The U.S. Court of Appeals for the Ninth Circuit reversed a lower court’s dismissal of a consumer data-breach class action against online retailer Zappos.com, a victim of a cybersecurity breach, in part because Zappos recommended after the breach that its customers whose personal information was compromised change their passwords.
According to the Ninth Circuit, Zappos’ recommendation was effectively an admission that its customers faced a risk of fraud from the breach that was sufficient to give them standing to sue under Article III of the U.S. Constitution. The Zappos decision highlights a growing split among courts of appeals as to whether a corporate cybersecurity-breach victim’s efforts to assist its customers in the wake of the breach should weigh in favor of those customers’ standing to sue.
