Two More Federal Data Breach Cases Decided, With Different Outcomes on Standing

On June 1, 2015, a federal judge in the District of Nevada dismissed a putative class action stemming from a 2012 breach of Zappos's servers containing customer information. In re Zappos.com, Inc. Although account numbers, passwords, email addresses and physical addresses, and the last four digits of credit card numbers were involved, none of the plaintiffs alleged they suffered any actual misuse of their data or harm therefrom. The court held that the plaintiffs could not show that they faced an immediate threat of harm, particularly as three-and-a-half years had passed since the breach occurred, and that they therefore lacked standing to sue. The court also rejected the plaintiffs' argument that the value of their data had been diminished given that plaintiffs nowhere alleged that they attempted to sell their information and were "rebuffed because of a lower price-point attributable to the security breach."

On June 15, 2015, a decision by the Central District of California came out the other way. In Corona v. Sony Pictures Entm't, Inc., former employees of Sony brought suit against the company stemming from the November 2014 cyber-attack on Sony's network that impacted the data of at least 15,000 current and former employees. The court held that plaintiffs had standing based on their allegations that plaintiffs' data was posted on file-sharing websites for identity thieves to download and that some information had been used to send threatening emails to employees.

© Arnold & Porter Kaye Scholer LLP 2015 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.