FOR PUBLICATION
UNITED STATES COURT OF APPEALS
FOR THE NINTH CIRCUIT
IN RE ZAPPOS.COM, INC., CUSTOMER No. 16-16860
DATA SECURITY BREACH
LITIGATION, D.C. No.
3:12-cv-00325-
RCJ-VPC
THERESA STEVENS; KRISTIN
O’BRIEN; TERRI WADSWORTH;
DAHLIA HABASHY; PATTI HASNER; ORDER AND
SHARI SIMON; STEPHANIE PRIERA; AMENDED
KATHRYN VORHOFF; DENISE OPINION
RELETHFORD; ROBERT REE,
Plaintiffs-Appellants,
v.
ZAPPOS.COM., INC.,
Defendant-Appellee.
Appeal from the United States District Court
for the District of Nevada
Robert Clive Jones, Senior District Judge, Presiding
Argued and Submitted December 5, 2017
San Francisco, California
Filed March 8, 2018
Amended April 20, 2018
2 IN RE ZAPPOS.COM
Before: John B. Owens and Michelle T. Friedland, Circuit
Judges, and Elaine E. Bucklo, * District Judge.
Order;
Opinion by Judge Friedland
SUMMARY **
Article III Standing
The panel amended the opinion filed on March 8, 2018;
and reversed the district court’s dismissal, for lack of Article
III standing, of plaintiffs’ claims alleging that they were
harmed by hacking of their accounts at the online retailer
Zappos.com.
The panel held that under Krottner v. Starbucks Corp.,
628 F.3d 1139 (9th Cir. 2010), plaintiffs sufficiently alleged
standing based on the risk of identity theft. The panel
rejected Zappos’s argument that Krottner was no longer
good law after Clapper v. Amnesty International USA, 568
U.S. 398 (2013). The panel held that plaintiffs sufficiently
alleged an injury in fact under Krottner, based on a
substantial risk that the Zappos hackers will commit identity
fraud or identity theft. The panel further held that plaintiffs
sufficiently alleged that the risk of future harm they faced
was “fairly traceable” to the conduct being challenged; and
*
The Honorable Elaine E. Bucklo, United States District Judge for
the Northern District of Illinois, sitting by designation.
**
This summary constitutes no part of the opinion of the court. It
has been prepared by court staff for the convenience of the reader.
IN RE ZAPPOS.COM 3
the risk from the injury of identity theft was also redressable
by relief that could be obtained through this litigation.
The panel addressed an issue raised by sealed briefing in
a concurrently filed memorandum disposition.
COUNSEL
Douglas Gregory Blankinship (argued), Finkelstein
Blankinship Frei-Pearson and Garber LLP, White Plains,
New York; David C. O’Mara, The O’Mara Law Firm P.C.,
Reno, Nevada; Ben Barnow, Barnow and Associates P.C.,
Chicago, Illinois; Richard L. Coffman, The Coffman Law
Firm, Beaumont, Texas; Marc L. Godino, Glancy Binkow &
Goldberg LLP, Los Angeles, California; for Plaintiffs-
Appellants.
Stephen J. Newman (argued), David W. Moon, Brian C.
Frontino, and Julia B. Strickland, Stroock & Stroock &
Lavan LLP, Los Angeles, California; Robert McCoy,
Kaempfer Crowell, Las Vegas, Nevada; for Defendant-
Appellee.
4 IN RE ZAPPOS.COM
ORDER
The opinion filed on March 8, 2018, and appearing at
884 F.3d 893, is amended as follows. On page 899:
Replace with
.
Following in the
above replacement text, insert a footnote .
Following in the above
replacement text, insert a footnote .
In the current footnote 11, delete <; Mollan, 22 U.S. at
539.>.
With these amendments, the panel has unanimously
voted to deny appellee’s petition for rehearing. Judge
Owens and Judge Friedland have voted to deny the petition
for rehearing en banc. Judge Bucklo recommends denial of
the petition for rehearing en banc. The full court has been
advised of the petition for rehearing en banc, and no judge
has requested a vote on whether to rehear the matter en banc.
Fed. R. App. P. 35.
The petitions for rehearing and rehearing en banc are
DENIED. No further petitions shall be entertained.
6 IN RE ZAPPOS.COM
OPINION
FRIEDLAND, Circuit Judge:
In January 2012, hackers breached the servers of online
retailer Zappos.com, Inc. (“Zappos”) and allegedly stole the
names, account numbers, passwords, email addresses,
billing and shipping addresses, telephone numbers, and
credit and debit card information of more than 24 million
Zappos customers. Several of those customers filed putative
class actions in federal courts across the country, asserting
that Zappos had not adequately protected their personal
information. Their lawsuits were consolidated for pretrial
proceedings.
Although some of the plaintiffs alleged that the hackers
used stolen information about them to conduct subsequent
financial transactions, the plaintiffs who are the focus of this
appeal (“Plaintiffs”) did not. This appeal concerns claims
based on the hacking incident itself, not any subsequent
illegal activity.
The district court dismissed Plaintiffs’ claims for lack of
Article III standing. In this appeal, Plaintiffs contend that
the district court erred in doing so, and they press several
potential bases for standing, including that the Zappos data
breach put them at risk of identity theft.
We addressed standing in an analogous context in
Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).
There, we held that employees of Starbucks had standing to
sue the company based on the risk of identity theft they faced
after a company laptop containing their personal information
was stolen. Id. at 1140, 1143. We reject Zappos’s argument
that Krottner is no longer good law after Clapper v. Amnesty
International USA, 568 U.S. 398 (2013), and hold that, under
IN RE ZAPPOS.COM 7
Krottner, Plaintiffs have sufficiently alleged standing based
on the risk of identity theft. 1
I.
When they bought merchandise on Zappos’s website,
customers provided personal identifying information
(“PII”), including their names, account numbers, passwords,
email addresses, billing and shipping addresses, telephone
numbers, and credit and debit card information. Sometime
before January 16, 2012, hackers targeted Zappos’s servers,
stealing the PII of more than 24 million of its customers,
including their full credit card numbers. 2 On January 16,
Zappos sent an email to its customers, notifying them of the
theft of their PII. The company recommended “that they
reset their Zappos.com account passwords and change the
passwords ‘on any other web site where [they] use the same
or a similar password.’” Some customers responded almost
immediately by filing putative class actions in federal district
courts across the country.
1
We address an issue raised by sealed briefing in a concurrently
filed memorandum disposition.
2
Although Zappos asserts in its briefs that the hackers stole only the
last four digits of customers’ credit card numbers, it has presented its
arguments as a facial, not a factual, attack on standing. See Safe Air for
Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004) (distinguishing
facial from factual attacks on standing). Where, as here, “a defendant in
its motion to dismiss under Federal Rule of Civil Procedure 12(b)(1)
asserts that the allegations in the complaint are insufficient to establish
subject matter jurisdiction as a matter of law (to be distinguished from a
claim that the allegations on which jurisdiction depends are not true as a
matter of fact), we take the allegations in the plaintiff’s complaint as
true.” Whisnant v. United States, 400 F.3d 1177, 1179 (9th Cir. 2005).
8 IN RE ZAPPOS.COM
In these suits, Plaintiffs alleged an “imminent” risk of
identity theft or fraud from the Zappos breach. Relying on
definitions from the United States Government
Accountability Office (“GAO”), they characterized “identity
theft” and “identity fraud” as “encompassing various types
of criminal activities, such as when PII is used to commit
fraud or other crimes,” including “credit card fraud, phone
or utilities fraud, bank fraud and government fraud.” 3
The Judicial Panel on Multidistrict Litigation transferred
several putative class action lawsuits alleging harms from
the Zappos data breach to the District of Nevada for pretrial
proceedings. After several years of pleadings-stage
litigation, including a hiatus for mediation, the district court
granted in part and denied in part Zappos’s motion to dismiss
the Third Amended Consolidated Complaint (“Complaint”)
and granted Zappos’s motion to strike the Complaint’s class
allegations. The court distinguished between two groups of
plaintiffs: (1) plaintiffs named only in the Third Amended
Complaint who alleged that they had already suffered
financial losses from identity theft caused by Zappos’s
breach, and (2) plaintiffs named in earlier complaints who
did not allege having already suffered financial losses from
identity theft.
3
Plaintiffs did not provide a precise cite but appear to be referring
to the description of identity theft in a report entitled Personal
Information, which explains that “[t]he term ‘identity theft’ is broad and
encompasses many types of criminal activities, including fraud on
existing accounts—such as unauthorized use of a stolen credit card
number—or fraudulent creation of new accounts—such as using stolen
data to open a credit card account in someone else’s name.” U.S. Gov’t
Accountability Office, GAO-07-737, Personal Information: Data
Breaches are Frequent, but Evidence of Resulting Identity Theft is
Limited; However, the Full Extent is Unknown 2 (2007).
IN RE ZAPPOS.COM 9
The district court ruled that the first group of plaintiffs
had Article III standing because they alleged “that actual
fraud occurred as a direct result of the breach.” But the court
ruled that the second group of plaintiffs (again, here referred
to as “Plaintiffs”) lacked Article III standing and dismissed
their claims without leave to amend because Plaintiffs had
“failed to allege instances of actual identity theft or fraud.”
The parties then agreed to dismiss all remaining claims with
prejudice, and Plaintiffs appealed.
II.
We review the district court’s standing determination de
novo. See Maya v. Centex Corp., 658 F.3d 1060, 1067 (9th
Cir. 2011). To have Article III standing,
a plaintiff must show (1) it has suffered an
“injury in fact” that is (a) concrete and
particularized and (b) actual or imminent, not
conjectural or hypothetical; (2) the injury is
fairly traceable to the challenged action of the
defendant; and (3) it is likely, as opposed to
merely speculative, that the injury will be
redressed by a favorable decision.
Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC),
Inc., 528 U.S. 167, 180–81 (2000); see also Spokeo, Inc. v.
Robins, 136 S. Ct. 1540, 1547 (2016). A plaintiff threatened
with future injury has standing to sue “if the threatened
injury is ‘certainly impending,’ or there is a ‘substantial risk
that the harm will occur.’” Susan B. Anthony List v.
Driehaus, 134 S. Ct. 2334, 2341 (2014) (quoting Clapper v.
Amnesty Int’l USA, 568 U.S. 398, 414 & n.5 (2013))
(internal quotation marks omitted).
10 IN RE ZAPPOS.COM
III.
We addressed the Article III standing of victims of data
theft in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir.
2010). In Krottner, a thief stole a laptop containing “the
unencrypted names, addresses, and social security numbers
of approximately 97,000 Starbucks employees.” Id. at 1140.
“Starbucks sent a letter to . . . affected employees alerting
them to the theft and stating that Starbucks had no indication
that the private information ha[d] been misused,” but
advising them to “monitor [their] financial accounts
carefully for suspicious activity and take appropriate steps to
protect [themselves] against potential identity theft.” Id. at
1140–41 (internal quotation marks omitted). Some
employees sued, and the only harm that most alleged was an
“increased risk of future identity theft.” Id. at 1142. We
determined this was sufficient for Article III standing,
holding that the plaintiffs had “alleged a credible threat of
real and immediate harm” because the laptop with their PII
had been stolen. Id. at 1143.
A.
Before analyzing whether Krottner controls this case, we
must determine whether Krottner remains good law after the
Supreme Court’s more recent decision in Clapper v.
Amnesty International USA, 568 U.S. 398 (2013), which
addressed a question of standing based on the risk of future
harm.
As a three-judge panel, we are bound by opinions of our
court on issues of federal law unless those opinions are
“clearly irreconcilable” with a later decision by the Supreme
Court. Miller v. Gammie, 335 F.3d 889, 900 (9th Cir. 2003)
(en banc). This is the first case to require us to consider
IN RE ZAPPOS.COM 11
whether Clapper and Krottner are clearly irreconcilable, and
we conclude that they are not.
The plaintiffs in Clapper challenged surveillance
procedures authorized by the Foreign Intelligence
Surveillance Act of 1978—specifically, in 50 U.S.C.
§ 1881a (2012) (amended 2018). 4 Clapper, 568 U.S. at 401.
The plaintiffs, who were “attorneys and human rights, labor,
legal, and media organizations whose work allegedly
require[d] them to engage in sensitive and sometimes
privileged telephone and e-mail communications with . . .
individuals located abroad,” sued for declaratory relief to
invalidate § 1881a and an injunction against surveillance
conducted pursuant to that section. Id. at 401, 406. The
plaintiffs argued that they had Article III standing to
challenge § 1881a “because there [was] an objectively
reasonable likelihood that their communications [would] be
acquired under § 1881a at some point in the future.” Id. at
401. The Supreme Court rejected this basis for standing,
explaining that “an objectively reasonable likelihood” of
injury was insufficient, and that the alleged harm needed to
“satisfy the well-established requirement that threatened
injury must be ‘certainly impending.’” Id. (quoting
Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)).
4
50 U.S.C. § 1881a authorizes electronic surveillance of foreign
nationals located abroad under a reduced government burden compared
with traditional electronic foreign intelligence surveillance. Compare
50 U.S.C. § 1805 (2012) (amended 2018) (requiring “probable cause to
believe . . . the target of the electronic surveillance is a foreign power or
an agent of a foreign power”), with 50 U.S.C. § 1881a (requiring that
surveillance not intentionally target people in the United States or United
States nationals but not requiring any showing that the surveillance target
is a foreign power or agent of a foreign power).
12 IN RE ZAPPOS.COM
The Court then held that the plaintiffs’ theory of injury
was too speculative to constitute a “certainly impending”
injury. Id. at 410. The plaintiffs had not alleged that any of
their communications had yet been intercepted. Id. at 411.
The Court characterized their alleged injury as instead
resting on a series of inferences, including that:
(1) the Government will decide to target the
communications of non-U.S. persons with
whom they communicate; (2) in doing so, the
Government will choose to invoke its
authority under § 1881a rather than utilizing
another method of surveillance; (3) the
Article III judges who serve on the Foreign
Intelligence Surveillance Court will conclude
that the Government’s proposed surveillance
procedures satisfy § 1881a’s many
safeguards and are consistent with the Fourth
Amendment; (4) the Government will
succeed in intercepting the communications
of respondents’ contacts; and (5) respondents
will be parties to the particular
communications that the Government
intercepts.
Id. at 410. The Court declined to speculate about what it
described as independent choices by the government about
whom to target for surveillance and what basis to invoke for
such targeting, or about whether the Foreign Intelligence
Surveillance Court would approve any such surveillance. Id.
at 412–13. The plaintiffs’ multi-link chain of inferences was
thus “too speculative” to constitute a cognizable injury in
fact. Id. at 401.
IN RE ZAPPOS.COM 13
Unlike in Clapper, the plaintiffs’ alleged injury in
Krottner did not require a speculative multi-link chain of
inferences. See Krottner, 628 F.3d at 1143. The Krottner
laptop thief had all the information he needed to open
accounts or spend money in the plaintiffs’ names—actions
that Krottner collectively treats as “identity theft.” Id. at
1142. Moreover, Clapper’s standing analysis was
“especially rigorous” because the case arose in a sensitive
national security context involving intelligence gathering
and foreign affairs, and because the plaintiffs were asking
the courts to declare actions of the executive and legislative
branches unconstitutional. Clapper, 568 U.S. at 408
(quoting Raines v. Byrd, 521 U.S. 811, 819 (1997)).
Krottner presented no such national security or separation of
powers concerns.
And although the Supreme Court focused in Clapper on
whether the injury was “certainly impending,” it
acknowledged that other cases had focused on whether there
was a “substantial risk” of injury. 5 Id. at 414 & n.5. Since
Clapper, the Court reemphasized in Susan B. Anthony List v.
Driehaus, 134 S. Ct. 2334 (2014), that “[a]n allegation of
future injury may suffice if the threatened injury is ‘certainly
impending,’ or there is a ‘substantial risk that the harm will
occur.’” Id. at 2341 (quoting Clapper, 568 U.S. at 414 &
n.5) (internal quotation marks omitted).
5
The Court noted that the plaintiffs in Clapper had not alleged a
substantial risk because their theory of injury relied on too many
inferences. Clapper, 568 U.S. at 414 n.5.
14 IN RE ZAPPOS.COM
For all these reasons, we hold that Krottner is not clearly
irreconcilable with Clapper and thus remains binding. 6 See
Miller, 335 F.3d at 900.
B.
We also conclude that Krottner controls the result here.
In Krottner, we held that the plaintiffs had “alleged a
credible threat of real and immediate harm stemming from
the theft of a laptop containing their unencrypted personal
data.” 628 F.3d at 1143. The threat would have been “far
less credible,” we explained, “if no laptop had been stolen,
and [they] had sued based on the risk that it would be stolen
6
Our conclusion that Krottner is not clearly irreconcilable with
Clapper is consistent with post-Clapper decisions in our sister circuits
holding that data breaches in which hackers targeted PII created a risk of
harm sufficient to support standing. For example, the D.C. Circuit held
in Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), cert. denied,
No. 17-641, 2018 WL 942459 (U.S. Feb. 20, 2018), that “[n]o long
sequence of uncertain contingencies involving multiple independent
actors has to occur before the plaintiffs [who were victims of a data
breach] will suffer any harm; a substantial risk of harm exists already,
simply by virtue of the hack and the nature of the data that the plaintiffs
allege was taken.” Id. at 629; see also Remijas v. Neiman Marcus Grp.,
LLC, 794 F.3d 688, 693 (7th Cir. 2015) (“Why else would hackers break
into a store’s database and steal consumers’ private information?
Presumably, the purpose of the hack is, sooner or later, to make
fraudulent charges or assume those consumers’ identities.”). The Eighth
Circuit did hold in In re SuperValu, Inc., Customer Data Security Breach
Litigation, 870 F.3d 763 (8th Cir. 2017), that allegations of the theft of
credit card information were insufficient to support standing. Id. at 771–
72. But no other PII, such as addresses, telephone numbers, or
passwords, was stolen in that case. See id. at 766, 770. The Eighth
Circuit acknowledged cases like Attias and Remijas but opined that
standing questions in data breach cases “ultimately turn[] on the
substance of the allegations before each court”—particularly, the types
of data allegedly stolen. Id. at 769.
IN RE ZAPPOS.COM 15
at some point in the future.” Id. But the sensitivity of the
personal information, combined with its theft, led us to
conclude that the plaintiffs had adequately alleged an injury
in fact supporting standing. Id. The sensitivity of the stolen
data in this case is sufficiently similar to that in Krottner to
require the same conclusion here.
Plaintiffs allege that the type of information accessed in
the Zappos breach can be used to commit identity theft,
including by placing them at higher risk of “phishing” and
“pharming,” which are ways for hackers to exploit
information they already have to get even more PII.
Plaintiffs also allege that their credit card numbers were
within the information taken in the breach—which was not
true in Krottner. 7 And Congress has treated credit card
numbers as sufficiently sensitive to warrant legislation
prohibiting merchants from printing such numbers on
receipts—specifically to reduce the risk of identity theft. See
15 U.S.C. § 1681c(g) (2012). Although there is no
allegation in this case that the stolen information included
social security numbers, as there was in Krottner, the
information taken in the data breach still gave hackers the
means to commit fraud or identity theft, as Zappos itself
effectively acknowledged by urging affected customers to
change their passwords on any other account where they
may have used “the same or a similar password.” 8
7
Plaintiffs include in the Complaint some emails sent to Zappos
from other customers saying that their credit cards were fraudulently
used following the breach.
8
We use the terms “identity fraud” and “identity theft” in
accordance with the GAO definition Plaintiffs rely on in the Complaint.
See supra note 3 and accompanying text.
16 IN RE ZAPPOS.COM
Indeed, the plaintiffs who alleged that the hackers had
already commandeered their accounts or identities using
information taken from Zappos specifically alleged that they
suffered financial losses because of the Zappos data breach
(which is why the district court held that they had standing).
Although those plaintiffs’ claims are not at issue in this
appeal, their alleged harm undermines Zappos’s assertion
that the data stolen in the breach cannot be used for fraud or
identity theft. In addition, two plaintiffs whose claims are at
issue in this appeal say that the hackers took over their AOL
accounts and sent advertisements to people in their address
books. 9 Though not a financial harm, these alleged attacks
further support Plaintiffs’ contention that the hackers
accessed information that could be used to help commit
identity fraud or identity theft. We thus conclude that
Plaintiffs have sufficiently alleged an injury in fact under
Krottner.
Zappos contends that even if the stolen data was as
sensitive as that in Krottner, too much time has passed since
the breach for any harm to be imminent. Zappos initially
contended on appeal that the relevant time at which to assess
standing was the present. But it could not offer any support
for that contention. After our opinion was initially filed,
Zappos sought rehearing on this issue, urging us to read
Rockwell International Corp. v. United States, 549 U.S. 457,
473 (2007), and Northstar Financial Advisors Inc. v. Schwab
Investments, 779 F.3d 1036, 1044 (9th Cir. 2015), to require
that we assess standing at the time Plaintiffs filed their
operative Third Amended Complaint, rather than their
9
The district court held that these plaintiffs nonetheless lacked
standing because they had not suffered “additional misuse” or “actual
damages” from the data breach.
IN RE ZAPPOS.COM 17
original Complaints. 10 But whether we look at the original
Complaints or Plaintiffs’ Third Amended Complaint, the
allegations about the increased risk of harm Plaintiffs face
are relevantly the same—in the Complaints, Plaintiffs allege
that the Zappos data breach places them at imminent risk of
identity theft. 11 Zappos argues that this allegation is
implausible, but it does so by relying on facts outside the
Complaints (or contentions about the absence of certain
facts), which makes its argument one that may be
appropriate for summary judgment but not one that may
support a facial challenge to standing at the motion to
dismiss stage 12
10
Zappos’s reliance on these cases is also unconvincing, as these
cases do not actually address whether standing is measured at the time
of an initial complaint or at the time of an amended complaint, as
opposed to whether the allegations in an amended complaint may
sometimes be considered in evaluating whether there was standing at the
time the case was originally filed or whether an amended complaint may
be considered a supplemental pleading under Federal Rule of Civil
Procedure 15(d).
11
Plaintiff Robert Ree does not clearly allege a risk of future identity
theft. But even assuming Ree would not have had standing on his own
based on his original Complaint, only one Plaintiff needs to have
standing for a class action to proceed. See Bates v. United Parcel Serv.,
Inc., 511 F.3d 974, 985 (9th Cir. 2007) (en banc).
12
Of course, as litigation proceeds beyond the pleadings stage, the
Complaint’s allegations will not sustain Plaintiffs’ standing on their own.
See Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992) (“[E]ach element
[of Article III standing] must be supported in the same way as any other
matter on which the plaintiff bears the burden of proof, i.e., with the
manner and degree of evidence required at the successive stages of the
litigation.”). In opposing a motion for summary judgment, for example,
Plaintiffs would need to come forward with evidence to support standing.
See id. But the passage of time does not change the relevant moment as
18 IN RE ZAPPOS.COM
Plaintiffs also specifically allege that “[a] person whose
PII has been obtained and compromised may not see the full
extent of identity theft or identity fraud for years.” And “it
may take some time for the victim to become aware of the
theft.”
Assessing the sum of their allegations in light of
Krottner, Plaintiffs have sufficiently alleged an injury in fact
based on a substantial risk that the Zappos hackers will
commit identity fraud or identity theft. 13
to which Plaintiffs must establish that they had standing or heighten
Plaintiffs’ burden in opposing the motion to dismiss. See id. A case may
also, of course, become moot as time progresses. But there is no reason
to doubt that Plaintiffs still have a live controversy against Zappos here.
Cf. Z Channel Ltd. P’ship v. Home Box Office, Inc., 931 F.2d 1338, 1341
(9th Cir. 1991) (“If [a plaintiff] is entitled to collect damages in the event
that it succeeds on the merits, the case does not become moot even
though declaratory and injunctive relief are no longer of any use.”).
13
This conclusion is consistent with the Fourth Circuit’s decision in
Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied sub nom.
Beck v. Shulkin, 137 S. Ct. 2307 (2017). The plaintiffs in Beck, patients
with personal data on a laptop stolen from a hospital, did not allege that
the “thief intentionally targeted the personal information compromised
in the data breaches.” Id. at 274. The Fourth Circuit held that the
absence of such an allegation “render[ed] their contention of an
enhanced risk of future identity theft too speculative.” Id. Here, by
contrast, Plaintiffs allege that hackers specifically targeted their PII on
Zappos’s servers. It is true that in Beck the Fourth Circuit opined that
“‘as the breaches fade further into the past,’ the Plaintiffs’ threatened
injuries become more and more speculative.” Id. at 275 (quoting
Chambliss v. Carefirst, Inc., 189 F. Supp. 3d 564, 570 (D. Md. 2016),
and citing In re Zappos.com, Inc., 108 F. Supp. 3d 949, 958 (D. Nev.
2015)). But the time since the data breach appears to have mattered in
Beck because the court concluded that the plaintiffs lacked standing after
the breach in the first place, so it made sense to consider whether any
IN RE ZAPPOS.COM 19
C.
The remaining Article III standing requirements are also
satisfied. Plaintiffs sufficiently allege that the risk of future
harm they face is “‘fairly traceable’ to the conduct being
challenged”—here, Zappos’s failure to prevent the breach.
Wittman v. Personhuballah, 136 S. Ct. 1732, 1736 (2016)
(quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61
(1992)).
That hackers might have stolen Plaintiffs’ PII in
unrelated breaches, and that Plaintiffs might suffer identity
theft or fraud caused by the data stolen in those other
breaches (rather than the data stolen from Zappos), is less
about standing and more about the merits of causation and
damages. As the Seventh Circuit recognized in Remijas v.
Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015),
that “some other store might [also] have caused the
plaintiffs’ private information to be exposed does nothing to
negate the plaintiffs’ standing to sue” for the breach in
question. 14 Id. at 696; cf. Price Waterhouse v. Hopkins,
subsequent events suggested a greater injury than was initially apparent.
See id. at 274.
14
Clapper is not to the contrary. In Clapper, the Supreme Court
held that, even assuming the plaintiffs were going to be surveilled, any
future surveillance could not be traced to the challenged statute because
the risk of being surveilled did not increase with the addition of the new
statutory tool. 568 U.S. at 413 (“[B]ecause respondents can only
speculate as to whether any (asserted) interception would be under
§ 1881a or some other authority, they cannot satisfy the ‘fairly traceable’
requirement.”). There were many surveillance options, all of which were
in the hands of one actor: the government. Thus, a plaintiff’s risk of
surveillance hinged on whether the government chose to surveil him in
the first place. In contrast, with each new hack comes a new hacker, each
of whom independently could choose to use the data to commit identity
20 IN RE ZAPPOS.COM
490 U.S. 228, 263 (1989) (O’Connor, J., concurring in the
judgment) (“[I]n multiple causation cases, . . . the common
law of torts has long shifted the burden of proof to multiple
defendants to prove that their negligent actions were not the
‘but-for’ cause of the plaintiff’s injury.” (citing Summers v.
Tice, 199 P.2d 1, 3–4 (Cal. 1948))), superseded on other
grounds by 42 U.S.C. § 2000e-2(m) (2012).
The injury from the risk of identity theft is also
redressable by relief that could be obtained through this
litigation. See Lujan, 504 U.S. at 561. If Plaintiffs succeed
on the merits, any proven injury could be compensated
through damages. See Remijas, 794 F.3d at 696–97. And at
least some of their requested injunctive relief would limit the
extent of the threatened injury by helping Plaintiffs to
monitor their credit and the like. 15 See Monsanto Co. v.
Geertson Seed Farms, 561 U.S. 139, 154–55 (2010).
IV.
For the foregoing reasons, we REVERSE the district
court’s judgment as to Plaintiffs’ standing and REMAND.
theft. This means that each hacking incident adds to the overall risk of
identity theft. And again, as explained above, the key injury recognized
in Krottner is the risk of being subject to identity theft, not actual identity
theft.
15
Plaintiffs need only one viable basis for standing. See Douglas
Cty. v. Babbitt, 48 F.3d 1495, 1500 (9th Cir. 1995). Because Plaintiffs
sufficiently allege standing from the risk of future identity theft, we do
not reach their other asserted bases for standing.