The U.S. Supreme Court on March 25 rejected an appeal by Zappos.com Inc. in a case involving a lawsuit stemming from a massive data breach at the online shoe seller seven years ago that its customers claim continues to put their personal information at risk.
The high court's refusal to grant Zappos a review of the case means the lawsuit against the company can advance in the lower courts. Plaintiffs are seeking class-action status for that lawsuit, which is a consolidation of several other complaints.
Zappos, a subsidiary of Amazon.com Inc., contends it is not liable following a 2012 data security breach of the online shoe sellers' servers that exposed the information of more than 24 million Zappos customers, including account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information, according to court documents.
Several customers filed lawsuits against Zappos in various courts in 2012, claiming that Zappos was responsible for liability associated with the breach and exposure of personal information and subsequent misuse by hackers. Those lawsuits were consolidated at the U.S. District Court of Nevada, and in 2015, that district court dismissed the customers' claims due to lack of standing. The district court ruled that plaintiffs had not made specific allegations of theft or fraud and therefore did not sufficiently plead injury, according to court documents.
The underlying issue, the suing customers contended, was that their personal information was still exposed to hackers and criminals, even if it did not include financial information. Zappos argued that it is not liable, due in part because it notified customers quickly of the breach. The company also argued that "too much time has passed since the breach for any harm to be imminent," according to court filings.
Zappos petitioned the high court after the San Francisco-based 9th U.S. Circuit Court of Appeals ruled in November 2018 that "respondents [the consumers] sufficiently alleged an injury in fact based on a substantial risk that the Zappos hackers will commit identity fraud or identity theft."
"This appeal concerns claims based on the hacking incident itself, not any subsequent illegal activity," Zappos argued in its petition to the high court.
Zappos and Amazon, which purchased the shoe merchant in 2009, did not immediately return requests for comment from S&P Global Market Intelligence.
Data breaches have previously impacted some major companies, including a 2017 breach of credit reporting agency Equifax Inc. that impacted more than 145 million consumers, as well as several within the consumer space, including Target Corp. and Home Depot Inc.
Several lawmakers have pushed for a national data breach security law that would require quicker notification to consumers if their information was compromised.