Not a Lexis Advance subscriber? Try it out for free.

Ree v. Zappos.com, Inc. (In re Zappos.com, Inc.)

United States Court of Appeals for the Ninth Circuit

December 5, 2017, Argued and Submitted, San Francisco, California; April 20, 2018, Amended

No. 16-16860

Opinion

 [*1023]  AMENDED OPINION

FRIEDLAND, Circuit Judge:

In January 2012, hackers breached the servers of online retailer Zappos.com, Inc. ("Zappos") and allegedly stole the names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million Zappos customers. Several of those customers filed putative class actions in federal courts across the country, asserting that Zappos had not adequately protected their [**3]  personal information. Their lawsuits were consolidated for pretrial proceedings.

Although some of the plaintiffs alleged that the hackers used stolen information about them to conduct subsequent financial transactions, the plaintiffs who are the focus of this appeal ("Plaintiffs") did not. This appeal concerns claims based on the hacking incident itself, not any subsequent illegal activity.

The district court dismissed Plaintiffs' claims for lack of Article III standing. In this appeal, Plaintiffs contend that the district court erred in doing so, and they press several potential bases for standing, including that the Zappos data breach put them at risk of identity theft.

We addressed standing in an analogous context in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). There, we held that employees of Starbucks had standing to sue the company based on the risk of identity theft they faced after a company laptop containing their personal information was stolen. Id. at 1140, 1143. We reject Zappos's argument that Krottner is no longer good law after Clapper v. Amnesty International USA, 568 U.S. 398, 133 S. Ct. 1138, 185 L. Ed. 2d 264 (2013), and hold that, under Krottner, Plaintiffs have sufficiently alleged standing based on the risk of identity theft.3

When they bought merchandise on Zappos's website, customers provided personal identifying [**4]  information ("PII"), including their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information. Sometime before January 16, 2012, hackers targeted Zappos's servers, stealing the PII of more than 24 million of its customers, including their full credit card numbers.4 On January 16, Zappos sent an email to its customers, notifying them of the theft of their PII. The company recommended "that they reset their Zappos.com account passwords and change the passwords 'on any other web site where [they] use the same or a similar password.'" Some customers responded almost immediately by filing putative class actions in federal district courts across the country.

Read The Full CaseNot a Lexis Advance subscriber? Try it out for free.

Full case includes Shepard's, Headnotes, Legal Analytics from Lex Machina, and more.

888 F.3d 1020 *; 2018 U.S. App. LEXIS 10031 **; 2018 WL 1189643

IN RE ZAPPOS.COM, INC., CUSTOMER DATA SECURITY BREACH LITIGATION, THERESA STEVENS; KRISTIN O'BRIEN; TERRI WADSWORTH; DAHLIA HABASHY; PATTI HASNER; SHARI SIMON; STEPHANIE PRIERA; KATHRYN VORHOFF; DENISE RELETHFORD; ROBERT REE, Plaintiffs-Appellants, v. ZAPPOS.COM., INC., Defendant-Appellee.

Subsequent History: US Supreme Court certiorari denied by Zappos.com, Inc. v. Stevens, 2019 U.S. LEXIS 2106 (U.S., Mar. 25, 2019)

Prior History:  [**1] Appeal from the United States District Court for the District of Nevada. D.C. No. 3:12-cv-00325-RCJ-VPC. Robert Clive Jones, Senior District Judge, Presiding.

Stevens v. Zappos.com, Inc. (In re Zappos.com, Inc., Customer Data Sec. Breach Litig.), 884 F.3d 893, 2018 U.S. App. LEXIS 5841 (9th Cir. Nev., Mar. 8, 2018)In re Zappos.com, 2016 U.S. Dist. LEXIS 60453 (D. Nev., May 6, 2016)

CORE TERMS

identity theft, plaintiffs', stolen, hackers, numbers, surveillance, communications, customers, passwords, theft, district court, laptop, card, injury in fact, speculative, Complaints, impending

Civil Procedure, Jurisdiction, Subject Matter Jurisdiction, Jurisdiction Over Actions, Responses, Defenses, Demurrers & Objections, Motions to Dismiss, Appeals, Standards of Review, De Novo Review, Preliminary Considerations, Justiciability, Standing, Standing, Injury in Fact, Constitutional Law, Case or Controversy, Elements, Particular Parties, Governments, Courts, Judicial Precedent, Banking Law, Consumer Protection, Fair Credit Reporting, Identity Theft, Burdens of Proof, Class Actions, Class Members, Named Members, Summary Judgment, Burdens of Proof, Nonmovant Persuasion & Proof