The U.S. Supreme Court turned away an appeal by Amazon.com Inc.’s Zappos unit, letting a lawsuit proceed over a 2012 hack that exposed the personal information of 24 million customers.
The online shoe and clothing retailer argued unsuccessfully that the customers couldn’t sue without proof of concrete injury, such as the impending misuse of their information. The suit, allowed by a federal appeals court in San Francisco, seeks class-action status.
The rebuff is a setback for business groups that urged the court to hear the appeal and tighten the rules for data-breach lawsuits. The U.S. Chamber of Commerce said companies face similar suits over alleged vulnerabilities in internet-connected cars, home security systems, children’s toys and medical devices.
“The factual scenario this case presents — a database holding customers’ personal information is accessed, but virtually no identity theft or fraud results — is an increasingly common one,” Zappos argued. The company says only two dozen people have ever claimed their data might have been misused because of the breach.
The appeals court let the suit go forward, saying the sensitive nature of the stolen data, which included credit card information, left customers vulnerable to identity theft. The court pointed to people who said their email accounts had been commandeered or credit cards fraudulently charged.
The suing customers face “a substantial risk that the Zappos hackers will commit identity fraud or identity theft,” Judge Michelle Friedland wrote for a three-judge panel of the U.S. 9th Circuit Court of Appeals.
Lawyers for the customers pressing the suit urged the Supreme Court to reject the appeal.
The high court had been holding the appeal while it considered a case involving Alphabet Inc.’s Google unit that raised similar issues. The justices sent that case back to a lower court to consider whether consumers pressing a privacy suit had legal standing to sue.