On August 20, 2018, Zappos.com, Inc. petitioned the US Supreme Court for a writ of certiorari to decide whether individuals whose personal information is held in a database breached by hackers have Article III standing simply by virtue of the breach, without demonstrating concrete injury. Petitioners requested a ruling by the Supreme Court in order to resolve an apparent split between the Third, Sixth, Seventh, Ninth and D.C. Circuits, which have held that no concrete injury is needed, and the First, Second, Fourth and Eighth Circuits, which have held, in line with Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) that a concrete injury that is actual or imminent and not hypothetical is necessary to confer Article III standing in database breach cases.
In the Zappos case, hackers entered the online retailer’s database in January 2012, gaining access to the personally identifying information – including some credit card information — of 24 million individuals. Lawsuits were filed and consolidated thereafter, and on June 1, 2015, the United States District Court for the District of Nevada dismissed the claims for lack of standing because no actual injury was alleged. On May 6, 2016, the court allowed claims by two new plaintiffs to proceed, as they alleged that fraudulent charges had been made on their credit cards following the breach, but dismissed the case as to those plaintiffs who had not alleged actual injury.
On appeal, the Ninth Circuit allowed the uninjured plaintiffs’ putative class action to proceed. Zappos petitioned for a writ of certiorari, which was denied by the Supreme Court without opinion.
Denial of writ (docket) | Petition for writ of certiorari