Zappos' Offer to Breach Victims: A 10 Percent Discount
Proposed Data Breach Settlement Follows Supreme Court's Refusal to Hear Appeal
Zappos is close to settling a long-running class action lawsuit filed by consumers over a 2012 data breach.
The case against the Las Vegas-based online shoe and clothing retailer has been closely watched as the defense has tried to persuade courts that victims must show harm as a result of a breach to be eligible for any compensation (see: Why So Many Data Breach Lawsuits Fail).
Now, however, Zappos is proposing to compensate all breach victims by giving them a 10 percent discount on a future online purchase.
The terms of the settlement received preliminary approval from District Judge Robert C. Jones on Sept. 19. Victims have until Nov. 29 to file objections, according to a copy of the settlement.
Jones has scheduled a final approval hearing for Dec. 20 at a federal court in Reno, Nevada.
The terms of the agreement include paying about $1.6 million in attorney fees and $2,500 to each of the 14 class representatives. As part of the settlement, Zappos would admit no wrongdoing or liability.
Zappos Denies Wrongdoing
"Zappos vigorously denies all claims asserted in the actions, including, without limitation, that any full credit card numbers were exfiltrated during the data incident, and denies all allegations of wrongdoing and liability," according to the settlement agreement.
How much will the 10 percent discount being offered affect the Zappos bottom line? That remains unclear, although since 2009, Zappos has been owned by Amazon, which reported 2018 revenue of $232.9 billion.
Also unclear is whether victims will settle for a discount on a future purchase from a business that previously lost control of their personal information.
"I'd be worried they'd have another breach, I'm not really sure the 10 percent discount is sufficient for this," tweeted security specialist James Stach.
The proposed class action settlement follows a settlement reached by Zappos with nine state attorneys general in 2015. As part of that agreement, Zappos agreed to pay a total of $106,000 to the states and take several steps to better secure its customers' information (see: Settlement in Zappos Breach Case).
Hacker Compromised Server
Zappos first warned users by email in January 2012 that it had suffered a data breach (see: Zappos Breach Affects 24 Million).
At the time, CEO Tony Hsieh told customers that "we were recently the victim of a cyberattack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky."
The breach exposed data for about 24 million customers. Leaked information included names, email addresses, billing and shipping addresses, phone numbers and the last four digits of credit card numbers. It also included password hashes, which were generated using the SHA-2 algorithm.
Just days after its breach notification, Zappos was hit by a lawsuit seeking class action status over the security failure. But the case has obviously taken a long route through the courts as the retailer has continued to assert that victims must show they suffered harm as a result of a breach.
Supreme Court Refused to Hear Appeal
To pursue a claim in federal court, plaintiffs must have standing under Article III of the U.S. Constitution. Standing is the term for articulating harm caused by another party. Depending on where a class action suit has been filed, standing has sometimes proved to be an obstacle in data breach cases.
In March, the U.S. Supreme Court refused to hear an appeal from Zappos that would have addressed the issue of standing. That refusal meant a Ninth Circuit Court of Appeals ruling was upheld, so victims did not have to demonstrate evidence of illegal activity that was directly linked to the Zappos breach.
Demonstrating harm tied to a specific breach is potentially difficult given the frequency of data breaches and the likelihood that the same personal information may have been exposed many times over by other parties.
The Supreme Court's action was the third time this year that the court has refused to hear a case that addressed the threshold issue of data breach cases, law firm Drinker Biddle & Reath LLP wrote in a March blog post on The National Law Review.
But it also means that the fate of lawsuits may vary depending on where their cases are heard or appealed. Some appeals courts have plaintiff-friendly views, meaning that the fear of harm is enough to gain standing in a class action suit.
Appeals courts in some other circuits, however, "reason that fear of future harm as a result of a data breach is too speculative to meet Article III's standing requirements," the law firm wrote. "With this most recent [Supreme Court] denial, a business's legal exposure after a data breach will continue to depend on the laws of the circuit where the claims are filed."
Executive Editor Mathew Schwartz contributed to this story.