In 2012, Zappos, an online shoe retailer and Amazon acquisition, experienced a data breach where hackers stole the personal identifiable information (“PII”) of more than 24 million customers. Zappos was required to notify its customers of the breach, which resulted in various lawsuits being filed against Zappos by its customers. The lawsuit separated these claims into two major groups: customers whose PII was lost and whose identities were actually stolen because of the breach (“Group 1”), and customers whose PII was lost but who suffered no identity theft and claimed that the breach increased their risk of future identity theft (“Group 2”).
No Harm, No Foul?
Originally, the U.S. District Court handling the case dismissed claims from Group 2 customers who had not actually claimed that their identify was stolen as a result of the Zappos breach (but who believed they were now at higher risk of future identity theft). The District Court found that allegations of possible future harm resulting from stolen information alone did not provide a basis for these customers to sue Zappos, as they had not yet experienced a concrete and particularized injury (identity theft in this case). The harm was not imminent. In re: Zappos.com, Inc., Customer Data Security Breach Litigation, 3:12-cv-00325-RCJ-VPC, Dkt. 235 (D. Nev. June 1, 2015).
These Group 2 customers alleged that because of the loss of their PII in the breach, their identities were now at higher risk of being stolen. They blamed Zappos for disregarding their privacy rights by “intentionally, willfully, recklessly, or negligently failing to take the necessary precautions required to safeguard and protect their PII from unauthorized disclosure.” The Group 2 customers argued that they provided Zappos with certain personal information when making purchases (name, shipping and billing addresses, credit and debit information) in reliance on Zappos’ data security representations.
If the Shoe Fits…
On March 8, 2018, the U.S. Court of Appeals for the Ninth Circuit found that the “imminent” risk of identity theft as a result of the loss of PII in the Zappos breach was enough to allow the Group 2 customers, who had not yet been the victims of identity fraud, to proceed with their suit against Zappos based on the risk of future identity theft being “fairly traceable” to Zappos’ failure to prevent the breach. In re Zappos.com, Inc., No. 16-16860, 2018 WL 1189643, (9th Cir. Mar. 8, 2018).
What Does This Mean for My Business?
Businesses that collect information for customers (even to fulfil orders) must safeguard such information and have processes in place to protect inadvertent disclosure. While businesses may have a privacy policy addressing this, it is important to continually monitor and update these agreements for adjustments in internal practices, changes in the technology, or regulatory changes regarding the collection and storage of such information. Documentation of the process is not enough; companies must actively safeguard customer information through ever-evolving technology standards and security measures to limit unauthorized access to customer information.
Claims made regarding data practices (e.g. “we take your personal information very seriously”) should be carefully crafted in conjunction with legal counsel. A comprehensive data privacy policy is crucial to have in place along with an action plan to immediately address notification requirements and promptly take indicated actions in the event of a data breach.
Failure to comply with privacy and data security laws can result in government-imposed civil and criminal sanctions, and significant fines and damage awards resulting from private lawsuits. Failure to properly address these issues can also damage a company’s reputation and customers’ confidence and trust, leading to lost sales, depreciating market share, and reduction in stockholder value.
If you have any questions regarding data security and privacy, please contact your H&C attorney or a member of the Corporate Department.
Brendan Lund
Mark Heyl
Sepi Ghiasvand