MDL No. 2357 - IN RE: Zappos.com, Inc., Customer Data Security Breach Litigation, No. 3:2012cv00325 - Document 235 (D. Nev. 2015)

Court Description: ORDER granting without prejudice 217 Motion to Dismiss, granting Plaintiffs leave to amend their complaints; denying as moot 219 Motion to Strike; granting 218 Motion for Leave. Signed by Judge Robert C. Jones on 6/1/2015. (Copies have been distributed pursuant to the NEF - KR)
Download PDF
MDL No. 2357 - IN RE: Zappos.com, Inc., Customer Data Security Breach Litigation Doc. 235 1 2 3 UNITED STATES DISTRICT COURT 4 DISTRICT OF NEVADA 5 6 In re ZAPPOS.COM, INC., CUSTOMER DATA SECURITY BREACH LITIGATION 3:12-cv-00325-RCJ-VPC MDL No. 2357 7 ORDER 8 9 This multidistrict litigation case arises out of a security breach of Zappos.com’s customer 10 data. Pending before the Court is a Motion to Dismiss, (ECF No. 217), filed by Amazon.com, 11 Inc. doing business as Zappos.com (“Zappos”). Also pending is Zappos’s Motion to Strike 12 Prayers for Punitive Damages and Restitution. (ECF No. 219). Zappos has also filed a Motion 13 for Leave to File Excess Pages. (ECF No. 218). The Court has considered all of the briefing on 14 the pending Motions. For the reasons contained herein, the Motion to Dismiss is GRANTED, 15 and the Motion to Strike is DENIED as moot. 16 I. 17 FACTS AND PROCEDURAL HISTORY On January 15, 2012, Zappos’s servers located in Kentucky and Nevada were targeted by 18 a hacker or group of hackers. The servers contained the personal identifying information of 19 approximately 24 million Zappos’s customers. On January 16, 2012, Zappos sent an email to its 20 customers notifying them that its servers had been breached and that data had been stolen, 21 including customers’ names, account numbers, passwords, email addresses, billing and shipping 22 addresses, phone numbers, and the last four digits of their credit cards used to make purchases. 23 Shortly thereafter, a number of lawsuits were filed against Zappos seeking damages. 24 1 Dockets.Justia.com 1 On June 14, 2012, the U.S. Judicial Panel on Multidistrict Litigation (“JPML”) granted 2 Zappos’s motion to create the present case pursuant to 28 U.S.C. § 1407, transferring six 3 extra-district actions to this District, consolidating them with three actions from this District, and 4 assigning the consolidated case to this Court. (Transfer Order, ECF No. 1). Zappos moved to 5 compel arbitration and stay the case. While that motion was pending, the JPML transferred an 6 additional action to be consolidated with the instant case. (Conditional Transfer Order, ECF No. 7 5). The Court denied the motion to compel arbitration because the arbitration contract was 8 “browsewrap” not requiring any objective manifestation of assent (as opposed to a “clickwrap” 9 agreement), and there was no evidence that Plaintiffs had knowledge of the offer such that assent 10 11 could be implied merely by use of the website. (See Sept. 27, 2012 Order 7–10, ECF No. 21). Plaintiffs then amended their pleadings into two separate consolidated class action 12 complaints, and Zappos filed a motion to dismiss the amended complaints for lack of standing 13 and for failure to state a claim. (ECF No. 62). On September 9, 2013, the Court granted in part 14 and denied in part Zappos’s motion. (ECF No. 114). Thereafter, Plaintiffs Preira, Ree, Simon, 15 Hasner, Habashy, and Nobles (“the Preira Plaintiffs”) filed their Second Amended Consolidated 16 Complaint (the “Preira SAC”). (ECF No. 118). And Plaintiffs Stevens, Penson, Elliot, Brown, 17 Seal, Relethford, and Braxton (the “Stevens Plaintiffs”) filed their Second Amended 18 Consolidated Class Action Complaint (the “Stevens SAC”). (ECF No. 119). 19 On November 4, 2013, Zappos moved for dismissal of the Preira SAC and the Stevens 20 SAC. (ECF No. 122). Zappos also moved to strike Plaintiffs’ prayers for punitive damages and 21 restitution. (ECF No. 124). While those motions were pending, the parties engaged in mediation 22 in an attempt to reach a settlement. The parties stipulated to stay the proceedings various times, 23 each time representing to the Court that settlement negotiations were progressing. (See ECF Nos. 24 2 1 192, 196, 201). After the third stipulation to stay, which was filed on September 17, 2014, and in 2 reliance on the parties’ representation that a settlement agreement was close, the Court entered 3 an order denying Zappos’s still pending motion to dismiss and motion to strike without 4 prejudice. (ECF No. 202). Despite the progress made during mediation as to class-wide relief, a final agreement 5 6 could not be reached between the parties due to a disagreement over attorneys’ fees. However, 7 Plaintiffs filed a motion on December 4, 2014 to enforce a supposed settlement. (ECF No. 207), 8 claiming that a cap on the fees class counsel would request was not material to the settlement. 9 After responding to Plaintiffs’ arguments regarding whether an enforceable settlement had been 10 reached, Zappos renewed its previous dismissal arguments by filing the instant Motions on 11 January 30, 2015. (ECF Nos. 217, 219). Plaintiffs then requested an extension of time to oppose 12 the Motions pending the Court’s determination of the motion to enforce. On March 27, 2015, 13 the Court, finding that no final settlement had been reached, denied the motion to enforce and 14 ordered Plaintiffs to respond to the instant Motions so that the case might proceed. Accordingly, 15 the Court now considers the merits of Zappos’s Motion to Dismiss the Preira and Stevens SACs 16 pursuant to Rule 12(b)(1) for lack of standing. 17 II. LEGAL STANDARD 18 “Lack of standing is a defect in subject-matter jurisdiction and may properly be 19 challenged under Rule 12(b)(1).” Wright v. Incline Vill. Gen. Imp. Dist., 597 F. Supp. 2d 1191, 20 1199 (D. Nev. 2009) (citing Bender v. Williamsport Area Sch. Dist., 475 U.S. 534, 541 (1986)). 21 Zappos argues that the Preira and Stevens SACs fail to establish Plaintiffs’ standing to sue. This 22 is considered a “facial” challenge to subject-matter jurisdiction. Thornhill Publ’g Co. v. Gen. Tel. 23 & Elec. Corp., 594 F.2d 730, 733 (9th Cir. 1979). “In a facial attack, the challenger asserts that 24 3 1 the allegations contained in a complaint are insufficient on their face to invoke federal 2 jurisdiction.” Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004). If the 3 movant’s challenge is a facial one, then the “court must consider the allegations of the complaint 4 to be true and construe them in the light most favorable to the plaintiff.” Nevada ex rel. Colo. 5 River Comm’n of Nev. v. Pioneer Cos., 245 F. Supp. 2d 1120, 1124 (D. Nev. 2003) (citing Love 6 v. United States, 915 F.2d 1242, 1245 (9th Cir. 1989)). 7 III. 8 9 DISCUSSION Zappos contends that Plaintiffs lack standing in this case because they have not alleged any actual damages arising from the data breach. Plaintiffs contend that their injury stems from 10 an increased risk that they will become victims of identity theft or other fraudulent activities 11 because their personal information has been jeopardized. None of the Plaintiffs, however, allege 12 that they have suffered such harm as of yet. Moreover, only three of the twelve named Plaintiffs 13 have taken the additional step of purchasing credit monitoring services to protect against the 14 allegedly increased threat of fraud. In addition to the increased threat of harm, Plaintiffs further 15 argue that they have standing based on damage to the intrinsic value of their data. 16 The Court was presented with similar arguments when ruling on Zappos’s previous 17 motion to dismiss. At that time, the Court determined that Plaintiffs’ allegations “that they have 18 had to pay money to monitor their credit scores and secure their financial information due to the 19 increased risk of criminal fraud” were sufficient to establish standing. (Sept. 9, 2013 Order 5). 20 However, given developments in the caselaw dealing with standing of data-breach victims, and 21 because Article III standing is an “indispensable part of a plaintiff’s case” rather than a pleading 22 requirement, the Court finds it appropriate to review its prior ruling. Lujan v. Defenders of 23 Wildlife, 504 U.S. 555, 561 (1992). 24 4 1 “Standing under Article III of the Constitution requires that an injury be concrete, 2 particularized, and actual or imminent; fairly traceable to the challenged action; and redressable 3 by a favorable ruling.” Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149 (2010). When 4 a party’s allegations of injury rest on future harm, standing arises only if that harm is “certainly 5 impending,” Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (internal quotation marks and 6 citation omitted), “or there is a ‘substantial risk’ that the harm will occur.” Susan B. Anthony List 7 v. Driehaus, 134 S. Ct. 2334, 2342 (2014) (citation omitted). Allegations “of possible future 8 injury are not sufficient.” Clapper, 133 S. Ct. at 1147 (quotation marks and citation omitted). 9 The party invoking federal jurisdiction has the burden of establishing actual or imminent 10 injury. Defenders of Wildlife, 504 U.S. at 561. In a class action, the named plaintiffs attempting 11 to represent the class “must allege and show that they personally have been injured, not that 12 injury has been suffered by other, unidentified members of the class to which they belong and 13 which they purport to represent.” Warth v. Seldin, 422 U.S. 490, 502 (1975). “[I]f none of the 14 named plaintiffs purporting to represent a class establishes the requisite of a case or controversy 15 with the defendants, none may seek relief on behalf of himself or any other member of the 16 class.” O’Shea v. Littleton, 414 U.S. 488, 494 (1974). 17 18 1. Decreased value in Plaintiffs’ personal information The Court deals first with Plaintiffs’ last theory of standing. Plaintiffs attempt to 19 establish standing by arguing that the data breach resulted in a devaluation of their personal 20 information. Plaintiffs allege that a “robust market” exists for the sale and purchase of consumer 21 data such as the personal information that was stolen during the breach, the value of this data 22 apparently being appraised at between $ 30.49 and $44.62. (Stevens SAC ¶¶ 51–52). Plaintiffs 23 24 5 1 claim that the Zappos security breach deprived them of the “substantial value” of their personal 2 information, which they are entitled to recover. (Id. ¶ 54). 3 The Court does not buy this argument. Even assuming that Plaintiffs’ data has value on 4 the black market, Plaintiffs do not allege any facts explaining how their personal information 5 became less valuable as a result of the breach or that they attempted to sell their information and 6 were rebuffed because of a lower price-point attributable to the security breach. See Galaria v. 7 Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 660 (S.D. Ohio 2014) (rejecting a similar 8 argument because the named plaintiffs failed to allege that the data security breach actually 9 prevented them from selling their information at the price they claimed the data was worth); see 10 also In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litg., 45 F. Supp. 3d 14, 11 30 (D.D.C. 2014) (same). Thus, the Court finds that these allegations do not establish standing. 12 13 2. Increased threat of future harm Plaintiffs’ purported standing rests largely on the theory that they suffer an increased 14 threat of future identity theft and fraud as a result of Zappos’s security breach. Courts are 15 divided on what constitutes sufficient injury-in-fact to establish standing in the context of a data 16 security breach. The division arises, at least in part, from the Supreme Court’s recent holding in 17 Clapper v. Amnesty International. 18 In Clapper, the plaintiffs, a group of lawyers, challenged the constitutionality of a section 19 of the Foreign Intelligence Surveillance Act (“FISA”) that authorizes surveillance of individuals 20 who are not United States persons and are believed to be located outside of the United States. 21 133 S. Ct. at 1142. The plaintiffs alleged that their work required them to engage in sensitive 22 international communication with individuals that they suspected were targets of surveillance 23 under FISA. Id. There was no evidence, however, that their communications had been targeted 24 6 1 or that the Government would imminently target their communications. Nevertheless, the 2 plaintiffs claimed that their injury arose from an increased risk that their communications could 3 be monitored in the future. 4 The Court held that the alleged harm was entirely speculative and did not support 5 standing since the future injury was not “certainly impending.” Id. at 1148. The Court explained 6 that the plaintiffs’ arguments “rest[ed] on their highly speculative fear” that (1) the Government 7 would decide to target non-U.S. persons with whom they communicate; (2) that in doing so, the 8 Government would choose to invoke its authority under FISA rather than some other method of 9 surveillance; (3) that the Article III judges who serve on the Foreign Intelligence Surveillance 10 Court would conclude the surveillance comported with the Fourth Amendment; (4) that the 11 Government would succeed in intercepting communications of plaintiffs’ contacts; and (5) 12 plaintiffs would be parties to the particular communications intercepted by the Government. Id. 13 This “highly attenuated chain of possibilities,” the Court concluded, did not satisfy “the 14 requirement that injury must be certainly impending.” Id. The Court was also not willing “to 15 abandon [its] usual reluctance to endorse standing theories that rest on speculation about the 16 decisions of independent actors,” id. at 1150, and it rejected the Second Circuit’s reasoning that 17 standing could be based on “an objectively reasonable likelihood” that the plaintiffs’ 18 communications with their foreign contacts would be intercepted in the future, id. at 1147. 19 The majority of courts dealing with data-breach cases post-Clapper have held that absent 20 allegations of actual identity theft or other fraud, the increased risk of such harm alone is 21 insufficient to satisfy Article III standing. See, e.g., Green v. eBay Inc., No. CIV.A.14-1688, 22 2015 WL 2066531, at *5 (E.D. La. May 4, 2015) (finding no standing where plaintiff’s data was 23 accessed during a security breach because there were no allegations that the information had 24 7 1 been used or any indication that its use was imminent); Storm v. Paytime, Inc., ---F. Supp. 3d---, 2 No. 14-cv-1138, 2015 WL 1119724, at *6 (M.D. Pa. Mar. 13, 2015) (finding no standing where 3 plaintiffs did not allege that they actually suffered any form of identity theft as a result of the 4 defendant’s data breach); Peters v. St. Joseph Servs. Corp., ---F. Supp. 3d---, No. 4:14-cv-2872, 5 2015 WL 589561, *4–*5 (S.D. Tex. Feb. 11, 2015) (finding no standing where plaintiff did not 6 allege actual identity theft or fraud despite the possibility “that fraudulent use of her personal 7 information could go undetected for long periods of time”); Galaria, 998 F. Supp. 2d at 654 8 (finding no standing where plaintiffs alleged their personal information was stolen and 9 disseminated but did not allege that their data had been misused); In re SAIC, 45 F. Supp. 3d at 10 26 (finding no standing where plaintiffs allegations of potential identity theft, which had not yet 11 occurred, were “entirely dependent on the actions of an unknown third party”); Lewert v. P.F. 12 Chang’s China Bistro, Inc., No. 14-cv-4787, 2014 WL 7005097, at *3 (N.D. Ill. Dec. 10, 2014) 13 (finding no standing where plaintiffs did not allege that identity theft had occurred but only that 14 it “may happen in coming years”); Remijas v. Neiman Marcus Grp., LLC, No. 14c1735, 2014 15 WL 4627893, at *3 (N.D. Ill. Sept. 16, 2014) (finding no standing where plaintiffs’ alleged 16 injury was not “concrete” because it was based on “potential future fraudulent charges”); Burton 17 v. MAPCO Exp., Inc., No. 5:13-cv-00919-MHH, 2014 WL 4686479, at *1 (N.D. Ala. Sept. 12, 18 2014) (finding no standing despite plaintiff’s allegations of unauthorized charges on his debit 19 card because plaintiff did not allege that he actually had to pay for the charges); U.S. Hotel & 20 Resort Mgmt., Inc. v. Onity, Inc., No. CIV.13-1499, 2014 WL 3748639, at *5 (D. Minn. July 30, 21 2014) (recognizing that “[i]n the ‘lost data’ context . . . a majority of the courts . . . hold that 22 plaintiffs whose confidential data has been exposed, or possibly exposed by theft or a breach of 23 an inadequate computer security system, but who have not yet had their identity stolen or their 24 8 1 data otherwise actually abused, lack standing to sue the party who failed to protect their data”); 2 In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617, 2013 WL 4759588, at *3 (N.D. Ill. Sept. 3 3, 2013) (“Merely alleging an increased risk of identity theft or fraud is insufficient to establish 4 standing.”). Courts in the Ninth Circuit, however, have held the opposite.1 See In re Adobe Sys., Inc. 5 6 Privacy Litig., ---F. Supp. 3d---, No. 13-cv-05226-LHK, 2014 WL 4379916, at *8 (N.D. Cal. 7 Sept. 4, 2014) (finding standing where hacker “spent several weeks” in Adobe’s servers 8 collecting customers’ information despite no allegations that the plaintiffs’ data had been 9 misused); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 10 942, 962 (S.D. Cal. 2014) (finding standing where the plaintiffs “alleged a ‘credible threat’ of 11 impending harm” based on a data breach). These cases were decided in light of the Ninth 12 Circuit’s holding in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). 13 In Krottner, employees of Starbucks sued the company when a laptop containing 14 unencrypted names, addresses, and social security numbers of approximately 97,000 employees 15 was stolen. 628 F.3d at 1140. Although some of the plaintiffs enrolled in credit monitoring 16 services, they did not allege that any theft or other fraud actually occurred. Id. at 1142. 17 Starbucks challenged the employees’ standing since their allegations of harm were based solely 18 on an “increased risk of future identity theft.” Id. The court found the allegations sufficient to 19 confer standing, holding that “[i]f a plaintiff faces ‘a credible threat of harm’ and that harm is 20 ‘both real and immediate, not conjectural or hypothetical,’ the plaintiff has met the injury-in-fact 21 requirement for standing under Article III.” Id. at 1143. 22 1 23 24 Some courts outside the Ninth Circuit have also found standing in data breach cases where the plaintiffs do not allege actual identity theft or fraud, but those cases are relatively few. See Moyer v. Michaels Stores, Inc., No. 14C561, 2014 WL 3511500, at *6 (N.D. Ill. July 14, 2014) (concluding “that the elevated risk of identity theft stemming from the data breach at Michaels is sufficiently imminent to give Plaintiffs standing”). 9 1 While other courts have criticized this test for being too lax post-Clapper, see Peters, 2 2015 WL 589561, at *6–*7 (recognizing the pre-Clapper split among the Third, Seventh, and 3 Ninth Circuits on the issue of standing but finding that Clapper “[a]rguably . . . resolved the 4 circuit split” and claiming that the Clapper “holding compels the conclusion” that plaintiffs lack 5 standing to the extent the claims “are premised on the heightened risk of future identity 6 theft/fraud”); Galaria, 998 F. Supp. 2d at 656 (finding that the reasoning in Clapper “seems to 7 preclude the Ninth Circuit’s even lower ‘not merely speculative’ standard for injury-in-fact” 8 articulated in Krottner); In re SAIC, 45 F. Supp. 3d at 28 (impliedly accusing Krottner of being 9 “thinly reasoned” and stating that, post-Clapper, the “‘credible threat of harm’ standard is clearly 10 not supportable”), the Adobe and Sony courts found that Clapper did not overrule Krottner and 11 that, in fact, Clapper and Krottner are quite compatible. 12 In Sony, the court found that “although the Supreme Court’s word choice in Clapper 13 differed from the Ninth Circuit’s word choice in Krottner, stating that the harm must be 14 ‘certainly impending,’ rather than ‘real and immediate,’ the Supreme Court’s decision in Clapper 15 did not set forth a new Article III framework, nor did the Supreme Court’s decision overrule 16 previous precedent requiring that the harm be ‘real and immediate.’” 996 F. Supp. 2d at 961. 17 Likewise, the Adobe court reasoned that “Clapper did not change the law governing 18 Article III standing.” 2014 WL 4379916, at *7. “Clapper merely held that the Second Circuit 19 had strayed from [the] well-established standing principles by accepting a too-speculative theory 20 of future injury.” Id. The court recognized the unique context in which Clapper was decided—a 21 constitutional challenge to a national defense law—and concluded that Krottner and Clapper are 22 not “clearly irreconcilable.” Id. at *8. The court determined that the “difference in wording 23 [between the two tests] is not substantial and that “Krottner’s phrasing is closer to Clapper’s 24 10 1 ‘certainly impending’ language than it is to the Second Circuit’s ‘objectively reasonable 2 likelihood’ standard that the Supreme Court reversed in Clapper.” Id. This Court agrees that Clapper does not necessarily overrule Krottner. The Krottner test 3 4 is composed of two parts: (1) the plaintiff must face “a credible threat of harm,” and (2) “that 5 harm [must be] ‘both real and immediate.’” 628 F.3d at 1143. Both parts of the test must be met 6 before the future harm equates to an injury-in-fact. Thus, it is not enough that a plaintiff face a 7 credible threat of harm if that harm is not real, i.e. concrete, and immediate, i.e. certainly 8 impending. Krottner, therefore, may be interpreted to require the same immediacy of harm that 9 the Supreme Court emphasized in Clapper. Furthermore, the Supreme Court explained post-Clapper that “[a]n allegation of future 10 11 injury may suffice if the threatened injury is ‘certainly impending’ or there is a ‘substantial risk’ 12 that the harm will occur.” Driehaus, 134 S. Ct. at 2341 (emphasis added). So to the extent that 13 the Krottner test is not as rigid as the standard articulated in Clapper, surely it embodies 14 Driehaus’s “substantial risk” language.2 Accordingly, this Court finds itself bound by Krottner. 15 See In re Adobe, 2014 WL 4379916, at *8. 16 However, just because Krottner is controlling does not consequently mean that its 17 outcome dictates the Court’s conclusion as to standing here, due to the unique posture of this 18 case. Immediacy is a common theme found in cases that discuss standing based on an alleged 19 future harm. See Nelsen v. King Cnty., 895 F.2d 1248, 1254 (9th Cir. 1990) (denying standing 20 where plaintiffs failed to show “a credible threat of immediate future harm”). It is not enough 21 2 22 23 24 Clapper recognized that future harm could create standing if the harm posed a “substantial risk.” 133 S. Ct. at 1150 n.5; see also Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 153–54 (2010) (using this test to determine standing). In acknowledging this alternative articulation, though presumably not an alternative test, the Court stated that the impending harm does not need to be “literally certain.” Clapper, 133 S. Ct. at 1150 n.5. Instead, the Court emphasized that “plaintiffs bear the burden of pleading and proving concrete facts showing that the defendant’s actual action has caused the substantial risk of harm” and that plaintiffs “cannot rely on speculation about ‘the unfettered choices made by independent actors not before the court.’” Id. (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 562 (1992)). 11 1 that a credible threat may occur at some point in the future; rather, the threat must be impending. 2 See Defenders of Wildlife, 504 U.S. at 564 (holding that a general intent to observe an 3 endangered species in the future did not satisfy the immediacy requirement). It therefore follows 4 that even if a plaintiff faces a real threat, she has no standing until that threat is immediate. See 5 Whitmore v. Arkansas, 495 U.S. 149, 158 (1990) (stating that “[a]llegations of possible future 6 injury do not satisfy the requirements of Article III”). 7 Similarly, a risk is surely not substantial unless the plaintiff can allege that the feared 8 harm will likely be avoided only with judicial intervention. See Monsanto Co., 561 U.S. at 152 9 (finding that plaintiffs would have been subjected to a substantial risk of future harm were it not 10 for the district court’s “elimination of [the] likelihood”). But where a credible threat will come 11 to pass only if an independent third party takes specific action that would culminate in harm to 12 the plaintiff, the alleged injury is less likely to confer standing. See Clapper, 133 S. Ct. at 1150. 13 Enter the facts of this case. Zappos’s servers were breached in January 2012. Plaintiffs 14 allege that the personal information of 24 million Zappos’s customers was stolen. Of those 24 15 million customers, only twelve are before the Court seeking damages against Zappos. Of those 16 twelve, only three determined that the increased threat of identity theft and fraud was sufficiently 17 severe to purchase credit monitoring services. Of those three, not one alleges to have detected 18 any irregularity whatsoever in regards to unauthorized purchases or other manifestations that 19 their personal information has been misused. Yet Plaintiffs still claim that the threat they face is 20 immediate, though there is no indication when or if that threat will materialize. 21 Given the stipulated stays and other delays in this case, the Court must decide whether 22 the alleged threat of future harm is properly considered certainly impending three-and-a-half 23 years after the breach occurred. Even if Plaintiffs’ risk of identity theft and fraud was substantial 24 12 1 and immediate in 2012, the passage of time without a single report from Plaintiffs that they in 2 fact suffered the harm they fear must mean something. Determining what the lapsed time means, 3 however, requires the Court to engage in speculation—precisely what the Supreme Court has 4 counseled against. Clapper, 133 S. Ct. at 1149–50 (refusing standing based on speculation). It 5 could signify that Plaintiffs are in the clear, meaning that the data obtained by the hacker was not 6 useful in effectuating acts of theft or fraud. Or it could mean that the hacker is simply sitting on 7 the information until the time is “right,” which could be a few more years down the road. Or the 8 lapsed time might mean a number of other scenarios. It is simply unclear. 9 If the Court assumes that the hacker or some other nefarious third-party remains in 10 possession of Plaintiffs’ personal information, then the threat may as yet be credible. In fact, 11 Plaintiffs claim that cybercriminals “often hold onto stolen personal and financial information for 12 several years before using and/or selling the information to other identity thieves,” (Preira SAC ¶ 13 21; Stevens SAC ¶ 42), indicating that the alleged harm is not merely speculative despite the 14 years that have passed without an occurrence of theft or fraud. But a harm that is “not merely 15 speculative” does not constitute an injury-in-fact sufficient to confer standing. See Galaria, 998 16 F. Supp. 2d at 656. 17 Indeed, there must be a point at which a future threat can no longer be considered 18 certainly impending or immediate, despite its still being credible; otherwise, an “objectively 19 reasonable likelihood” of harm would be enough to establish standing. See id. (citing Clapper, 20 133 S. Ct. at 1147). After all, the plaintiffs in Clapper engaged in the exact type of 21 communication that could be monitored under FISA, making their allegations of future harm 22 quite credible even if not certainly impending. Clapper, 133 S. Ct. at 1148–50. The more time 23 that passes without the alleged future harm actually occurring undermines any argument that the 24 13 1 threat of that harm is immediate, impending, or otherwise substantial. See Storm, 2015 WL 2 1119724, at *6 (“Indeed, putting aside the legal standard for imminence, a layperson with a 3 common sense notion of ‘imminent’ would find this lapse of time, without any identity theft, to 4 undermine the notion that identity theft would happen in the near future.”). 5 The Court therefore finds that the increased threat of identity theft and fraud stemming 6 from the Zappos’s security breach does not constitute an injury-in-fact sufficient to confer 7 standing. The years that have passed without Plaintiffs making a single allegation of theft or 8 fraud demonstrate that the risk is not immediate. Krottner, 628 F.3d at 1143. The possibility that 9 the alleged harm could transpire in the as-of-yet undetermined future relegates Plaintiffs’ injuries 10 to the realm of speculation. See Green, 2015 WL 2066531, at *4 (finding the threat of identity 11 theft and fraud not certainly impending because, rather than alleging actual theft or fraud, 12 plaintiff claimed that he had to “be vigilant for many years in checking for fraud” because 13 criminals “may hold the information for later use”). 14 The degree of Plaintiffs’ speculation is heightened further by the fact that the future harm 15 is based entirely on the decisions or capabilities of an independent, and unidentified, actor. 16 Clapper, 133 S. Ct. at 1150 (refusing to endorse standing that rests on speculation about the 17 decisions of independent actors). Should the person or persons in possession of Plaintiffs’ 18 information choose not to misuse the data, then the harm Plaintiffs fear will never occur. 19 Likewise, if the person or persons in possession of Plaintiffs’ information are unable to use the 20 data to wreak the havoc assumedly intended, then Plaintiffs’ alleged damages would also not 21 coalesce. See Peters, 2015 WL 589561, at *5 (acknowledging that the risk of future harm to the 22 victim of a data security breach is, “no doubt, indefinite,” but finding that the plaintiff’s 23 allegations of future harm were based solely on conjecture). Plaintiffs’ damages at this point rely 24 14 1 almost entirely on conjecture. See Krottner, 628 F.3d at 1143 (holding that standing cannot be 2 based on conjecture but must be real and immediate). 3 The Court also notes the factual differences between the instant case and the Adobe and 4 Sony cases. In Adobe, the plaintiffs alleged that the hackers had spent several weeks targeting 5 Adobe’s systems and that the hackers used Adobe’s own system to decrypt customer credit 6 cards. 2014 WL 4379916, at *8. Not only were entire credit card numbers obtained, but some of 7 the stolen data began to surface on the Internet within a year of the breach. Id. The hackers had 8 even utilized the information to discover vulnerabilities in Adobe’s products. Id. It was therefore 9 clear that the threat faced by the Adobe plaintiffs was certainly impending. In Sony, the named 10 plaintiffs were deprived of services as a result of the security breach for which they had paid 11 money, and at least some of the plaintiffs had experienced unauthorized charges to their credit 12 cards and one plaintiff was forced to close two bank accounts. 996 F. Supp. 2d at 956–57. 13 Unlike the plaintiffs in Adobe whose entire credit card numbers were stolen as a result of 14 the security breach, Plaintiffs here allege that only their credit card “tails,” the last four digits of 15 a credit card, were accessed during Zappos’s breach. Also unlike the plaintiffs in Adobe whose 16 information began to surface on the Internet shortly after the breach, Plaintiffs here make no 17 allegations that their data has appeared in any place where others might obtain and misuse it. 18 Unlike the plaintiffs in Sony who experienced an actual loss, albeit temporarily, of the services 19 for which they had paid Sony to provide, the usefulness of the goods Plaintiffs purchased from 20 Zappos was in no way impacted by the security breach in this case. And unlike some of the 21 plaintiffs in Sony who dealt with actual unauthorized charges on credit cards, Plaintiffs here do 22 not allege one instance of financial fraud. 23 24 15 But perhaps the most distinguishing element between this case and Adobe and Sony is the 1 2 amount of time from when the breach occurred to when the respective motions to dismiss were 3 ruled upon. In Adobe, the data security breach occurred in July and August of 2013. 2014 WL 4 4379916, at *2. The cases against Adobe were filed between November 2013 and January 2014. 5 Id. The Court ruled on the motion to dismiss on September 4, 2014, just over a year from when 6 the breach first occurred. So recently after the breach, and given that the plaintiffs’ information 7 had already begun showing up on the Internet, the court reached the reasonable conclusion that 8 the threat of additional harm was imminent. Similarly, the court in Sony ruled on the issue of 9 Article III standing on January 21, 2014, approximately two-and-a-half years after the breach in 10 that case had occurred. 996 F. Supp. 2d at 955. Given the actual financial damages allegedly 11 experienced by the named plaintiffs, the threat of future additional harm remained imminent at 12 that time. In this case, however, there are no allegations of actual financial harm or that 13 Plaintiffs’ personal information has been disseminated over the Internet.3 Instead, three-and-a- 14 half years after Zappos’s security breach Plaintiffs have not sought leave to amend their 15 Complaints to include any facts relating to instances of actual identity theft or financial fraud. 16 Finally, even if Plaintiffs suffer identity theft or fraud at some point in the future, there 17 may be a genuine issue regarding whether the Zappos’s security breach is the reason for the 18 damages then incurred. Peters, 2015 WL 589561, at *5 (“It may even be impossible to determine 19 whether the misused information was obtained from exposure caused by the Data Breach or from 20 some other source.”). While this is obviously a question for another day, the Court notes that 21 Plaintiffs would of course have to show that any damage occurring in the future is fairly 22 23 24 3 Plaintiffs Hasner and Noble do allege that after the breach, their AOL email accounts were accessed by a third party who sent unauthorized advertisements to others from the accounts. (Preira SAC ¶¶ 11, 16). The AOL accounts used the same passwords as Hasner’s and Noble’s Zappos accounts. Besides the advertisements, however, no additional misuse of the accounts or actual damages is alleged. Moreover, Hasner and Noble also took quick remedial measures by changing the passwords on their AOL accounts. (Id.). 16 1 traceable to the Zappos’s breach. Monsanto Co., 561 U.S. at 149. Since today so much of our 2 personal information is stored on servers just like the ones that were hacked in this case, it is not 3 unrealistic to wonder whether Plaintiffs’ hypothetical future harm could be traced to Zappos’s 4 breach. An inference could of course be drawn that the future harm arose from Zappos’s breach, 5 but it would be Plaintiffs’ burden to establish that element of standing. Defenders of Wildlife, 6 504 U.S. at 561. For all these reasons, the Court finds that Plaintiffs have not alleged a threat of 7 future harm sufficiently imminent to confer standing under Clapper and Krottner. 8 9 2. Costs to mitigate Plaintiffs Hasner, Preira, and Habashy next argue that even if the increased threat of 10 future harm does not constitute an injury-in-fact, their purchasing of credit monitoring services 11 does. However, in Clapper the Supreme Court rejected a similar argument raised by the 12 plaintiffs there that they had standing because of expenditures made to protect the confidentiality 13 of their communications. 133 S. Ct. at 1151. The Court explained that plaintiffs “cannot 14 manufacture standing merely by inflicting harm on themselves based on their fears of 15 hypothetical future harm that is not certainly impending.” Id. “If the law were otherwise, an 16 enterprising plaintiff would be able to secure a lower standard for Article III standing simply by 17 making an expenditure based on a nonparanoid fear.” Id. 18 Courts have generally interpreted this holding to mean that “in order for costs incurred in 19 an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being 20 mitigated must itself be imminent.” In re Adobe, 2014 WL 4379916, at *9; see also Storm, 2015 21 WL 1119724, at *7 (finding no compensable injury when plaintiff incurred credit monitoring 22 costs); In re SAIC, 45 F. Supp. 3d at 26 (“The cost of credit monitoring and other preventative 23 measures, therefore, cannot create standing.”). The Court’s finding here that the threat of future 24 17 1 theft or fraud is not sufficiently imminent to confer standing compels the conclusion that 2 incurring costs to mitigate that threat cannot serve as the basis for this action. See Clapper, 133 3 S. Ct. at 1151 (“Thus, allowing respondents to bring this action based on costs they incurred in 4 response to a speculative threat would be tantamount to accepting a repackaged version of 5 respondents’ first failed theory of standing.”). The Court realizes that this is a frustrating result where Plaintiffs’ fears of identity theft 6 7 and fraud are rational, and it recognizes that purchasing monitoring services is a responsible 8 response to a data breach. Nevertheless, costs incurred to prevent future harm is not enough to 9 confer standing, Clapper, 133 S. Ct. at 1150–51, “even when such efforts are sensible,” In re 10 SAIC, 45 F. Supp. 3d at 26. “There is, after all, nothing unreasonable about monitoring your 11 credit after a data breach,” but even when fears of future harm are not unfounded, plaintiffs 12 simply “cannot create standing by ‘inflicting harm on themselves’ to ward off an otherwise 13 speculative injury.” Id. (quoting Clapper, 133 S. Ct. at 1151).4 14 As one court reasoned: 15 Hackers are constantly seeking to gain access to the data banks of companies around the world. Sometimes, they are successful. Other times not. Despite many companies’ best efforts and tremendous expense to secure and protect their data systems, an industrious hacker every so often may find a way to access their data. Millions of people, out of reasonable fear and prudence, may decide to incur credit monitoring costs and take other preventative steps, which the hacked companies often freely provide. However, for a court to require companies to pay damages to thousands [and in this case millions] of customers, when there is yet to be a single case of identity theft proven, strikes us as overzealous and unduly burdensome to business. There is simply no compensable injury yet, and courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to both be able to successfully read and manipulate the data and engage in identity theft. 16 17 18 19 20 21 22 23 24 4 The Court finds this to be true notwithstanding Zappos’s questionable customer service in response to the data breach. Plaintiffs allege that once Zappos notified customers of the breach it “shut down its customer service phone lines for a week.” (Preira SAC ¶ 4). Also perplexing, and undoubtedly offensive to its customers, is Zappos’s apparent decision to not offer free credit monitoring services to its customers, which is a common gesture in these types of cases. Nevertheless, these deficiencies in Zappos’s customer care do not establish standing where Plaintiffs fail to allege actual damages or an immediate threat of future harm. 18 1 Storm, 2015 WL 1119724, at *7. However, once a third party misuses a person’s personal 2 information, there is clearly an injury that can be compensated with money damages. Id. “In that 3 situation, a plaintiff would be free to return to court and would have standing to recover her 4 losses.” Id. 5 To the extent that Plaintiffs allege that there are potential class members who have 6 suffered identity theft or other fraud as a result of the Zappos’s security breach, (see Preira SAC 7 ¶¶ 5, 35), the Court agrees that those individuals would have standing. Yet Plaintiffs would not 8 be the proper representatives of such a class, as they do not allege that they have suffered these 9 same damages. Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147, 156 (1982) (“We have repeatedly 10 held that a class representative must be part of the class and possess the same interest and suffer 11 the same injury as the class members.”). Moreover, even if this case were not dismissed for lack 12 of standing, the Court would not certify a class as broadly defined as Plaintiffs propose 13 specifically because a majority of the putative class cannot claim any measurable damages. 14 Therefore, based on the forgoing reasons, the Court is granting Zappos’s Motion to 15 Dismiss.5 But the Court is also granting Plaintiffs leave to amend their Complaints for a third 16 time in the event an occurrence of actual misuse of the stolen data has transpired between the 17 18 5 19 20 21 22 23 24 Plaintiffs claim they have standing on the alternative theories that the breach caused them a loss of privacy and that it resulted in a diminished value of the services provided by Zappos. (Resp. 5, ECF No. 231). Neither of these arguments is persuasive. Even if Plaintiffs adequately allege a loss of privacy, they have failed to show how that loss amounts to a concrete and particularized injury. See O’Shea v. Littleton, 414 U.S. 488, 493 (1974) (“Abstract injury is not enough. It must be alleged that the plaintiff ‘has sustained or is immediately in danger of sustaining some direct injury’ as a result of [the defendant’s] conduct.”). Plaintiffs do not claim that they have suffered any damages due to a loss of privacy, and so the Court finds that this theory is insufficient to establish standing. Furthermore, Plaintiffs’ claims that they are harmed by an alleged decrease in the value of Zappos’s services are unavailing. Plaintiffs do not explain how the data breach impacted the value of the goods they purchased from Zappos. Nor do Plaintiffs allege facts showing how the price they paid for such goods incorporated some particular sum that was understood by both parties to be allocated towards the protection of customer data. The Court finds that this theory of standing also fails. To the extent Plaintiffs claim to have standing arising from any other perceived harm, (see Resp. 5), the Court finds that each proposed theory fails because not one of them demonstrates that Plaintiffs have actually been damaged in a concrete and particularized way. See O’Shea, 414 U.S. at 493. 19 1 dates the Preira and Stevens SACs were filed and now. And although the Court finds no 2 standing based on the facts as currently pleaded, the case will be dismissed without prejudice. 3 CONCLUSION 4 IT IS HEREBY ORDERED that Defendant’s Motion to Dismiss (ECF No. 217) is 5 GRANTED without prejudice. Plaintiffs are granted leave to amend their Complaints to allege 6 instances of actual identity theft or fraud. 7 8 9 10 11 IT IS FURTHER ORDERED that Defendant’s Motion to Strike (ECF No. 219) is DENIED as moot. IT IS FURTHER ORDERED that Defendant’s Motion for Leave (ECF No. 218) is GRANTED. IT IS SO ORDERED. 12 13 Dated: June 1, 2015 Dated: _______________________ 14 15 _____________________________________ ROBERT C. JONES United States District Judge 16 17 18 19 20 21 22 23 24 20