“Lack of Harm” Doesn’t Prevent Zappos Lawsuit From Going Forward.

The US Supreme Court has rejected an appeal from Zappos regarding a lawsuit brought forth by customers. In 2012, the famed online shoe store (and Amazon subsidiary) announced it had suffered a data breach where approximately 24 million people were affected.

Unsurprisingly, lawsuits were filed. Zappos has been arguing ever since that the lawsuits have no merit. Its latest argument:

“The factual scenario this case presents – a database holding customers’ personal information is accessed, but virtually no identity theft or fraud results – is an increasingly common one,” Zappos argued in its appeal to the Supreme Court.

In other words, it’s the old argument: because there is no harm, the plaintiffs have “no legal standing” – an expression meaning that the lawsuit should be tossed out of court.

The company does admit that “around two dozen” have claimed to have been affected, which is a tiny, tiny fraction of the actual number who were involved. Two dozen is an interesting number because it represents 24, making the math easy: the odds of being “truly” affected by this specific breach are the mythical one in 1 million (approximately).

Data Breaches Are Harmful to Consumers?

There was a time when the courts would have listened to arguments similar to Zappos’s and said “yep, you’re right.” The courts weren’t actually that flippant (at least, it’s hoped that they weren’t), but that was the gist of it. Even now, one presumes, there are courts that would rule in such a manner. After all, Zappos is not entirely wrong: there aren’t too many instances where you can prove that fraud and ID theft are tied to a data breach. There never were.

But, this is not because it doesn’t happen too often; it’s because you can’t prove that the crime is tied to a particular data breach. If some unknown person orders credit cards in your name because they’ve got all your personal particulars (SSN, residential address, mother’s maiden name, etc.)… is it because he (or, increasingly, she) obtained that private information from the Zappos data breach? Or was that information obtained from some other massive data breach? Who knows?

(As an aside, Zappos’s hackers obtained “customers’ names, email addresses, billing and shipping addresses, phone numbers and the last four digits of credit card numbers and scrambled passwords,” per Reuters. Not exactly highly sensitive information).

Chances are, even the people running scams don’t know the provenance of the information they’re using because they bought the information online. Which leads to the question of where Zappos obtained the “facts” that it alludes to, considering that there is so much unknown that you can’t really arrive at a factual conclusion (as far as we know, they never found out who hacked Zappos or where the data ended up… although it’s a given that it’s definitely somewhere on the dark web). Indeed, if the laws were turned upside down so that defendants had to prove there was no harm – or that the harm is not linked to their own data breach – Zappos would have as hard a time doing so as the 24 million customers who are currently required to prove harm.

Parallels Show Absurdity of Argument

In addition, the argument is a poor one for having a case dismissed. Can you imagine applying the same argument to something else? Like an E. coli outbreak involving romaine lettuce?

In mid-2018, people in the US got sick from eating lettuce that was tainted with E. coli. (There was a second scare later in the year that was also tied to romaine lettuce). Per the records I can find, 210 people got ill; 96 people were hospitalized; and 5 people died. Of course, lawsuits were filed.

So, 5 deaths and 210 sick in the US, whose population is 327 million (the scare was nationwide, with potentially anyone in the US – and Canada, which is not included in the calculations – being affected). That represents about six in 10 million sick, and one in 100 million dead. In terms of people affected, these figures are actually better than Zappos’s one in 1 million.

Can you imagine arguing that the lettuce lawsuit should be tossed from court because virtually no one got sick, and even fewer people died? (And, in this case, the numbers are indisputably factual. There are ways to track the cause of mortality and tie it to the tainted lettuce).

There would be an uproar. The lawyers wouldn’t dream of making such an argument. The company executives wouldn’t sign off on it. But, in Zappos’s case, they made that very argument.

Because, you know, it’s data.

And the company executives signed off on it, presumably; in fact, most companies probably would.

Because, you know, it’s data.

Maybe it’s because of that attitude that we keep having preventable data breaches. Companies may repeat the mantra that they “take your privacy and security seriously” whenever the occasion calls for it. However, it’s pretty evident they don’t. It shows in their information security incidents, and it shows in their legal defenses as well.
