Amazon (NSDQ: AMZN) subsidiary Zappos, an online shoe retailer, faces a second lawsuit over a hacking incident involving 24 million customers. The new suit seeks to test courts’ “no harm, no foul” rule when it comes to leaking personal data.
In a complaint filed in Boston federal court, a group of customers claim Amazon is responsible for the hacking and that the company should pay an unspecified amount of damages for negligence, breach of contract and invasion of privacy.
The incident took place on January 16 and resulted in hackers obtaining the customers’ names, phone numbers, emails and encrypted passwords. Zappos responded by sending out a mass email warning that a breach had taken place and suggesting that customers change their password for Zappos and on other sites as well.
The lawsuit claims that Zappos has failed to pay for credit monitoring and other expenses that customers may have incurred in responding to the security breach. It quotes remarks by Senator Richard Blumenthal (D-Ct) that the company is obliged to do so:
“enterprising criminals can leverage information like names, addresses, email addresses, and other breached information to gain access to consumers’ accounts and commit identity theft and fraud. Therefore, I request that Zappos provide its customers with the option of receiving two years of credit monitoring and a credit freeze, as well as any costs resulting from the security breach, to be paid for by Zappos.”
The lawsuit is the second to be filed and raises the question of whether companies should be liable for hacking incidents in which customers suffer no direct financial loss. In this case, Amazon had prepared for a cyber-attack by keeping certain critical data in a separate server (that was not breached) and by having a plan to rapidly notify customers.
This is different from the infamous Sony (NYSE: SNE) incident last year in which the electronics giant took days to notify its customers that hackers had stolen credit card information. The company is facing class actions over the incident based on state consumer protection laws.
At the national level, courts have ruled that customers must show actual harm in order to successfully sue a company over a data breach. So far, courts have typically found that a loss of personal information does not result in any harm.
But Greg Blankinship, an attorney in the Zappos case, believes this is changing. He points to a recent decision involving the Hannaford grocery chain in which an appeals court found that consumers had suffered harm because they had to pay to obtain new credit cards and identity theft insurance.