The Supreme Court has paved the way for consumers to proceed with a class-action lawsuit against Zappos over a data breach.
The court on Monday announced it won't hear Zappos's appeal of a 9th Circuit Court of Appeals decision that allowed consumers to sue the retailer over a 2012 data breach. As is typical, the Supreme Court didn't give a reason for its decision to leave the 9th Circuit's ruling in place.
The battle dates to 2012, when Zappos suffered a security breach that resulted in the theft of 24 million customers' information, including their email addresses, passwords, phone numbers and last four digits of their credit cards.
Zappos argued the case should be dismissed on the grounds that the consumers didn't establish they were injured by the breach. A trial judge in Nevada accepted Zappos's argument, but the 9th Circuit Court of Appeals ruled against the company last year. The appellate judges said in a May 2018 ruling that the stolen data "gave hackers the means to commit fraud or identity theft,” and that two consumers named in the suit said hackers "took over their AOL accounts and sent advertisements to people in their address books."
"These alleged attacks further support plaintiffs’ contention that the hackers accessed information that could be used to help commit identity fraud or identity theft," 9th Circuit said in its ruling.
Zappos then asked the Supreme Court to hear an appeal.
“This Court’s intervention is sorely needed,” the retailer wrote in a petition filed in August. “Mere exposure to a data breach is an unfortunate fact of life in our increasingly virtual world.”
The company argued to the Supreme Court that the 9th Circuit's decision was “of enormous consequence in the Internet age,” adding that the ruling would clear the way for “abstract suits that fail to focus on and compensate concrete injuries.”
“Worse still,” Zappos added, “by subjecting all manner of retailers, employers, and service providers victimized by a data breach to the prospect of sprawling and costly litigation, no matter how adroitly and effectively they respond, the decision below severely dulls incentives to take immediate steps to prevent actual misuse of the data.”