Earlier this week, the Supreme Court once again denied a petition for writ of certiorari to resolve the circuit split on standing in data breach class actions. Zappos.com, Inc. v. Stevens, No. 18-225, __ S. Ct. __ (Mar. 25, 2019). This decision was a setback for companies hoping to limit their liability in data breach cases and kept intact the Ninth Circuit’s decision that found plaintiffs have standing based on allegations that their information was stored in a breached database without any allegations that their information was misused. Of note, this is the third such refusal by the Supreme Court over the past year to resolve this threshold issue in data breach cases. With this most recent denial, a business’s legal exposure after a data breach will continue to depend on the laws of the circuit where the claims are filed.
Standing to pursue data breach claims is of great importance to retailers, as they are increasingly named as defendants in class action lawsuits filed by consumers whose information was allegedly compromised in the breach. From last April to June alone, data breaches and cyberattacks affected over 765 million people. Yet most of the affected consumers never experience identity theft or fraudulent charges. Is the mere fear of identity theft or fraudulent charges in the wake of a data breach enough to constitute an injury in fact giving rise to standing to sue? Or should these actions be dismissed for lack of jurisdiction?
The Ninth Circuit has now joined the District of Columbia, Third, Sixth, and Seventh Circuits that have adopted a plaintiff-friendly view, holding that plaintiffs who alleged fear of future identity theft or fraudulent charges in the wake of a data breach satisfied the injury-in-fact requirement for standing under Article III. Even more alarming for retailers is that Zappos did everything a responsible corporate citizen would do upon learning of a breach: it immediately cut access between its systems and the outside world, suspended online ordering until customers’ passwords were reset, and notified its customers to change their passwords. These actions prevented widespread harm and, as a result, only a handful of customers out of 24 million reported concerns that their information was misused in the six years following the breach. The Supreme Court’s denial of Zappos’s petition leaves in place these circuit decisions, which appear to ignore the fundamental requirements of Article III standing.
On the other hand, the First, Second, Fourth, and Eighth Circuits have adopted a defense-friendly view of standing. These circuits reason that fear of future harm as a result of a data breach is too speculative to meet Article III’s standing requirements, as interpreted by the Supreme Court. See, e.g., Clapper v. Amnesty International USA, 568 U.S. 398, 409 (2013) (standing under Article III requires that any alleged “future harm” be “certainly impending” and that “allegations of possible future injury are not sufficient”).
Unfortunately, it may be years until the Supreme Court has the appetite to clarify Article III’s standing requirements in data breach cases. In the absence of Supreme Court guidance on the standing issue, we anticipate that district courts within the District of Columbia, Third, Sixth, Seventh, and Ninth Circuits – which have ruled favorably for plaintiffs on the standing issue – will emerge as the forums of choice for data breach class actions. Retailers should be mindful of these unfavorable jurisdictions and where possible seek to consolidate data breach cases elsewhere.