Stevens v. Zappos.com., Inc. (In re Zappos.com., Inc.)

• Citation: 888 F.3d 1020
• Decision Date: 08 March 2018
• Docket Number: No. 16-16860,16-16860
• Parties: IN RE ZAPPOS.COM, INC., Customer Data Security Breach Litigation, Theresa Stevens; Kristin O'Brien; Terri Wadsworth; Dahlia Habashy; Patti Hasner; Shari Simon ; Stephanie Priera; Kathryn Vorhoff; Denise Relethford; Robert Ree, Plaintiffs–Appellants, v. Zappos.com., Inc., Defendant–Appellee.
• Court: United States Courts of Appeals. United States Court of Appeals (9th Circuit)

888 F.3d 1020

IN RE ZAPPOS.COM, INC., Customer Data Security Breach Litigation,

Theresa Stevens; Kristin O'Brien; Terri Wadsworth; Dahlia Habashy; Patti Hasner; Shari Simon ; Stephanie Priera; Kathryn Vorhoff; Denise Relethford; Robert Ree, Plaintiffs–Appellants,

v.Zappos.com., Inc., Defendant–Appellee.

No. 16-16860

United States Court of Appeals, Ninth Circuit.

Argued and Submitted December 5, 2017 San Francisco, California

Filed March 8, 2018

Amended April 20, 2018

Douglas Gregory Blankinship (argued), Finkelstein Blankinship Frei–Pearson and Garber LLP, White Plains, New York; David C. O'Mara, The O'Mara Law Firm P.C., Reno, Nevada; Ben Barnow, Barnow and Associates P.C., Chicago, Illinois; Richard L. Coffman, The Coffman Law Firm, Beaumont, Texas; Marc L. Godino, Glancy Binkow & Goldberg LLP, Los Angeles, California; for Plaintiffs–Appellants.

Stephen J. Newman (argued), David W. Moon, Brian C. Frontino, and Julia B. Strickland, Stroock & Stroock & Lavan LLP, Los Angeles, California; Robert McCoy, Kaempfer Crowell, Las Vegas, Nevada; for Defendant–Appellee.

Before: John B. Owens and Michelle T. Friedland, Circuit Judges, and Elaine E. Bucklo,^* District Judge.

ORDER

The opinion filed on March 8, 2018, and appearing at 884 F.3d 893, is amended as follows. On page 899:

Replace with But it could not offer any support for that contention. After our opinion was initially filed, Zappos sought rehearing on this issue, urging us to read Rockwell International Corp. v. United States , 549 U.S. 457, 473, 127 S.Ct. 1397, 167 L.Ed.2d 190 (2007), and Northstar Financial Advisors Inc. v. Schwab Investments , 779 F.3d 1036, 1044 (9th Cir. 2015), to require that we assess standing at the time Plaintiffs filed their operative Third Amended Complaint, rather than their original Complaints. But whether we look at the original Complaints or Plaintiffs' Third Amended Complaint, the allegations about the increased risk of harm Plaintiffs face are relevantly the same—in the Complaints, Plaintiffs allege that the Zappos data breach places them at imminent risk of identity theft. Zappos argues that this allegation is implausible, but it does so by relying on facts outside the Complaints (or contentions about the absence of certain facts), which makes its argument one that may be appropriate for summary judgment but not one that may support a facial challenge to standing at the motion to dismiss stage>.

Following in the above replacement text, insert a footnote these cases is also unconvincing, as these cases do not actually address whether standing is measured at the time of an initial complaint or at the time of an amended complaint, as opposed to whether the allegations in an amended complaint may sometimes be considered in evaluating whether there was standing at the time the case was originally filed or whether an amended complaint may be considered a supplemental pleading under Federal Rule of Civil Procedure 15(d).>.

Following in the above replacement text, insert a footnote Plaintiff Robert Ree does not clearly allege a risk of future identity theft. But even assuming Ree would not have had standing on his own based on his original Complaint, only one Plaintiff needs to have standing for a class action to proceed. See Bates v. United Parcel Serv., Inc. , 511 F.3d 974, 985 (9th Cir. 2007) (en banc).>.

In the current footnote 11, delete ; Mollan v. Torrance , 22 U.S. 537, 9 Wheat. 537, 6 L.Ed. 154 (1824).>.

With these amendments, the panel has unanimously voted to deny appellee's petition for rehearing. Judge Owens and Judge Friedland have voted to deny the petition for rehearing en banc. Judge Bucklo recommends denial of the petition for rehearing en banc. The full court has been advised of the petition for rehearing en banc, and no judge has requested a vote on whether to rehear the matter en banc. Fed. R. App. P. 35.

The petitions for rehearing and rehearing en banc are DENIED . No further petitions shall be entertained.

OPINION

FRIEDLAND, Circuit Judge:

In January 2012, hackers breached the servers of online retailer Zappos.com, Inc. ("Zappos") and allegedly stole the names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million Zappos customers. Several of those customers filed putative class actions in federal courts across the country, asserting that Zappos had not adequately protected their personal information. Their lawsuits were consolidated for pretrial proceedings.

Although some of the plaintiffs alleged that the hackers used stolen information about them to conduct subsequent financial transactions, the plaintiffs who are the focus of this appeal ("Plaintiffs") did not. This appeal concerns claims based on the hacking incident itself, not any subsequent illegal activity.

The district court dismissed Plaintiffs' claims for lack of Article III standing. In this appeal, Plaintiffs contend that the district court erred in doing so, and they press several potential bases for standing, including that the Zappos data breach put them at risk of identity theft.

We addressed standing in an analogous context in Krottner v. Starbucks Corp. , 628 F.3d 1139 (9th Cir. 2010). There, we held that employees of Starbucks had standing to sue the company based on the risk of identity theft they faced after a company laptop containing their personal information was stolen. Id. at 1140, 1143. We reject Zappos's argument that Krottner is no longer good law after Clapper v. Amnesty International USA , 568 U.S. 398, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013), and hold that, under Krottner , Plaintiffs have sufficiently alleged standing based on the risk of identity theft.¹

I.

When they bought merchandise on Zappos's website, customers provided personal identifying information ("PII"), including their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information. Sometime before January 16, 2012, hackers targeted Zappos's servers, stealing the PII of more than 24 million of its customers, including their full credit card numbers.² On January 16, Zappos sent an email to its customers, notifying them of the theft of their PII. The company recommended "that they reset their Zappos.com account passwords and change the passwords 'on any other web site where [they] use the same or a similar password.' " Some customers responded almost immediately by filing putative class actions in federal district courts across the country.

In these suits, Plaintiffs alleged an "imminent" risk of identity theft or fraud from the Zappos breach. Relying on definitions from the United States Government Accountability Office ("GAO"), they characterized "identity theft" and "identity fraud" as "encompassing various types of criminal activities, such as when PII is used to commit fraud or other crimes," including "credit card fraud, phone or utilities fraud, bank fraud and government fraud."³

The Judicial Panel on Multidistrict Litigation transferred several putative class action lawsuits alleging harms from the Zappos data breach to the District of Nevada for pretrial proceedings. After several years of pleadings-stage litigation, including a hiatus for mediation, the district court granted in part and denied in part Zappos's motion to dismiss the Third Amended Consolidated Complaint ("Complaint") and granted Zappos's motion to strike the Complaint's class allegations. The court distinguished between two groups of plaintiffs: (1) plaintiffs named only in the Third Amended Complaint who alleged that they had already suffered financial losses from identity theft caused by Zappos's breach, and (2) plaintiffs named in earlier complaints who did not allege having already suffered financial losses from identity theft.

The district court ruled that the first group of plaintiffs had Article III standing because they alleged "that actual fraud occurred as a direct result of the breach." But the court ruled that the second group of plaintiffs (again, here referred to as "Plaintiffs") lacked Article III standing and dismissed their claims without leave to amend because Plaintiffs had "failed to allege instances of actual identity theft or fraud." The parties then agreed to dismiss all remaining claims with prejudice, and Plaintiffs appealed.

II.

We review the district court's standing determination de novo. See Maya v. Centex Corp. , 658 F.3d 1060, 1067 (9th Cir. 2011). To have Article III standing,

a plaintiff must show (1) it has suffered an "injury in fact" that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.

Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc. , 528 U.S. 167, 180–81, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000) ; see also Spokeo, Inc. v. Robins , ––– U.S. ––––, 136 S.Ct. 1540, 1547, 194 L.Ed.2d 635 (2016). A plaintiff threatened with future injury has standing to sue "if the threatened injury is 'certainly impending,' or there is a 'substantial risk that the harm will occur.' " Susan B. Anthony List v. Driehaus , ––– U.S. ––––, 134 S.Ct. 2334, 2341, 189 L.Ed.2d 246 (2014) (quoting Clapper v. Amnesty Int'l USA , 568 U.S. 398, 414 & n.5, 133 S.Ct. 1138, 185 (L.Ed.2d 264 2013) ) (internal quotation marks omitted).

III.

We addressed the Article III standing of victims of data theft in Krottner v. Starbucks Corp. , 628 F.3d 1139 (9th Cir. 2010). In Krottner , a thief stole a laptop containing "the unencrypted names, addresses, and social security numbers of approximately 97,000 Starbucks employees." Id. at 1140. "Starbucks sent a letter to ... affected employees alerting them to the theft and stating that Starbucks had no indication that the private information...