injury-in-fact. Thus, it is not enough that a plaintiff face a credible threat of harm if that harm is not real, i.e. concrete, and immediate, i.e. certainly impending. Krottner, therefore, may be interpreted to require the same immediacy of harm that the Supreme Court emphasized in Clapper.

Furthermore, the Supreme Court explained post-Clapper that "[a]n allegation of future injury may suffice if the threatened injury is `certainly impending' or there is a `substantial risk' that the harm will occur." Driehaus, 134 S.Ct. at 2341 (emphasis added). So to the extent that the Krottner test is not as rigid as the standard articulated in Clapper, surely it embodies Driehaus's "substantial risk" language.2 Accordingly, this Court finds itself bound by Krottner. See In re Adobe, 66 F.Supp.3d at 1214-15.

However, just because Krottner is controlling does not consequently mean that its outcome dictates the Court's conclusion as to standing here, due to the unique posture of this case. Immediacy is a common theme found in cases that discuss standing based on an alleged future harm. See Nelsen v. King Cnty., 895 F.2d 1248, 1254 (9th Cir.1990) (denying standing where plaintiffs failed to show "a credible threat of immediate future harm"). It is not enough that a credible threat may occur at some point in the future; rather, the threat must be impending. See Defenders of Wildlife, 504 U.S. at 564, 112 S.Ct. 2130 (holding that a general intent to observe an endangered species in the future did not satisfy the immediacy requirement). It therefore follows that even if a plaintiff faces a real threat, she has no standing until that threat is immediate. See Whitmore v. Arkansas, 495 U.S. 149, 158, 110 S.Ct. 1717, 109 L.Ed.2d 135 (1990) (stating that "[a]llegations of possible future injury do not satisfy the requirements of Article III").

Similarly, a risk is surely not substantial unless the plaintiff can allege that the feared harm will likely be avoided only with judicial intervention. See Monsanto Co., 561 U.S. at 152, 130 S.Ct. 2743 (finding that plaintiffs would have been subjected to a substantial risk of future harm were it not for the district court's "elimination of [the] likelihood"). But where a credible threat will come to pass only if an independent third party takes specific action that would culminate in harm to the plaintiff, the alleged injury is less likely to confer standing. See Clapper, 133 S.Ct. at 1150.

Enter the facts of this case. Zappos's servers were breached in January 2012. Plaintiffs allege that the personal information of 24 million Zappos's customers was stolen. Of those 24 million customers, only twelve are before the Court seeking damages against Zappos. Of those twelve, only three determined that the increased threat of identity theft and fraud was sufficiently severe to purchase credit monitoring services. Of those three, not one alleges to have detected any irregularity whatsoever in regards to unauthorized purchases or other manifestations that their personal information has been misused. Yet Plaintiffs still claim that the threat they face is immediate, though there is no indication when or if that threat will materialize.

Given the stipulated stays and other delays in this case, the Court must decide whether the alleged threat of future harm is properly considered certainly impending three-and-a-half years after the breach occurred. Even if Plaintiffs' risk of identity theft and fraud was substantial and immediate in 2012, the passage of time without a single report from Plaintiffs that they in fact suffered the harm they fear must mean something. Determining what the lapsed time means, however, requires the Court to engage in speculation — precisely what the Supreme Court has counseled against. Clapper, 133 S.Ct. at 1149-50 (refusing standing based on speculation). It could signify that Plaintiffs are in the clear, meaning that the data obtained by the hacker was not useful in effectuating acts of theft or fraud. Or it could mean that the hacker is simply sitting on the information until the time is "right," which could be a few more years down the road. Or the lapsed time might mean a number of other scenarios. It is simply unclear.

If the Court assumes that the hacker or some other nefarious third-party remains in possession of Plaintiffs' personal information, then the threat may as yet be credible. In fact, Plaintiffs claim that cybercriminals "often hold onto stolen personal and financial information for several years before using and/or selling the information to other identity thieves," (Preira SAC ¶ 21; Stevens SAC ¶ 42), indicating that the alleged harm is not merely speculative despite the years that have passed without an occurrence of theft or fraud. But a harm that is "not merely speculative" does not constitute an injury-in-fact sufficient to confer standing. See Galaria, 998 F.Supp.2d at 656.

Indeed, there must be a point at which a future threat can no longer be considered certainly impending or immediate, despite its still being credible; otherwise, an "objectively reasonable likelihood" of harm would be enough to establish standing. See id. (citing Clapper, 133 S.Ct. at 1147). After all, the plaintiffs in Clapper engaged in the exact type of communication that could be monitored under FISA, making their allegations of future harm quite credible even if not certainly impending. Clapper, 133 S.Ct. at 1148-50. The more time that passes without the alleged future harm actually occurring undermines any argument that the threat of that harm is immediate, impending, or otherwise substantial. See Storm, 90 F.Supp.3d at 366, 2015 WL 1119724, at *6 ("Indeed, putting aside the legal standard for imminence, a layperson with a common sense notion of `imminent' would find this lapse of time, without any identity theft, to undermine the notion that identity theft would happen in the near future.").

The Court therefore finds that the increased threat of identity theft and fraud stemming from the Zappos's security breach does not constitute an injury-in-fact sufficient to confer standing. The years that have passed without Plaintiffs making a single allegation of theft or fraud demonstrate that the risk is not immediate. Krottner, 628 F.3d at 1143. The possibility that the alleged harm could transpire in the as-of-yet undetermined future relegates Plaintiffs' injuries to the realm of speculation. See Green, 2015 WL 2066531, at *4 (finding the threat of identity theft and fraud not certainly impending because, rather than alleging actual theft or fraud, plaintiff claimed that he had to "be vigilant for many years in checking for fraud" because criminals "may hold the information for later use").

The degree of Plaintiffs' speculation is heightened further by the fact that the future harm is based entirely on the decisions or capabilities of an independent, and unidentified, actor. Clapper, 133 S.Ct. at 1150 (refusing to endorse standing that rests on speculation about the decisions of independent actors). Should the person or persons in possession of Plaintiffs' information choose not to misuse the data, then the harm Plaintiffs fear will never occur. Likewise, if the person or persons in possession of Plaintiffs' information are unable to use the data to wreak the havoc assumedly intended, then Plaintiffs' alleged damages would also not coalesce. See Peters, 74 F.Supp.3d at 854, 2015 WL 589561, at *5 (acknowledging that the risk of future harm to the victim of a data security breach is, "no doubt, indefinite," but finding that the plaintiff's allegations of future harm were based solely on conjecture). Plaintiffs' damages at this point rely almost entirely on conjecture. See Krottner, 628 F.3d at 1143 (holding that standing cannot be based on conjecture but must be real and immediate).

The Court also notes the factual differences between the instant case and the Adobe and Sony cases. In Adobe, the plaintiffs alleged that the hackers had spent several weeks targeting Adobe's systems and that the hackers used Adobe's own system to decrypt customer credit cards. 66 F.Supp.3d at 1214-15. Not only were entire credit card numbers obtained, but some of the stolen data began to surface on the Internet within a year of the breach. Id. The hackers had even utilized the information to discover vulnerabilities in Adobe's products. Id. It was therefore clear that the threat faced by the Adobe plaintiffs was certainly impending. In Sony, the named plaintiffs were deprived of services as a result of the security breach for which they had paid money, and at least some of the plaintiffs had experienced unauthorized charges to their credit cards and one plaintiff was forced to close two bank accounts. 996 F.Supp.2d at 956-57.

Unlike the plaintiffs in Adobe whose entire credit card numbers were stolen as a result of the security breach, Plaintiffs here allege that only their credit card "tails," the last four digits of a credit card, were accessed during Zappos's breach. Also unlike the plaintiffs in Adobe whose information began to surface on the Internet shortly after the breach, Plaintiffs here make no allegations that their data has appeared in any place where others might obtain and misuse it. Unlike the plaintiffs in Sony who experienced an actual loss, albeit temporarily, of the services for which they had paid Sony to provide, the usefulness of the goods Plaintiffs purchased from Zappos was in no way impacted by the security breach in this case. And unlike some of the plaintiffs in Sony who dealt with actual unauthorized charges on credit cards, Plaintiffs here do not allege one instance of financial fraud.

But perhaps the most distinguishing element between this case and Adobe and Sony is the amount of time from when the breach occurred to when the respective motions to dismiss were ruled upon. In Adobe, the data security breach occurred in July and August of 2013. 66 F.Supp.3d at 1206-08. The cases against Adobe were filed between November 2013 and January 2014. Id. The Court ruled on the motion to dismiss on September 4, 2014, just over a year from when the breach first occurred. So recently after the breach, and given that the plaintiffs' information had already begun showing up on the Internet, the court reached the reasonable conclusion that the threat of additional harm was imminent. Similarly, the court in Sony ruled on the issue of Article III standing on January 21, 2014, approximately two-and-a-half years after the breach in that case had occurred. 996 F.Supp.2d at 955. Given the actual financial damages allegedly experienced by the named plaintiffs, the threat of future additional harm remained imminent at that time. In this case, however, there are no allegations of actual financial harm or that Plaintiffs' personal information has been disseminated over the Internet.3 Instead, three-and-a-half years after Zappos's security breach Plaintiffs have not sought leave to amend their Complaints to include any facts relating to instances of actual identity theft or financial fraud.

Finally, even if Plaintiffs suffer identity theft or fraud at some point in the future, there may be a genuine issue regarding whether the Zappos's security breach is the reason for the damages then incurred. Peters, 74 F.Supp.3d at 854, 2015 WL 589561, at *5 ("It may even be impossible to determine whether the misused information was obtained from exposure caused by the Data Breach or from some other source."). While this is obviously a question for another day, the Court notes that Plaintiffs would of course have to show that any damage occurring in the future is fairly traceable to the Zappos's breach. Monsanto Co., 561 U.S. at 149, 130 S.Ct. 2743. Since today so much of our personal information is stored on servers just like the ones that were hacked in this case, it is not unrealistic to wonder whether Plaintiffs' hypothetical future harm could be traced to Zappos's breach. An inference could of course be drawn that the future harm arose from Zappos's breach, but it would be Plaintiffs' burden to establish that element of standing. Defenders of Wildlife, 504 U.S. at 561, 112 S.Ct. 2130. For all these reasons, the Court finds that Plaintiffs have not alleged a threat of future harm sufficiently imminent to confer standing under Clapper and Krottner.

3. Costs to mitigate

Plaintiffs Hasner, Preira, and Habashy next argue that even if the increased threat of future harm does not constitute an injury-in-fact, their purchasing of credit monitoring services does. However, in Clapper the Supreme Court rejected a similar argument raised by the plaintiffs there that they had standing because of expenditures made to protect the confidentiality of their communications. 133 S.Ct. at 1151. The Court explained that plaintiffs "cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending." Id. "If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear." Id.

Courts have generally interpreted this holding to mean that "in order for costs incurred in an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being mitigated must itself be imminent." In re Adobe, 66 F.Supp.3d at 1217; see also Storm, 90 F.Supp.3d at 367, 2015 WL 1119724, at *7 (finding no compensable injury when plaintiff incurred credit monitoring costs); In re SAIC, 45 F.Supp.3d at 26 ("The cost of credit monitoring and other preventative measures, therefore, cannot create standing."). The Court's finding here that the threat of future theft or fraud is not sufficiently imminent to confer standing compels the conclusion that incurring costs to mitigate that threat cannot serve as the basis for this action. See Clapper, 133 S.Ct. at 1151 ("Thus, allowing respondents to bring this action based on costs they incurred in response to a speculative threat would be tantamount to accepting a repackaged version of respondents' first failed theory of standing.").

The Court realizes that this is a frustrating result where Plaintiffs' fears of identity theft and fraud are rational, and it recognizes that purchasing monitoring services is a responsible response to a data breach. Nevertheless, costs incurred to prevent future harm is not enough to confer standing, Clapper, 133 S.Ct. at 1150-51, "even when such efforts are sensible," In re SAIC, 45 F.Supp.3d at 26. "There is, after all, nothing unreasonable about monitoring your credit after a data breach," but even when fears of future harm are not unfounded, plaintiffs simply "cannot create standing by `inflicting harm on themselves' to ward off an otherwise speculative injury." Id. (quoting Clapper, 133 S.Ct. at 1151).4

As one court reasoned:

Hackers are constantly seeking to gain access to the data banks of companies around the world. Sometimes, they are successful. Other times not. Despite many companies' best efforts and tremendous expense to secure and protect their data systems, an industrious hacker every so often may find a way to access their data. Millions of people, out of reasonable fear and prudence, may decide to incur credit monitoring costs and take other preventative steps, which the hacked companies often freely provide. However, for a court to require companies to pay damages to thousands [and in this case millions] of customers, when there is yet to be a single case of identity theft proven, strikes us as overzealous and unduly burdensome to business. There is simply no compensable injury yet, and courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to both be able to successfully read and manipulate the data and engage in identity theft.

Storm, 90 F.Supp.3d at 367, 2015 WL 1119724, at *7. However, once a third party misuses a person's personal information, there is clearly an injury that can be compensated with money damages. Id. "In that situation, a plaintiff would be free to return to court and would have standing to recover her losses." Id.

To the extent that Plaintiffs allege that there are potential class members who have suffered identity theft or other fraud as a result of the Zappos's security breach, (see Preira SAC ¶¶ 5, 35), the Court agrees that those individuals would have standing. Yet Plaintiffs would not be the proper representatives of such a class, as they do not allege that they have suffered these same damages. Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147, 156, 102 S.Ct. 2364, 72 L.Ed.2d 740 (1982) ("We have repeatedly held that a class representative must be part of the class and possess the same interest and suffer the same injury as the class members."). Moreover, even if this case were not dismissed for lack of standing, the Court would not certify a class as broadly defined as Plaintiffs propose specifically because a majority of the putative class cannot claim any measurable damages.

Therefore, based on the forgoing reasons, the Court is granting Zappos's Motion to Dismiss.5 But the Court is also granting Plaintiffs leave to amend their Complaints for a third time in the event an occurrence of actual misuse of the stolen data has transpired between the dates the Preira and Stevens SACs were filed and now. And although the Court finds no standing based on the facts as currently pleaded, the case will be dismissed without prejudice.

CONCLUSION

IT IS HEREBY ORDERED that Defendant's Motion to Dismiss (ECF No. 217) is GRANTED without prejudice. Plaintiffs are granted leave to amend their Complaints to allege instances of actual identity theft or fraud.

IT IS FURTHER ORDERED that Defendant's Motion to Strike (ECF No. 219) is DENIED as moot.

IT IS FURTHER ORDERED that Defendant's Motion for Leave (ECF No. 218) is GRANTED.

IT IS SO ORDERED.

FootNotes


1. Some courts outside the Ninth Circuit have also found standing in data breach cases where the plaintiffs do not allege actual identity theft or fraud, but those cases are relatively few. See Moyer v. Michaels Stores, Inc., No. 14C561, 2014 WL 3511500, at *6 (N.D.Ill. July 14, 2014) (concluding "that the elevated risk of identity theft stemming from the data breach at Michaels is sufficiently imminent to give Plaintiffs standing").
2. Clapper recognized that future harm could create standing if the harm posed a "substantial risk." 133 S.Ct. at 1150 n. 5; see also Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 153-54, 130 S.Ct. 2743, 177 L.Ed.2d 461 (2010) (using this test to determine standing). In acknowledging this alternative articulation, though presumably not an alternative test, the Court stated that the impending harm does not need to be "literally certain." Clapper, 133 S.Ct. at 1150 n. 5 Instead, the Court emphasized that "plaintiffs bear the burden of pleading and proving concrete facts showing that the defendant's actual action has caused the substantial risk of harm" and that plaintiffs "cannot rely on speculation about `the unfettered choices made by independent actors not before the court.'" Id. (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 562, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)).
3. Plaintiffs Hasner and Noble do allege that after the breach, their AOL email accounts were accessed by a third party who sent unauthorized advertisements to others from the accounts. (Preira SAC ¶¶ 11, 16). The AOL accounts used the same passwords as Hasner's and Noble's Zappos accounts. Besides the advertisements, however, no additional misuse of the accounts or actual damages is alleged. Moreover, Hasner and Noble also took quick remedial measures by changing the passwords on their AOL accounts. (Id.).
4. The Court finds this to be true notwithstanding Zappos's questionable customer service in response to the data breach. Plaintiffs allege that once Zappos notified customers of the breach it "shut down its customer service phone lines for a week." (Preira SAC ¶ 4). Also perplexing, and undoubtedly offensive to its customers, is Zappos's apparent decision to not offer free credit monitoring services to its customers, which is a common gesture in these types of cases. Nevertheless, these deficiencies in Zappos's customer care do not establish standing where Plaintiffs fail to allege actual damages or an immediate threat of future harm.
5. Plaintiffs claim they have standing on the alternative theories that the breach caused them a loss of privacy and that it resulted in a diminished value of the services provided by Zappos. (Resp. 5, ECF No. 231). Neither of these arguments is persuasive. Even if Plaintiffs adequately allege a loss of privacy, they have failed to show how that loss amounts to a concrete and particularized injury. See O'Shea v. Littleton, 414 U.S. 488, 493, 94 S.Ct. 669, 38 L.Ed.2d 674 (1974) ("Abstract injury is not enough. It must be alleged that the plaintiff `has sustained or is immediately in danger of sustaining some direct injury' as a result of [the defendant's] conduct."). Plaintiffs do not claim that they have suffered any damages due to a loss of privacy, and so the Court finds that this theory is insufficient to establish standing. Furthermore, Plaintiffs' claims that they are harmed by an alleged decrease in the value of Zappos's services are unavailing. Plaintiffs do not explain how the data breach impacted the value of the goods they purchased from Zappos. Nor do Plaintiffs allege facts showing how the price they paid for such goods incorporated some particular sum that was understood by both parties to be allocated towards the protection of customer data. The Court finds that this theory of standing also fails. To the extent Plaintiffs claim to have standing arising from any other perceived harm, (see Resp. 5), the Court finds that each proposed theory fails because not one of them demonstrates that Plaintiffs have actually been damaged in a concrete and particularized way. See O'Shea, 414 U.S. at 493, 94 S.Ct. 669.
Source:  Leagle

Can't find what you're looking for?

Post a free question on our public forum.
Ask a Question
Search for lawyers by practice areas.
Find a Lawyer