On January 16, 2012, attorneys filed a class action against Amazon.com relating to an online hacking attack that compromised the personal information of up to 24 million customers of its online shoe retailer, Zappos.com. Data Breach Legal Watch reported that less than 24 hours after the breach occurred, the plaintiffs’ bar had already filed a Complaint claiming that the attack resulted in the exposure of the following:
• Telephone Numbers;
• Email Addresses;
• Passwords (cryptographically scrambled); and
• The Last 4 Digits of Credit Card Numbers
The attack did not expose the social security numbers or complete credit card numbers of customers. Nonetheless, the Complaint claims that customers will be exposed to “phishing” attacks that are tailored to the compromised information, as well as anxiety, emotional distress and loss of privacy. Further, similar to the Sony data breach case, the Complaint seeks compensation for the costs of identity theft insurance and credit monitoring.
Data Breach Legal Watch notes that, aside from the Hannaford decision that the 1st Circuit recently published, courts have generally rejected fear of identity theft claims, requiring a showing of some actual harm to the individuals affected by the breach. This breach, however, did not expose complete credit card numbers like in Hannaford or several of the hacking attacks directed at Sony. It would seem that Zappos is unlikely to be on the hook for anything beyond being forced into providing identity protection and/or monitoring for its customers. However, the cumulative effect of these data breaches and the class actions that inevitably follow will likely be greater data security within internet industries.