Continuing the growing trend of dismissing data breach cases when there is no evidence of actual harm, the United States District Court for the District of Nevada last week dismissed a class action case filed against Zappos related to a 2012 hacking incident. Following the hacking incident, Zappos provided notice of the data breach to over 24 million customers that their names, emails addresses, addresses, telephone numbers, last four digits of their credit card numbers and account numbers and passwords were compromised.
The judge dismissed the proposed class action lawsuit as the plaintiffs failed to allege an adequate injury in order to claim appropriate standing to sue Zappo’s under Article III. There were no allegations of actual identity theft or fraud against any of the customers in the Complaint, and therefore, the judge found that the plaintiffs did not have standing to sue, ruling consistently with the majority of Courts that have addressed the issue to date. The fact that none of the plaintiffs suffered any harm since the breach occurred in 2012 was further support of the dismissal. Although there are still a few outlying cases that hold to the contrary, this area of the law is becoming more settled in the wake of numerous data breaches.