Zappos Sued Over Data Breach
Class-Action Suit Argues Data Not Safeguarded
In the lawsuit, Stevens v. Amazon.com Inc., filed Monday in the U.S. District Court for the Western District of Kentucky, attorneys for Theresa D. Stevens claim that the defendants were entrusted with "safeguarding plaintiff's and class members' PCAI [personal customer account information]" and are in violation of the Fair Credit Reporting Act. The suit alleges the defendants failed to adopt and maintain adequate procedures to protect information and limit its dissemination only for the permissible purposes set forth in the Act.
The defendants' actions also "constitute common law invasion of privacy by the public disclosure of private facts and common law negligence," the suit argues.
The suit states, "Plaintiff and class members are entitled to compensation for their actual damages including ... expenses for credit monitoring and identity theft insurance, out-of-pocket expenses, and other economic and non-economic harm, or statutory damages of not less than $100, and not more than $1,000, each, as well as attorneys' fees, litigation expenses and costs, pursuant to [the Act]."
Zappos officials declined to comment on the lawsuit and said any updates would be provided on its blog.
Zappos Breach Details
In a blog entry posted Jan. 15, Tony Hsieh, CEO of Zappos, explained that a criminal gained access to certain parts of the network through one of the company's servers in Kentucky.
The data breach resulted in unauthorized access to customer account information including names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and/or the cryptographically scrambled passwords (but not the actual passwords).
The database that stores customers' critical credit card and other payment data was not affected or accessed, Hsieh stressed.
But the lawsuit contends that as a result of the breach, hackers now have information on Zappos customers that can be used to lure them into providing more personal information. "As such, consumers ... are more likely to unknowingly give away their sensitive personal information to 'phishing' and 'pharming' thieves who specialize in constructing spoof websites and e-mails that mirror the brand they're spoofing - such as Zappos.com and/or other popular online retailers and financial institutions."
Analyzing Zappos' Response
Zappos was quick to communicate after discovering the data breach, but the company's response has been getting mixed reviews.
Francoise Gilbert of the IT Law Group lauds the retailer for sending quick, informal notification. But she doesn't support the company's tactics of shutting down its customer service phone lines and denying access to the website from locations outside the U.S.
"I understand why they did that, because they were overwhelmed," Gilbert says. "But that's not appropriate for a company of their size. Zappos is not a start-up" (See: Zappos Breach Notice: Lessons Learned).