Yeah, in this case, users are the “bastards” to the Zappos family. Seven years after the Zappos data breach, the long-awaited class-action lawsuit has finally come to its closing mark. Unfortunately, for the Las Vegas online store’s users, the news isn’t that great—if anything, it’s almost laughable.
For a quick recap, Zappos first warned users by email in January 2012 that it had suffered a data breach, affecting 24 million users. The breach exposed data including names, email addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers. It also included password hashes, which were generated using the SHA-2 algorithm.
Days following the breach notification, Zappos was hit by a lawsuit seeking class action status over its security failure.
Under Nevada’s data breach statute, codified in Title 52, Chapter 603A of the Nevada Revised Statutes Annotated, a data collector is subject to Nevada’s data breach notification statute if it owns or licenses computerized data that includes personal information.
In this event, it shall disclose any breach in the security of the system data to any resident of Nevada whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This notice can be delivered via written notification, electronic notice (if it is consistent with the provisions of the Electronic Signatures in Global and National Commerce Act), and/or substitute notice, as further discussed in Nevada’s data breach notification statute.
In March, the U.S. Supreme Court refused to hear an appeal from Zappos, which would have addressed the issue of “standing,” which is required under Article III of the U.S. Constitution. ‘Standing’ refers to a justifiable harm or an articulable harm caused by another party. The result of the SCOTUS’ refusal to hear an appeal meant that the victims of the breach did not have to show evidence of illegal activity directly linked to the Zappos breach.
With the lawyers set to receive $1,620,000 in attorneys’ fees and other legal costs, Zappos users are walking away with a 10% discount for any future purchase at the online store. You’ve got to be fu***** kidding me, right??
But wait, there’s more.
- Users will have 60 days to request and use their 10% discount and
- Zappos would admit to no wrongdoing or liability.
Okay, now you can throw down. This settlement marks another case where data breach victims walk away with almost nothing in their pockets, and more problems with little to no remedy.
The terms of the settlement received preliminary approval from District Judge Robert C. Jones on September 19, and victims have until November 29 to file their objections. It currently is pending Judge Jones’ approval in a final approval hearing scheduled for December 20.
This lawsuit represents everything that’s wrong with class-action lawsuits today and our legal justice system.
#1—History Continues to Repeat Itself
If you are thinking of countering that this is just one shitty outcome, think again. This isn’t anything new.
Yahoo’s Data Breach
Let’s look back to the Yahoo data breach and its accompanying settlement, where affected users were able to walk away with a maximum of $358.80.
Back in September, Yahoo announced that if you had an account any time between January 1, 2012 and December 31, 2016, and are a resident of the U.S. or Israel, you are part of the settlement class and can file a claim for part of the $117,500,000. In other words, you may be entitled to at least $358 as part of the settlement.
The settlement was designed to compensate users for losses resulting from a series of data breaches that took place in 2012 and 2013. Over several years, hackers were able to gain access to Yahoo user accounts, stealing private emails, calendars, and contacts in at least three documented, separate attacks. The breaches ranged in scope from two attacks in 2012, although Yahoo claims no data was taken, to a 2013 breach where hackers were able to gain access to information from more than 3 billion Yahoo accounts, stealing names, email addresses, telephone numbers, birth dates, passwords, and answers to many security questions.
Equifax Data Breach
Back in September 2017, credit reporting agency Equifax announced a data breach that exposed the personal information of over 147 million people, one of the largest data breaches in history. The company settled with the FTC for $425 million in September 2019, again, with little to no accountability. Why? Consumers still have no choice when other agencies choose to pull credit information from Equifax.
The Equifax settlement generously allowed consumers to walk away with a whopping $125. However, just two days ago, it was announced that Equifax used the word “admin” as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia.
The ongoing lawsuit, which consolidates the 373 previous lawsuits into one and was filed after the company’s data breach, went viral after BuzzFeed reporter Jane Lytvynenko took to Twitter, sharing the details from the lawsuit:
“Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,’” the lawsuit reads.
The lawsuit also notes that Equifax admitted to using unencrypted servers to store the sensitive personal information and to having it on a public-facing website.
One of the three largest consumer credit reporting agencies left the keys to unlocking public-facing servers up for grabs.
#2—The Settlement Is Absolutely BONKERS
While the settlement is the first where both parties have formally agreed following a very drawn-out, seven-year-old lawsuit, I’m not sure what the hell was going on during this seven-year period.
What made this case unusually difficult was the lack of evidence that consumers actually suffered from the breach beyond simply changing their passwords. Indeed, as Zappos wasn’t found to be negligent in its security measures, holding the company responsible and liable for the breach was an uphill battle.
It’s a slap in the face to consumers and to the justice system. These settlements are neither reflective nor punitive enough in nature to wake these companies up. It’s only fair to assume the same will take place with whatever settlement arises from the Capital One data breach and DoorDash data breach.
The settlement, having received preliminary approval, has its final approval hearing in December. The settlement itself grants $2,500 to each of the nine representative plaintiffs in the case, while the rest of the $1.6 million settlement fund goes straight into the attorney fees. God, it would be nice to be one of them right now.
As you may have guessed by now, the public is fucking furious with the Zappos outcome. Don’t believe us?
Check out your Twitter feeds.
#3—Consumers Are Left to Fend for Themselves
So, if you’re one of probably 99 percent of the masses that is extremely disgruntled with the settlement, you can opt out and hire a lawyer to help fight the case individually. However, Adam Moskowitz, a class-action attorney in Miami, believes the opt-out rate for the settlement will be very low.
“It’s better than nothing,” Moskowitz said of the discount, explaining that in a settlement, the plaintiff and defendant agree on the relief (your compensation) together. While the coupon is a show of goodwill, it does more harm than good. Of course, consumers loyal to the brand will continue to buy shoes, but what about those truly affected or upset?
But that’s just it, isn’t it? We are continuing to see each of these conglomerates escape liability, with little to no accountability, while the average consumer continues to suffer. Sorry, Moskowitz, but it’s not better than nothing—why would people continue to trust, at least wholly, the security Zappos offers?
I don’t care that there was a lack of evidence consumers suffered from the breach—every breach creates a harm, direct or indirect, large or small. The mere fact that it happened shows some slight misstep in the company’s security. That’s a fact.
What is it going to take to wake these companies up? What is it going to take for a court to realize that this is far from acceptable? Maybe the court needs to see for itself what it’s like to get hit by one of these breaches.
And no, there is nothing premeditated here. Back in high school, our curriculum required us to study Sharon Creech and her novel, “Walk Two Moons,” and if there’s anything that can be taken away from it, it’s that you “don’t judge a man until you’ve walked two moons in his moccasins.” Yes, we are talking to you, Judge Jones.