On January 15, 2012, hackers accessed Zappos’ system and stole the names, addresses, passwords, and the last four digits of the credit and debit card numbers of 24 million footwear-seeking customers. Fast forward almost 8 years and the Amazon-owned e-commerce site and the group of nine class action plaintiffs have reached a settlement: in exchange for having their personal information stolen, anyone who had a Zappos account – or for whom Zappos had an email address – prior to the January 2012 data breach is entitled to a one-time-use 10 percent off coupon.

The settlement was submitted for approval in mid-September and granted on a preliminary basis by the U.S. District Court for the District of Nevada. Under its terms, the 9 named plaintiffs will each net $2,500, while the rest of the $1.6 million sum that Zappos has agreed to pay will be used to cover their attorneys’ fees and other legal costs. As for the 24 million or so other individuals impacted by the breach, there will not be a $350 check coming in the mail (as is the case for the recent Yahoo settlement). No, relief is limited to a 10 percent code to be used before December 31, 2019, assuming, of course, the settlement is finalized.

As Slate’s Josephine Wolff wrote last week, the Zappos terms are “an astonishing step backward in data breach settlements and a disheartening reminder of how easy it is for major companies to still walk away from data breaches with minimal consequences.” Wolff further asserted that the settlement “seems less like an actual penalty than a business tactic for Zappos to generate additional revenue in the final quarter of 2019,” since it “forces customers who want to get anything out of the settlement to provide more of their money and information to a business that has already let them down on the data protection front.”

At the same time, Kirkland & Ellis class action litigators Dan Donovan, Ragan Naresh, and Carrie Bodner stated early this year that “nearly 15 years ago, Congress passed the Class Action Fairness Act to curb perceived abuses in the class action settlement process,” including the requirement that federal courts approve class action settlements. As a result, “Courts have been reviewing proposed class action settlements with greater rigor, resulting in several high profile rejections of settlements – sometimes early in the settlement approval process.”

With that law and courts’ larger pattern of “taking seriously their obligation to scrutinize class action settlements” – as Donovan, Naresh, and Bodner assert – in mind, it is difficult not to wonder how Zappos’ 10 percent off settlement terms could be deemed “fair,” even in a preliminary capacity.

Yet, it seems the facts are very much on Zappos’ side. As class-action attorney Adam Moskowitz recently told LifeHacker, while the Zappos settlement – the $1.6 million and the 10 percent off coupons, alike – “seems quite low,” that is likely due to the fact that there was a general lack of “evidence that consumers suffered [harm] from the breach beyond the hassle of changing their passwords.”

Add to that the fact that Zappos acted diligently. The National Law Review reported this spring that “Zappos did everything a responsible corporate citizen would do upon learning of a breach: [it] immediately cut access between its systems and the outside world, suspended online ordering until customers’ passwords were reset, and notified its customers to change their passwords.”

The consensus has been that, taken together, Zappos’ “actions prevented widespread harm and, as a result, only a handful of customers out of 24 million reported concerns that their information was misused in the six years following the breach.”

The overall lack of harm caused by the breach was a significant point of contention throughout the case. Zappos responded to the class action suit by arguing that customers whose data had not been used in nefarious ways (i.e., in furtherance of identity theft or to make fraudulent charges) did not have the grounds to file a federal lawsuit. Counsel for the plaintiffs argued that they stood to be the targets of harm in the future, as their information could be used at any time, including years after the hack.

In hearing the plaintiffs’ case, the trial court in Nevada “rejected the claims of many plaintiffs, finding they had no standing to sue because they had not suffered an actual injury” as a result of having their information hacked, Patterson Belknap Webb & Tyler LLP’s Peter A. Kurtz and Craig A. Newman wrote last spring. As such, the plaintiffs’ case, as a whole, largely centered on the risk of future harm that would result from the breach.

On appeal, a 3-judge panel for the Ninth Circuit sided with the plaintiffs, determining that they could establish standing to sue even if they had not yet suffered an actual injury because the breach put the plaintiffs at a substantial risk of future harm, largely due to “the nature of the data that the plaintiffs allege was taken.” In addition to an actual injury, “the court said customers can sue if they can show there is a substantial risk of harm and that it is impending,” per Reuters, and that decision was ultimately left to stand when the Supreme Court declined to take up Zappos’ appeal.

That decision – one that Zappos called “manifestly insufficient” in light of the fact that “data breaches are a fact of life in an increasingly digital world” – does not appear to have dictated the settlement terms for the 24 million Zappos users who might be subject to harm in the future. Nonetheless, Moskowitz suspects that the opt-out rate for the settlement will be very low. After all, he says, a discount from the notoriously discount-averse Zappos is “better than nothing.”