In January 2012, the Amazon-owned online retailer Zappos suffered a major data breach that exposed personal information of about 24 million of the site’s customers, including names, addresses, passwords, and the last four digits of their credit card numbers. The fallout from large-scale data breaches is never resolved quickly, but even by those standards, the settlement that Zappos proposed this fall was a little bit shocking both in how long it took to reach and how little it offered to victims of the breach.
The settlement, which was submitted for approval to the United States District Court for the District of Nevada in September, provides a 10-percent-off code for one Zappos order per affected customer, but the discount has to be used by 11:59 Pacific time on Dec. 31, 2019, or within 60 days of being distributed to affected customers, whichever is later. The deal has already received preliminary approval and is likely to be finalized in the coming weeks. It’s an astonishing step backward in data breach settlements and a disheartening reminder of how easy it is for major companies to still walk away from data breaches with minimal consequences.
If anything, a 10-percent-off coupon seems less like an actual penalty than a business tactic for Zappos to generate additional revenue in the final quarter of 2019. It also forces customers who want to get anything out of the settlement to provide more of their money and information to a business that has already let them down on the data protection front. And all for a measly 10 percent! You could probably find better Zappos discounts than that on a holiday weekend. (Though, admittedly, it’s a bit of a rarity, given that Zappos doesn’t offer coupons.)
Perhaps everyone involved is just relieved that the case is finally over, no matter how paltry the terms of the settlement are. After all, the agreement comes at the end of a seven-year legal saga in and out of various courts. Zappos has tried repeatedly to get the case dismissed, while the customer class-action group kept appealing until the 9th U.S. Circuit Court of Appeals finally sided with the plaintiffs in 2018 and then denied Zappos’ petition for a rehearing.
The Zappos settlement looks especially paltry compared with the landmark Equifax data breach settlement reached earlier this year, worth between $575 and $700 million, over the company’s 2017 breach of personal information belonging to 145 million Americans. At that moment, it seemed like the courts might be coming around to the idea that having their personal data stolen could present real harm to people and might merit serious penalties. Zappos is a reminder that settlements of the size Equifax is facing are still very much the exception, not the rule. And even the Equifax settlement is currently being mismanaged to the point where it seems extremely unlikely that most affected individuals will get any financial compensation at all by the time the settlement administrator is done forcing them to jump through hoops. By the time they’re done demanding to see proof of your identity-monitoring, you may wish Equifax had just sent you a coupon.
Correction, Aug. 23, 2021: Due to a photo provider error, the photo on this post was originally misattributed.