Article

Ninth Circuit’s Zappos Decision is Cautionary Tale for Corporate Victims of Cyberattacks

Practices: Privacy & Cybersecurity

As the well-known proverb provides, “no good deed goes unpunished.” On March 8, 2018, the U.S. Court of Appeals for the Ninth Circuit unfortunately lent support to that theory when it reversed dismissal of a consumer data-breach class action against online retailer Zappos.com (Zappos), a victim of a cybersecurity breach, in part because Zappos recommended after the breach that its customers whose personal information was compromised change their passwords. According to the Ninth Circuit, Zappos’ recommendation was effectively an admission that its customers faced a risk of fraud from the breach that was sufficient to give them standing to sue under Article III of the U.S. Constitution. The Zappos decision highlights a growing split among courts of appeals as to whether a corporate cybersecurity-breach victim’s efforts to assist its customers in the wake of the breach should weigh in favor of those customers’ standing to sue. Continue to read the full article.