If the Shoe Fits . . . File a Class Action? Zappos Data Breach Leads to Quick Lawsuit.
Less than 24 hours after the Zappos data breach was announced, a class action lawsuit was filed against Amazon.com (Zappos is owned by Amazon). The Complaint [pdf] purports to be asserted on behalf of a putative class of 24 million customers whose information was exposed in the Zappos hacking incident.
While 24 million individuals, not to mention the name recognition and presumably healthy coffers of Amazon, have class action lawyers in a tizzy, is this simply an opportunistic and headline-grabbing consumer action without much substance? Let’s take a closer look.
In addition to state law negligence claims, the Complaint [pdf] alleges that Amazon is liable under the Fair Credit Reporting Act (“FCRA”) [pdf]. Whether Amazon is a Consumer Reporting Agency within the meaning of the FCRA is itself an interesting issue, but outside the scope of this post. The real thorny issue will likely be damages.
As we posted here previously, the information exposed in the breach was limited to:
- telephone numbers
- email addresses
- passwords (cryptographically scrambled)
- the last 4 digits of credit card numbers
Significantly, the incident did not expose customers’ social security numbers, nor did it expose complete credit card information. Yet the complaint alleges damages as a result of future “phishing” attacks directed at the customers, as well as anxiety, emotional distress and loss of privacy. Plaintiff also seeks compensation for the costs of identity theft insurance and credit monitoring (apparently to soothe the anxious and distressed customers).
In other words, the allegations are primarily based on “fear of identity theft” rather than actual damages. Aside from the recent 1st Circuit decision in Hannaford, courts have generally rejected such fear-of-identity-theft claims and require a showing of some actual harm by the individuals affected by the breach. In this instance, unlike Hannaford, which exposed complete credit card numbers, there seems little likelihood of directly connecting any fraud to this incident, in light of the limited customer data that was exposed.
So did Zappos even have to notify its customers that it was hacked? Arguably the risk of harm to the customers is low and most state data breach notification laws are not even triggered without the exposure of SSNs or complete credit card numbers. Obviously Zappos erred on the side of notification for customer and/or public relations reasons, and it would be hard to argue against notifying under the circumstances.
Nonetheless, the Zappos breach demonstrates the conundrum and headaches these sorts of incidents can cause for businesses. Choose to bury the incident, and you may have to justify your decision to regulators and attorneys general, should the word get out. Or err on the side of notifying and expose yourself to class action lawsuits. Either way, businesses can expect to incur significant costs in the wake of a breach.