The U.S. Supreme Court on Monday shot down an appeal from Zappos, allowing a lawsuit to move forward over a 2012 data breach. Hackers broke into the Amazon-owned company’s computer systems and accessed the personal information (including names, contact details and partial credit card numbers) of some 24 million customers, leaving them vulnerable to fraud and identity theft.
Zappos argued unsuccessfully in its appeal of the San Francisco-based federal appeals court ruling that there was no evidence of concrete injury to customers as a result of the breach. “The factual scenario this case presents — a database holding customers’ personal information is accessed, but virtually no identity theft or fraud results — is an increasingly common one,” the company wrote.
However, Zappos did admit that “around two dozen consumers said their data was misused following the breach,” but pointed out that it acted swiftly following the breach so that passwords could be reset, preventing serious harm.
Zappos’ customers argue that due to the sensitive nature of the data stolen by hackers, they are at substantial risk of having their personal information used for nefarious purposes at any time, even years later, and long before the fraud is discovered.
The rejection of Zappos’ appeal dealt a major blow to the business world, which is looking to limit its liability in such data breaches, which have become a common occurrence as companies increasingly seek and store customer information on their servers.
Prior to the San Francisco appeals court ruling, a federal judge in Nevada determined that only customers who claimed financial losses had legal standing to sue Zappos. The appeals court then reversed that decision, allowing all of the plaintiffs — whether or not they have traceable proof of actual injury — to pursue their litigation.
How Shoppers Want Retailers to Respond to Data Breaches
Court Reopens 2012 Zappos Data Breach Litigation
How to Keep Your Information Safe After the Saks, Lord & Taylor, Under Armour Data Hacks