Ninth Circuit Reverses District Court Decision in Zappos Consumer Data Breach Case
Time 2 Minute Read
Categories: Enforcement, Security Breach

On March 8, 2018, the Ninth Circuit Court of Appeals (“Ninth Circuit”) reversed a decision from the United States District Court for the District of Nevada. The trial court found that one subclass of plaintiffs in In re Zappos.Com, Inc. Customer Data Security Breach Litigation, had not sufficiently alleged injury in fact to establish Article III standing. The opinion focused on consumers who did not allege that any fraudulent charges had been made using their identities, despite hackers accessing their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information in a 2012 data breach. 

As a threshold matter, this was the first occasion the Ninth Circuit had to find that its 2010 data breach standing precedent in Krottner v. Starbucks could be reconciled with the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. In Krottner, the Ninth Circuit found that the theft of a laptop containing consumers’ personally identifying information raised a “credible threat of real and immediate harm.” In Clapper, the U.S. Supreme Court held that the “objectively reasonable likelihood” that plaintiffs’ communications would be swept up in FISA surveillance did not rise to level of a “certainly impending injury” necessary to establish Article III standing.

The Ninth Circuit noted the series of inferences alleged by the Clapper plaintiffs, where none of their communications had yet been intercepted, much less under the specific statute that plaintiffs were challenging. In Krottner, however, the thief had acquired all of the information necessary to steal the plaintiffs’ identities once he or she accessed the stolen laptop. Similarly, in In re Zappos, the Ninth Circuit reasoned that plaintiffs had alleged that hackers had accessed enough data to enable the hackers to steal their identities.

The Ninth Circuit left open the possibility that plaintiffs might not be able to present sufficient evidence to support standing at summary judgment. But it joined a growing list of federal circuit courts finding that Article III standing in consumer data breach litigation can be “based on the hacking incident itself, not any subsequent illegal activity.”

Tags: Class Action, Litigation, Nevada, Ninth Circuit, Personal Data
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 2 Minute Read
Illinois’ Damages Limitation for Biometric Privacy Violations Applies Retroactively  

On April 1, 2026, the U.S. Court of Appeals for the Seventh Circuit held that the 2024 amendment to Illinois’ Biometric Information Privacy Act, limiting damages, applies retroactively to pending cases.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Connecticut AG Clarifies AI Compliance Obligations Under CTDPA

The Connecticut Attorney General recently issued a legal memorandum regarding the application of existing Connecticut laws, such as the Connecticut Data Privacy Act, to the use of artificial intelligence.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Trends in Employment Litigation Filings: Retailers Take Notice
By and

The results are in: attorneys are filing more employment law cases in court.  Indeed, year-end reporting from legal databases like LexMachina confirm that the pace of filing new employment discrimination cases reached its highest level in 2025, surpassing 20,000 new filings nationwide.  Though overtime and minimum wage lawsuits under the Fair Labor Standards Act (FLSA) have continued to decline since 2015, discrimination cases under laws like Title VII of the Civil Rights Act of 1964 and the Americans with Disabilities Act are on the rise.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 1 Minute Read
What to Watch for in 2026: Court Rejects Privilege Claim Over AI-Generated Documents
By

A recent federal court decision determined that documents created by a criminal defendant using AI and subsequently shared with legal counsel were not shielded by attorney-client privilege or the work product doctrine. In USA v. Heppner, Judge Jed S. Rakoff of the U.S. District Court for the Southern District of New York compelled the disclosure of 31 documents created with Anthropic’s Claude. This order was issued despite the defendant including information from counsel in the AI tool’s input and later providing the resulting outputs to his attorneys. The ruling offers early judicial perspective on privilege concerns involving AI-generated materials, an area where case law remains sparse.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page