MDL No. 2357 - IN RE: Zappos.com, Inc., Customer Data Security Breach Litigation
Filing
235
ORDER granting without prejudice 217 Motion to Dismiss, granting Plaintiffs leave to amend their complaints; denying as moot 219 Motion to Strike; granting 218 Motion for Leave. Signed by Judge Robert C. Jones on 6/1/2015. (Copies have been distributed pursuant to the NEF - KR)
1
2
3
UNITED STATES DISTRICT COURT
4
DISTRICT OF NEVADA
5
6
In re ZAPPOS.COM, INC., CUSTOMER
DATA SECURITY BREACH LITIGATION
3:12-cv-00325-RCJ-VPC
MDL No. 2357
7
ORDER
8
9
This multidistrict litigation case arises out of a security breach of Zappos.com’s customer
10
data. Pending before the Court is a Motion to Dismiss, (ECF No. 217), filed by Amazon.com,
11
Inc. doing business as Zappos.com (“Zappos”). Also pending is Zappos’s Motion to Strike
12
Prayers for Punitive Damages and Restitution. (ECF No. 219). Zappos has also filed a Motion
13
for Leave to File Excess Pages. (ECF No. 218). The Court has considered all of the briefing on
14
the pending Motions. For the reasons contained herein, the Motion to Dismiss is GRANTED,
15
and the Motion to Strike is DENIED as moot.
16
I.
17
FACTS AND PROCEDURAL HISTORY
On January 15, 2012, Zappos’s servers located in Kentucky and Nevada were targeted by
18
a hacker or group of hackers. The servers contained the personal identifying information of
19
approximately 24 million Zappos’s customers. On January 16, 2012, Zappos sent an email to its
20
customers notifying them that its servers had been breached and that data had been stolen,
21
including customers’ names, account numbers, passwords, email addresses, billing and shipping
22
addresses, phone numbers, and the last four digits of their credit cards used to make purchases.
23
Shortly thereafter, a number of lawsuits were filed against Zappos seeking damages.
24
1
1
On June 14, 2012, the U.S. Judicial Panel on Multidistrict Litigation (“JPML”) granted
2
Zappos’s motion to create the present case pursuant to 28 U.S.C. § 1407, transferring six
3
extra-district actions to this District, consolidating them with three actions from this District, and
4
assigning the consolidated case to this Court. (Transfer Order, ECF No. 1). Zappos moved to
5
compel arbitration and stay the case. While that motion was pending, the JPML transferred an
6
additional action to be consolidated with the instant case. (Conditional Transfer Order, ECF No.
7
5). The Court denied the motion to compel arbitration because the arbitration contract was
8
“browsewrap” not requiring any objective manifestation of assent (as opposed to a “clickwrap”
9
agreement), and there was no evidence that Plaintiffs had knowledge of the offer such that assent
10
11
could be implied merely by use of the website. (See Sept. 27, 2012 Order 7–10, ECF No. 21).
Plaintiffs then amended their pleadings into two separate consolidated class action
12
complaints, and Zappos filed a motion to dismiss the amended complaints for lack of standing
13
and for failure to state a claim. (ECF No. 62). On September 9, 2013, the Court granted in part
14
and denied in part Zappos’s motion. (ECF No. 114). Thereafter, Plaintiffs Preira, Ree, Simon,
15
Hasner, Habashy, and Nobles (“the Preira Plaintiffs”) filed their Second Amended Consolidated
16
Complaint (the “Preira SAC”). (ECF No. 118). And Plaintiffs Stevens, Penson, Elliot, Brown,
17
Seal, Relethford, and Braxton (the “Stevens Plaintiffs”) filed their Second Amended
18
Consolidated Class Action Complaint (the “Stevens SAC”). (ECF No. 119).
19
On November 4, 2013, Zappos moved for dismissal of the Preira SAC and the Stevens
20
SAC. (ECF No. 122). Zappos also moved to strike Plaintiffs’ prayers for punitive damages and
21
restitution. (ECF No. 124). While those motions were pending, the parties engaged in mediation
22
in an attempt to reach a settlement. The parties stipulated to stay the proceedings various times,
23
each time representing to the Court that settlement negotiations were progressing. (See ECF Nos.
24
2
1
192, 196, 201). After the third stipulation to stay, which was filed on September 17, 2014, and in
2
reliance on the parties’ representation that a settlement agreement was close, the Court entered
3
an order denying Zappos’s still pending motion to dismiss and motion to strike without
4
prejudice. (ECF No. 202).
Despite the progress made during mediation as to class-wide relief, a final agreement
5
6
could not be reached between the parties due to a disagreement over attorneys’ fees. However,
7
Plaintiffs filed a motion on December 4, 2014 to enforce a supposed settlement. (ECF No. 207),
8
claiming that a cap on the fees class counsel would request was not material to the settlement.
9
After responding to Plaintiffs’ arguments regarding whether an enforceable settlement had been
10
reached, Zappos renewed its previous dismissal arguments by filing the instant Motions on
11
January 30, 2015. (ECF Nos. 217, 219). Plaintiffs then requested an extension of time to oppose
12
the Motions pending the Court’s determination of the motion to enforce. On March 27, 2015,
13
the Court, finding that no final settlement had been reached, denied the motion to enforce and
14
ordered Plaintiffs to respond to the instant Motions so that the case might proceed. Accordingly,
15
the Court now considers the merits of Zappos’s Motion to Dismiss the Preira and Stevens SACs
16
pursuant to Rule 12(b)(1) for lack of standing.
17
II.
LEGAL STANDARD
18
“Lack of standing is a defect in subject-matter jurisdiction and may properly be
19
challenged under Rule 12(b)(1).” Wright v. Incline Vill. Gen. Imp. Dist., 597 F. Supp. 2d 1191,
20
1199 (D. Nev. 2009) (citing Bender v. Williamsport Area Sch. Dist., 475 U.S. 534, 541 (1986)).
21
Zappos argues that the Preira and Stevens SACs fail to establish Plaintiffs’ standing to sue. This
22
is considered a “facial” challenge to subject-matter jurisdiction. Thornhill Publ’g Co. v. Gen. Tel.
23
& Elec. Corp., 594 F.2d 730, 733 (9th Cir. 1979). “In a facial attack, the challenger asserts that
24
3
1
the allegations contained in a complaint are insufficient on their face to invoke federal
2
jurisdiction.” Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004). If the
3
movant’s challenge is a facial one, then the “court must consider the allegations of the complaint
4
to be true and construe them in the light most favorable to the plaintiff.” Nevada ex rel. Colo.
5
River Comm’n of Nev. v. Pioneer Cos., 245 F. Supp. 2d 1120, 1124 (D. Nev. 2003) (citing Love
6
v. United States, 915 F.2d 1242, 1245 (9th Cir. 1989)).
7
III.
8
9
DISCUSSION
Zappos contends that Plaintiffs lack standing in this case because they have not alleged
any actual damages arising from the data breach. Plaintiffs contend that their injury stems from
10
an increased risk that they will become victims of identity theft or other fraudulent activities
11
because their personal information has been jeopardized. None of the Plaintiffs, however, allege
12
that they have suffered such harm as of yet. Moreover, only three of the twelve named Plaintiffs
13
have taken the additional step of purchasing credit monitoring services to protect against the
14
allegedly increased threat of fraud. In addition to the increased threat of harm, Plaintiffs further
15
argue that they have standing based on damage to the intrinsic value of their data.
16
The Court was presented with similar arguments when ruling on Zappos’s previous
17
motion to dismiss. At that time, the Court determined that Plaintiffs’ allegations “that they have
18
had to pay money to monitor their credit scores and secure their financial information due to the
19
increased risk of criminal fraud” were sufficient to establish standing. (Sept. 9, 2013 Order 5).
20
However, given developments in the caselaw dealing with standing of data-breach victims, and
21
because Article III standing is an “indispensable part of a plaintiff’s case” rather than a pleading
22
requirement, the Court finds it appropriate to review its prior ruling. Lujan v. Defenders of
23
Wildlife, 504 U.S. 555, 561 (1992).
24
4
1
“Standing under Article III of the Constitution requires that an injury be concrete,
2
particularized, and actual or imminent; fairly traceable to the challenged action; and redressable
3
by a favorable ruling.” Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149 (2010). When
4
a party’s allegations of injury rest on future harm, standing arises only if that harm is “certainly
5
impending,” Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (internal quotation marks and
6
citation omitted), “or there is a ‘substantial risk’ that the harm will occur.” Susan B. Anthony List
7
v. Driehaus, 134 S. Ct. 2334, 2342 (2014) (citation omitted). Allegations “of possible future
8
injury are not sufficient.” Clapper, 133 S. Ct. at 1147 (quotation marks and citation omitted).
9
The party invoking federal jurisdiction has the burden of establishing actual or imminent
10
injury. Defenders of Wildlife, 504 U.S. at 561. In a class action, the named plaintiffs attempting
11
to represent the class “must allege and show that they personally have been injured, not that
12
injury has been suffered by other, unidentified members of the class to which they belong and
13
which they purport to represent.” Warth v. Seldin, 422 U.S. 490, 502 (1975). “[I]f none of the
14
named plaintiffs purporting to represent a class establishes the requisite of a case or controversy
15
with the defendants, none may seek relief on behalf of himself or any other member of the
16
class.” O’Shea v. Littleton, 414 U.S. 488, 494 (1974).
17
18
1. Decreased value in Plaintiffs’ personal information
The Court deals first with Plaintiffs’ last theory of standing. Plaintiffs attempt to
19
establish standing by arguing that the data breach resulted in a devaluation of their personal
20
information. Plaintiffs allege that a “robust market” exists for the sale and purchase of consumer
21
data such as the personal information that was stolen during the breach, the value of this data
22
apparently being appraised at between $ 30.49 and $44.62. (Stevens SAC ¶¶ 51–52). Plaintiffs
23
24
5
1
claim that the Zappos security breach deprived them of the “substantial value” of their personal
2
information, which they are entitled to recover. (Id. ¶ 54).
3
The Court does not buy this argument. Even assuming that Plaintiffs’ data has value on
4
the black market, Plaintiffs do not allege any facts explaining how their personal information
5
became less valuable as a result of the breach or that they attempted to sell their information and
6
were rebuffed because of a lower price-point attributable to the security breach. See Galaria v.
7
Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 660 (S.D. Ohio 2014) (rejecting a similar
8
argument because the named plaintiffs failed to allege that the data security breach actually
9
prevented them from selling their information at the price they claimed the data was worth); see
10
also In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litg., 45 F. Supp. 3d 14,
11
30 (D.D.C. 2014) (same). Thus, the Court finds that these allegations do not establish standing.
12
13
2. Increased threat of future harm
Plaintiffs’ purported standing rests largely on the theory that they suffer an increased
14
threat of future identity theft and fraud as a result of Zappos’s security breach. Courts are
15
divided on what constitutes sufficient injury-in-fact to establish standing in the context of a data
16
security breach. The division arises, at least in part, from the Supreme Court’s recent holding in
17
Clapper v. Amnesty International.
18
In Clapper, the plaintiffs, a group of lawyers, challenged the constitutionality of a section
19
of the Foreign Intelligence Surveillance Act (“FISA”) that authorizes surveillance of individuals
20
who are not United States persons and are believed to be located outside of the United States.
21
133 S. Ct. at 1142. The plaintiffs alleged that their work required them to engage in sensitive
22
international communication with individuals that they suspected were targets of surveillance
23
under FISA. Id. There was no evidence, however, that their communications had been targeted
24
6
1
or that the Government would imminently target their communications. Nevertheless, the
2
plaintiffs claimed that their injury arose from an increased risk that their communications could
3
be monitored in the future.
4
The Court held that the alleged harm was entirely speculative and did not support
5
standing since the future injury was not “certainly impending.” Id. at 1148. The Court explained
6
that the plaintiffs’ arguments “rest[ed] on their highly speculative fear” that (1) the Government
7
would decide to target non-U.S. persons with whom they communicate; (2) that in doing so, the
8
Government would choose to invoke its authority under FISA rather than some other method of
9
surveillance; (3) that the Article III judges who serve on the Foreign Intelligence Surveillance
10
Court would conclude the surveillance comported with the Fourth Amendment; (4) that the
11
Government would succeed in intercepting communications of plaintiffs’ contacts; and (5)
12
plaintiffs would be parties to the particular communications intercepted by the Government. Id.
13
This “highly attenuated chain of possibilities,” the Court concluded, did not satisfy “the
14
requirement that injury must be certainly impending.” Id. The Court was also not willing “to
15
abandon [its] usual reluctance to endorse standing theories that rest on speculation about the
16
decisions of independent actors,” id. at 1150, and it rejected the Second Circuit’s reasoning that
17
standing could be based on “an objectively reasonable likelihood” that the plaintiffs’
18
communications with their foreign contacts would be intercepted in the future, id. at 1147.
19
The majority of courts dealing with data-breach cases post-Clapper have held that absent
20
allegations of actual identity theft or other fraud, the increased risk of such harm alone is
21
insufficient to satisfy Article III standing. See, e.g., Green v. eBay Inc., No. CIV.A.14-1688,
22
2015 WL 2066531, at *5 (E.D. La. May 4, 2015) (finding no standing where plaintiff’s data was
23
accessed during a security breach because there were no allegations that the information had
24
7
1
been used or any indication that its use was imminent); Storm v. Paytime, Inc., ---F. Supp. 3d---,
2
No. 14-cv-1138, 2015 WL 1119724, at *6 (M.D. Pa. Mar. 13, 2015) (finding no standing where
3
plaintiffs did not allege that they actually suffered any form of identity theft as a result of the
4
defendant’s data breach); Peters v. St. Joseph Servs. Corp., ---F. Supp. 3d---, No. 4:14-cv-2872,
5
2015 WL 589561, *4–*5 (S.D. Tex. Feb. 11, 2015) (finding no standing where plaintiff did not
6
allege actual identity theft or fraud despite the possibility “that fraudulent use of her personal
7
information could go undetected for long periods of time”); Galaria, 998 F. Supp. 2d at 654
8
(finding no standing where plaintiffs alleged their personal information was stolen and
9
disseminated but did not allege that their data had been misused); In re SAIC, 45 F. Supp. 3d at
10
26 (finding no standing where plaintiffs allegations of potential identity theft, which had not yet
11
occurred, were “entirely dependent on the actions of an unknown third party”); Lewert v. P.F.
12
Chang’s China Bistro, Inc., No. 14-cv-4787, 2014 WL 7005097, at *3 (N.D. Ill. Dec. 10, 2014)
13
(finding no standing where plaintiffs did not allege that identity theft had occurred but only that
14
it “may happen in coming years”); Remijas v. Neiman Marcus Grp., LLC, No. 14c1735, 2014
15
WL 4627893, at *3 (N.D. Ill. Sept. 16, 2014) (finding no standing where plaintiffs’ alleged
16
injury was not “concrete” because it was based on “potential future fraudulent charges”); Burton
17
v. MAPCO Exp., Inc., No. 5:13-cv-00919-MHH, 2014 WL 4686479, at *1 (N.D. Ala. Sept. 12,
18
2014) (finding no standing despite plaintiff’s allegations of unauthorized charges on his debit
19
card because plaintiff did not allege that he actually had to pay for the charges); U.S. Hotel &
20
Resort Mgmt., Inc. v. Onity, Inc., No. CIV.13-1499, 2014 WL 3748639, at *5 (D. Minn. July 30,
21
2014) (recognizing that “[i]n the ‘lost data’ context . . . a majority of the courts . . . hold that
22
plaintiffs whose confidential data has been exposed, or possibly exposed by theft or a breach of
23
an inadequate computer security system, but who have not yet had their identity stolen or their
24
8
1
data otherwise actually abused, lack standing to sue the party who failed to protect their data”);
2
In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617, 2013 WL 4759588, at *3 (N.D. Ill. Sept.
3
3, 2013) (“Merely alleging an increased risk of identity theft or fraud is insufficient to establish
4
standing.”).
Courts in the Ninth Circuit, however, have held the opposite.1 See In re Adobe Sys., Inc.
5
6
Privacy Litig., ---F. Supp. 3d---, No. 13-cv-05226-LHK, 2014 WL 4379916, at *8 (N.D. Cal.
7
Sept. 4, 2014) (finding standing where hacker “spent several weeks” in Adobe’s servers
8
collecting customers’ information despite no allegations that the plaintiffs’ data had been
9
misused); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d
10
942, 962 (S.D. Cal. 2014) (finding standing where the plaintiffs “alleged a ‘credible threat’ of
11
impending harm” based on a data breach). These cases were decided in light of the Ninth
12
Circuit’s holding in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).
13
In Krottner, employees of Starbucks sued the company when a laptop containing
14
unencrypted names, addresses, and social security numbers of approximately 97,000 employees
15
was stolen. 628 F.3d at 1140. Although some of the plaintiffs enrolled in credit monitoring
16
services, they did not allege that any theft or other fraud actually occurred. Id. at 1142.
17
Starbucks challenged the employees’ standing since their allegations of harm were based solely
18
on an “increased risk of future identity theft.” Id. The court found the allegations sufficient to
19
confer standing, holding that “[i]f a plaintiff faces ‘a credible threat of harm’ and that harm is
20
‘both real and immediate, not conjectural or hypothetical,’ the plaintiff has met the injury-in-fact
21
requirement for standing under Article III.” Id. at 1143.
22
1
23
24
Some courts outside the Ninth Circuit have also found standing in data breach cases where the plaintiffs do not
allege actual identity theft or fraud, but those cases are relatively few. See Moyer v. Michaels Stores, Inc., No.
14C561, 2014 WL 3511500, at *6 (N.D. Ill. July 14, 2014) (concluding “that the elevated risk of identity theft
stemming from the data breach at Michaels is sufficiently imminent to give Plaintiffs standing”).
9
1
While other courts have criticized this test for being too lax post-Clapper, see Peters,
2
2015 WL 589561, at *6–*7 (recognizing the pre-Clapper split among the Third, Seventh, and
3
Ninth Circuits on the issue of standing but finding that Clapper “[a]rguably . . . resolved the
4
circuit split” and claiming that the Clapper “holding compels the conclusion” that plaintiffs lack
5
standing to the extent the claims “are premised on the heightened risk of future identity
6
theft/fraud”); Galaria, 998 F. Supp. 2d at 656 (finding that the reasoning in Clapper “seems to
7
preclude the Ninth Circuit’s even lower ‘not merely speculative’ standard for injury-in-fact”
8
articulated in Krottner); In re SAIC, 45 F. Supp. 3d at 28 (impliedly accusing Krottner of being
9
“thinly reasoned” and stating that, post-Clapper, the “‘credible threat of harm’ standard is clearly
10
not supportable”), the Adobe and Sony courts found that Clapper did not overrule Krottner and
11
that, in fact, Clapper and Krottner are quite compatible.
12
In Sony, the court found that “although the Supreme Court’s word choice in Clapper
13
differed from the Ninth Circuit’s word choice in Krottner, stating that the harm must be
14
‘certainly impending,’ rather than ‘real and immediate,’ the Supreme Court’s decision in Clapper
15
did not set forth a new Article III framework, nor did the Supreme Court’s decision overrule
16
previous precedent requiring that the harm be ‘real and immediate.’” 996 F. Supp. 2d at 961.
17
Likewise, the Adobe court reasoned that “Clapper did not change the law governing
18
Article III standing.” 2014 WL 4379916, at *7. “Clapper merely held that the Second Circuit
19
had strayed from [the] well-established standing principles by accepting a too-speculative theory
20
of future injury.” Id. The court recognized the unique context in which Clapper was decided—a
21
constitutional challenge to a national defense law—and concluded that Krottner and Clapper are
22
not “clearly irreconcilable.” Id. at *8. The court determined that the “difference in wording
23
[between the two tests] is not substantial and that “Krottner’s phrasing is closer to Clapper’s
24
10
1
‘certainly impending’ language than it is to the Second Circuit’s ‘objectively reasonable
2
likelihood’ standard that the Supreme Court reversed in Clapper.” Id.
This Court agrees that Clapper does not necessarily overrule Krottner. The Krottner test
3
4
is composed of two parts: (1) the plaintiff must face “a credible threat of harm,” and (2) “that
5
harm [must be] ‘both real and immediate.’” 628 F.3d at 1143. Both parts of the test must be met
6
before the future harm equates to an injury-in-fact. Thus, it is not enough that a plaintiff face a
7
credible threat of harm if that harm is not real, i.e. concrete, and immediate, i.e. certainly
8
impending. Krottner, therefore, may be interpreted to require the same immediacy of harm that
9
the Supreme Court emphasized in Clapper.
Furthermore, the Supreme Court explained post-Clapper that “[a]n allegation of future
10
11
injury may suffice if the threatened injury is ‘certainly impending’ or there is a ‘substantial risk’
12
that the harm will occur.” Driehaus, 134 S. Ct. at 2341 (emphasis added). So to the extent that
13
the Krottner test is not as rigid as the standard articulated in Clapper, surely it embodies
14
Driehaus’s “substantial risk” language.2 Accordingly, this Court finds itself bound by Krottner.
15
See In re Adobe, 2014 WL 4379916, at *8.
16
However, just because Krottner is controlling does not consequently mean that its
17
outcome dictates the Court’s conclusion as to standing here, due to the unique posture of this
18
case. Immediacy is a common theme found in cases that discuss standing based on an alleged
19
future harm. See Nelsen v. King Cnty., 895 F.2d 1248, 1254 (9th Cir. 1990) (denying standing
20
where plaintiffs failed to show “a credible threat of immediate future harm”). It is not enough
21
2
22
23
24
Clapper recognized that future harm could create standing if the harm posed a “substantial risk.” 133 S. Ct. at 1150
n.5; see also Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 153–54 (2010) (using this test to determine
standing). In acknowledging this alternative articulation, though presumably not an alternative test, the Court stated
that the impending harm does not need to be “literally certain.” Clapper, 133 S. Ct. at 1150 n.5. Instead, the Court
emphasized that “plaintiffs bear the burden of pleading and proving concrete facts showing that the defendant’s
actual action has caused the substantial risk of harm” and that plaintiffs “cannot rely on speculation about ‘the
unfettered choices made by independent actors not before the court.’” Id. (quoting Lujan v. Defenders of Wildlife,
504 U.S. 555, 562 (1992)).
11
1
that a credible threat may occur at some point in the future; rather, the threat must be impending.
2
See Defenders of Wildlife, 504 U.S. at 564 (holding that a general intent to observe an
3
endangered species in the future did not satisfy the immediacy requirement). It therefore follows
4
that even if a plaintiff faces a real threat, she has no standing until that threat is immediate. See
5
Whitmore v. Arkansas, 495 U.S. 149, 158 (1990) (stating that “[a]llegations of possible future
6
injury do not satisfy the requirements of Article III”).
7
Similarly, a risk is surely not substantial unless the plaintiff can allege that the feared
8
harm will likely be avoided only with judicial intervention. See Monsanto Co., 561 U.S. at 152
9
(finding that plaintiffs would have been subjected to a substantial risk of future harm were it not
10
for the district court’s “elimination of [the] likelihood”). But where a credible threat will come
11
to pass only if an independent third party takes specific action that would culminate in harm to
12
the plaintiff, the alleged injury is less likely to confer standing. See Clapper, 133 S. Ct. at 1150.
13
Enter the facts of this case. Zappos’s servers were breached in January 2012. Plaintiffs
14
allege that the personal information of 24 million Zappos’s customers was stolen. Of those 24
15
million customers, only twelve are before the Court seeking damages against Zappos. Of those
16
twelve, only three determined that the increased threat of identity theft and fraud was sufficiently
17
severe to purchase credit monitoring services. Of those three, not one alleges to have detected
18
any irregularity whatsoever in regards to unauthorized purchases or other manifestations that
19
their personal information has been misused. Yet Plaintiffs still claim that the threat they face is
20
immediate, though there is no indication when or if that threat will materialize.
21
Given the stipulated stays and other delays in this case, the Court must decide whether
22
the alleged threat of future harm is properly considered certainly impending three-and-a-half
23
years after the breach occurred. Even if Plaintiffs’ risk of identity theft and fraud was substantial
24
12
1
and immediate in 2012, the passage of time without a single report from Plaintiffs that they in
2
fact suffered the harm they fear must mean something. Determining what the lapsed time means,
3
however, requires the Court to engage in speculation—precisely what the Supreme Court has
4
counseled against. Clapper, 133 S. Ct. at 1149–50 (refusing standing based on speculation). It
5
could signify that Plaintiffs are in the clear, meaning that the data obtained by the hacker was not
6
useful in effectuating acts of theft or fraud. Or it could mean that the hacker is simply sitting on
7
the information until the time is “right,” which could be a few more years down the road. Or the
8
lapsed time might mean a number of other scenarios. It is simply unclear.
9
If the Court assumes that the hacker or some other nefarious third-party remains in
10
possession of Plaintiffs’ personal information, then the threat may as yet be credible. In fact,
11
Plaintiffs claim that cybercriminals “often hold onto stolen personal and financial information for
12
several years before using and/or selling the information to other identity thieves,” (Preira SAC ¶
13
21; Stevens SAC ¶ 42), indicating that the alleged harm is not merely speculative despite the
14
years that have passed without an occurrence of theft or fraud. But a harm that is “not merely
15
speculative” does not constitute an injury-in-fact sufficient to confer standing. See Galaria, 998
16
F. Supp. 2d at 656.
17
Indeed, there must be a point at which a future threat can no longer be considered
18
certainly impending or immediate, despite its still being credible; otherwise, an “objectively
19
reasonable likelihood” of harm would be enough to establish standing. See id. (citing Clapper,
20
133 S. Ct. at 1147). After all, the plaintiffs in Clapper engaged in the exact type of
21
communication that could be monitored under FISA, making their allegations of future harm
22
quite credible even if not certainly impending. Clapper, 133 S. Ct. at 1148–50. The more time
23
that passes without the alleged future harm actually occurring undermines any argument that the
24
13
1
threat of that harm is immediate, impending, or otherwise substantial. See Storm, 2015 WL
2
1119724, at *6 (“Indeed, putting aside the legal standard for imminence, a layperson with a
3
common sense notion of ‘imminent’ would find this lapse of time, without any identity theft, to
4
undermine the notion that identity theft would happen in the near future.”).
5
The Court therefore finds that the increased threat of identity theft and fraud stemming
6
from the Zappos’s security breach does not constitute an injury-in-fact sufficient to confer
7
standing. The years that have passed without Plaintiffs making a single allegation of theft or
8
fraud demonstrate that the risk is not immediate. Krottner, 628 F.3d at 1143. The possibility that
9
the alleged harm could transpire in the as-of-yet undetermined future relegates Plaintiffs’ injuries
10
to the realm of speculation. See Green, 2015 WL 2066531, at *4 (finding the threat of identity
11
theft and fraud not certainly impending because, rather than alleging actual theft or fraud,
12
plaintiff claimed that he had to “be vigilant for many years in checking for fraud” because
13
criminals “may hold the information for later use”).
14
The degree of Plaintiffs’ speculation is heightened further by the fact that the future harm
15
is based entirely on the decisions or capabilities of an independent, and unidentified, actor.
16
Clapper, 133 S. Ct. at 1150 (refusing to endorse standing that rests on speculation about the
17
decisions of independent actors). Should the person or persons in possession of Plaintiffs’
18
information choose not to misuse the data, then the harm Plaintiffs fear will never occur.
19
Likewise, if the person or persons in possession of Plaintiffs’ information are unable to use the
20
data to wreak the havoc assumedly intended, then Plaintiffs’ alleged damages would also not
21
coalesce. See Peters, 2015 WL 589561, at *5 (acknowledging that the risk of future harm to the
22
victim of a data security breach is, “no doubt, indefinite,” but finding that the plaintiff’s
23
allegations of future harm were based solely on conjecture). Plaintiffs’ damages at this point rely
24
14
1
almost entirely on conjecture. See Krottner, 628 F.3d at 1143 (holding that standing cannot be
2
based on conjecture but must be real and immediate).
3
The Court also notes the factual differences between the instant case and the Adobe and
4
Sony cases. In Adobe, the plaintiffs alleged that the hackers had spent several weeks targeting
5
Adobe’s systems and that the hackers used Adobe’s own system to decrypt customer credit
6
cards. 2014 WL 4379916, at *8. Not only were entire credit card numbers obtained, but some of
7
the stolen data began to surface on the Internet within a year of the breach. Id. The hackers had
8
even utilized the information to discover vulnerabilities in Adobe’s products. Id. It was therefore
9
clear that the threat faced by the Adobe plaintiffs was certainly impending. In Sony, the named
10
plaintiffs were deprived of services as a result of the security breach for which they had paid
11
money, and at least some of the plaintiffs had experienced unauthorized charges to their credit
12
cards and one plaintiff was forced to close two bank accounts. 996 F. Supp. 2d at 956–57.
13
Unlike the plaintiffs in Adobe whose entire credit card numbers were stolen as a result of
14
the security breach, Plaintiffs here allege that only their credit card “tails,” the last four digits of
15
a credit card, were accessed during Zappos’s breach. Also unlike the plaintiffs in Adobe whose
16
information began to surface on the Internet shortly after the breach, Plaintiffs here make no
17
allegations that their data has appeared in any place where others might obtain and misuse it.
18
Unlike the plaintiffs in Sony who experienced an actual loss, albeit temporarily, of the services
19
for which they had paid Sony to provide, the usefulness of the goods Plaintiffs purchased from
20
Zappos was in no way impacted by the security breach in this case. And unlike some of the
21
plaintiffs in Sony who dealt with actual unauthorized charges on credit cards, Plaintiffs here do
22
not allege one instance of financial fraud.
23
24
15
But perhaps the most distinguishing element between this case and Adobe and Sony is the
1
2
amount of time from when the breach occurred to when the respective motions to dismiss were
3
ruled upon. In Adobe, the data security breach occurred in July and August of 2013. 2014 WL
4
4379916, at *2. The cases against Adobe were filed between November 2013 and January 2014.
5
Id. The Court ruled on the motion to dismiss on September 4, 2014, just over a year from when
6
the breach first occurred. So recently after the breach, and given that the plaintiffs’ information
7
had already begun showing up on the Internet, the court reached the reasonable conclusion that
8
the threat of additional harm was imminent. Similarly, the court in Sony ruled on the issue of
9
Article III standing on January 21, 2014, approximately two-and-a-half years after the breach in
10
that case had occurred. 996 F. Supp. 2d at 955. Given the actual financial damages allegedly
11
experienced by the named plaintiffs, the threat of future additional harm remained imminent at
12
that time. In this case, however, there are no allegations of actual financial harm or that
13
Plaintiffs’ personal information has been disseminated over the Internet.3 Instead, three-and-a-
14
half years after Zappos’s security breach Plaintiffs have not sought leave to amend their
15
Complaints to include any facts relating to instances of actual identity theft or financial fraud.
16
Finally, even if Plaintiffs suffer identity theft or fraud at some point in the future, there
17
may be a genuine issue regarding whether the Zappos’s security breach is the reason for the
18
damages then incurred. Peters, 2015 WL 589561, at *5 (“It may even be impossible to determine
19
whether the misused information was obtained from exposure caused by the Data Breach or from
20
some other source.”). While this is obviously a question for another day, the Court notes that
21
Plaintiffs would of course have to show that any damage occurring in the future is fairly
22
23
24
3
Plaintiffs Hasner and Noble do allege that after the breach, their AOL email accounts were accessed by a third
party who sent unauthorized advertisements to others from the accounts. (Preira SAC ¶¶ 11, 16). The AOL accounts
used the same passwords as Hasner’s and Noble’s Zappos accounts. Besides the advertisements, however, no
additional misuse of the accounts or actual damages is alleged. Moreover, Hasner and Noble also took quick
remedial measures by changing the passwords on their AOL accounts. (Id.).
16
1
traceable to the Zappos’s breach. Monsanto Co., 561 U.S. at 149. Since today so much of our
2
personal information is stored on servers just like the ones that were hacked in this case, it is not
3
unrealistic to wonder whether Plaintiffs’ hypothetical future harm could be traced to Zappos’s
4
breach. An inference could of course be drawn that the future harm arose from Zappos’s breach,
5
but it would be Plaintiffs’ burden to establish that element of standing. Defenders of Wildlife,
6
504 U.S. at 561. For all these reasons, the Court finds that Plaintiffs have not alleged a threat of
7
future harm sufficiently imminent to confer standing under Clapper and Krottner.
8
9
2. Costs to mitigate
Plaintiffs Hasner, Preira, and Habashy next argue that even if the increased threat of
10
future harm does not constitute an injury-in-fact, their purchasing of credit monitoring services
11
does. However, in Clapper the Supreme Court rejected a similar argument raised by the
12
plaintiffs there that they had standing because of expenditures made to protect the confidentiality
13
of their communications. 133 S. Ct. at 1151. The Court explained that plaintiffs “cannot
14
manufacture standing merely by inflicting harm on themselves based on their fears of
15
hypothetical future harm that is not certainly impending.” Id. “If the law were otherwise, an
16
enterprising plaintiff would be able to secure a lower standard for Article III standing simply by
17
making an expenditure based on a nonparanoid fear.” Id.
18
Courts have generally interpreted this holding to mean that “in order for costs incurred in
19
an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being
20
mitigated must itself be imminent.” In re Adobe, 2014 WL 4379916, at *9; see also Storm, 2015
21
WL 1119724, at *7 (finding no compensable injury when plaintiff incurred credit monitoring
22
costs); In re SAIC, 45 F. Supp. 3d at 26 (“The cost of credit monitoring and other preventative
23
measures, therefore, cannot create standing.”). The Court’s finding here that the threat of future
24
17
1
theft or fraud is not sufficiently imminent to confer standing compels the conclusion that
2
incurring costs to mitigate that threat cannot serve as the basis for this action. See Clapper, 133
3
S. Ct. at 1151 (“Thus, allowing respondents to bring this action based on costs they incurred in
4
response to a speculative threat would be tantamount to accepting a repackaged version of
5
respondents’ first failed theory of standing.”).
The Court realizes that this is a frustrating result where Plaintiffs’ fears of identity theft
6
7
and fraud are rational, and it recognizes that purchasing monitoring services is a responsible
8
response to a data breach. Nevertheless, costs incurred to prevent future harm is not enough to
9
confer standing, Clapper, 133 S. Ct. at 1150–51, “even when such efforts are sensible,” In re
10
SAIC, 45 F. Supp. 3d at 26. “There is, after all, nothing unreasonable about monitoring your
11
credit after a data breach,” but even when fears of future harm are not unfounded, plaintiffs
12
simply “cannot create standing by ‘inflicting harm on themselves’ to ward off an otherwise
13
speculative injury.” Id. (quoting Clapper, 133 S. Ct. at 1151).4
14
As one court reasoned:
15
Hackers are constantly seeking to gain access to the data banks of companies
around the world. Sometimes, they are successful. Other times not. Despite
many companies’ best efforts and tremendous expense to secure and protect their
data systems, an industrious hacker every so often may find a way to access their
data. Millions of people, out of reasonable fear and prudence, may decide to
incur credit monitoring costs and take other preventative steps, which the hacked
companies often freely provide. However, for a court to require companies to pay
damages to thousands [and in this case millions] of customers, when there is yet
to be a single case of identity theft proven, strikes us as overzealous and unduly
burdensome to business. There is simply no compensable injury yet, and courts
cannot be in the business of prognosticating whether a particular hacker was
sophisticated or malicious enough to both be able to successfully read and
manipulate the data and engage in identity theft.
16
17
18
19
20
21
22
23
24
4
The Court finds this to be true notwithstanding Zappos’s questionable customer service in response to the data
breach. Plaintiffs allege that once Zappos notified customers of the breach it “shut down its customer service phone
lines for a week.” (Preira SAC ¶ 4). Also perplexing, and undoubtedly offensive to its customers, is Zappos’s
apparent decision to not offer free credit monitoring services to its customers, which is a common gesture in these
types of cases. Nevertheless, these deficiencies in Zappos’s customer care do not establish standing where Plaintiffs
fail to allege actual damages or an immediate threat of future harm.
18
1
Storm, 2015 WL 1119724, at *7. However, once a third party misuses a person’s personal
2
information, there is clearly an injury that can be compensated with money damages. Id. “In that
3
situation, a plaintiff would be free to return to court and would have standing to recover her
4
losses.” Id.
5
To the extent that Plaintiffs allege that there are potential class members who have
6
suffered identity theft or other fraud as a result of the Zappos’s security breach, (see Preira SAC
7
¶¶ 5, 35), the Court agrees that those individuals would have standing. Yet Plaintiffs would not
8
be the proper representatives of such a class, as they do not allege that they have suffered these
9
same damages. Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147, 156 (1982) (“We have repeatedly
10
held that a class representative must be part of the class and possess the same interest and suffer
11
the same injury as the class members.”). Moreover, even if this case were not dismissed for lack
12
of standing, the Court would not certify a class as broadly defined as Plaintiffs propose
13
specifically because a majority of the putative class cannot claim any measurable damages.
14
Therefore, based on the forgoing reasons, the Court is granting Zappos’s Motion to
15
Dismiss.5 But the Court is also granting Plaintiffs leave to amend their Complaints for a third
16
time in the event an occurrence of actual misuse of the stolen data has transpired between the
17
18
5
19
20
21
22
23
24
Plaintiffs claim they have standing on the alternative theories that the breach caused them a loss of privacy and that
it resulted in a diminished value of the services provided by Zappos. (Resp. 5, ECF No. 231). Neither of these
arguments is persuasive. Even if Plaintiffs adequately allege a loss of privacy, they have failed to show how that
loss amounts to a concrete and particularized injury. See O’Shea v. Littleton, 414 U.S. 488, 493 (1974) (“Abstract
injury is not enough. It must be alleged that the plaintiff ‘has sustained or is immediately in danger of sustaining
some direct injury’ as a result of [the defendant’s] conduct.”). Plaintiffs do not claim that they have suffered any
damages due to a loss of privacy, and so the Court finds that this theory is insufficient to establish standing.
Furthermore, Plaintiffs’ claims that they are harmed by an alleged decrease in the value of Zappos’s services are
unavailing. Plaintiffs do not explain how the data breach impacted the value of the goods they purchased from
Zappos. Nor do Plaintiffs allege facts showing how the price they paid for such goods incorporated some particular
sum that was understood by both parties to be allocated towards the protection of customer data. The Court finds
that this theory of standing also fails. To the extent Plaintiffs claim to have standing arising from any other
perceived harm, (see Resp. 5), the Court finds that each proposed theory fails because not one of them demonstrates
that Plaintiffs have actually been damaged in a concrete and particularized way. See O’Shea, 414 U.S. at 493.
19
1
dates the Preira and Stevens SACs were filed and now. And although the Court finds no
2
standing based on the facts as currently pleaded, the case will be dismissed without prejudice.
3
CONCLUSION
4
IT IS HEREBY ORDERED that Defendant’s Motion to Dismiss (ECF No. 217) is
5
GRANTED without prejudice. Plaintiffs are granted leave to amend their Complaints to allege
6
instances of actual identity theft or fraud.
7
8
9
10
11
IT IS FURTHER ORDERED that Defendant’s Motion to Strike (ECF No. 219) is
DENIED as moot.
IT IS FURTHER ORDERED that Defendant’s Motion for Leave (ECF No. 218) is
GRANTED.
IT IS SO ORDERED.
12
13
Dated: June 1, 2015
Dated: _______________________
14
15
_____________________________________
ROBERT C. JONES
United States District Judge
16
17
18
19
20
21
22
23
24
20
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?