Shoe retailer Zappos is facing a national class action suit one day after it warned customers that its servers had been hacked.
On Monday, the Amazon-owned shoe company sent a mass email stating that 24 million customer accounts had been breached. The incident resulted in hackers obtaining names, phone numbers, emails, encrypted passwords and the last four numbers of customer credit cards.
The lawsuit claims Amazon (NSDQ: AMZN) violated a part of the Fair Credit Reporting Act by failing to properly encrypt and secure customer information, and seeks unspecified damages for 24 million customers.
The lead plaintiff in the case is a Texas woman, but the suit was filed in federal court in Louisville, Kentucky, on the grounds that Amazon has servers located in that state.
As these types of hacking incidents have become more common, so too have related lawsuits. So far, though, few of these lawsuits have been successful because customers have been unable to show that they have been harmed by the data breaches.
The Kentucky lawsuit appears based in part on a novel legal theory that customers will now be more susceptible to phishing and other online scams because hackers have their email. It also alleges the plaintiffs suffered emotional distress. Other high-profile data breach cases, such as one involving Sony’s PlayStation, have been based in part on state consumer laws.
Although courts have been reluctant to find that customers have been harmed by data breaches, there is evidence this may be changing. A security publication recently reported that an appeals court allowed customers to claim they suffered harm in the form of having to buy insurance for identity theft.
Some media publications this week praised Zappos for having a pre-arranged plan to respond to the data theft. The company claims that its customer credit cards remained secure because they were stored in a separate server.