The Supreme Court on Monday declined to take a case involving a data breach against online retail giant Zappos, leaving lower courts to sort out what it takes for consumers to be able to sue companies that lose their data.
The justices denied the case without comment, leaving in place a decision from the 9th Circuit Court of Appeals, which ruled a group of consumers could sue Zappos for a 2012 breach that affected 24 million customers.
That ruling conflicted with other federal courts that have held customers to a tougher standard for suing over data breaches, and lawyers had been hoping the justices would settle things.
“It is frankly embarrassing that the court leaves this major circuit split on such an important issue unresolved,” said Fred Cate, a law professor at Indiana University.
The Zappos breach involved customers who had partial credit card numbers revealed, though none of those involved in the 9th Circuit case had evidence of fraudulent activity directly linked to the hack.
The 9th Circuit ruled that the fact of the breach put the consumers at imminent risk of identity theft. Four other federal appeals courts have agreed.
But four others have disagreed, instead requiring plaintiffs to show a direct injury as a result of a hack to be able to sue.
Zappos wanted the justices to step in and sort out the circuit conflict, hoping the high court would overturn the 9th Circuit’s decision and agree to the higher burden.
“This court’s intervention is sorely needed. Mere exposure to a data breach is an unfortunate fact of life in our increasingly virtual world,” Zappos’ attorneys argued to the high court.
Lawyers for the customers urged the court not to take up Zappos’ appeal, saying the circuit courts have come down in different ways not because of a confusing legal standard, but because the facts of every data breach case vary.
“Different outcomes in data breach cases reflect the fact that there are many different kinds of data breaches, and different data breaches give rise to different risks of harm,” they argued.
Michael Greenberger, a law professor at the University of Maryland, said the justices are likely waiting for a case with different facts to settle the dispute.
“At some point there will be enough justices who will want to have certiorari granted to get this thing straightened out,” Mr. Greenberger said. “This issue is critically, critically important.”
Mr. Cate said other branches of government could step up by passing cybersecurity legislation or naming a dedicated regulator.
“Litigants spend millions of dollars in litigation and the court acts as if it simply does not care or can’t be bothered, despite the fact that breaches affect virtually all Americans,” he said.