Continuing the split among federal courts, the Ninth Circuit found that plaintiffs in a consumer data breach class action against Zappos have Article III standing based on the hacking incident, not subsequent criminal activity. (Read opinion here In re Zappos.Com., Inc. Customer Data Security Breach Litigation (01565871xAE57E). Standing is determined at the time of the breach, not when the lawsuit is filed.
The decision reversed a ruling from the U.S. District Court of Nevada. In so doing, the Ninth Circuit ruled that its 2010 decision in Krottner v. Starbucks Corp. is compatible with Clapper v. Amnesty International issued by the U.S. Supreme Court in 2013. Both cases addressed whether a reasonable likelihood of future harm is enough to establish standing: Krottner found there was; Clapper did not.
In the March 8, 2018 Zappos case, the Ninth Circuit ruled that the “imminent” risk of identity theft is enough to establish standing by those customers who had not yet been the victim of fraud.
Along with the Ninth Circuit, the Sixth, Seventh and D.C. circuits have found that a risk of future harm from the theft of consumer data is enough for standing. The Second, Third, Fourth and Eighth circuits have reached opposite conclusions in similar data breach disputes.