A federal appellate court has revived claims against online shoe retailer Zappos.com Inc. related to a 2012 data breach where hackers stole the personal information of more than 24 million customers.

The U.S. Court of Appeals for the Ninth Circuit on Thursday found that the “imminent” risk of identity theft from the Zappos breach was enough to establish standing to sue for those customers who had not yet been the victim of fraud. The decision reversed a ruling from U.S. District Judge Robert Clive Jones of the District of Nevada who dismissed the claims from plaintiffs who hadn't alleged any instances of identity theft at the time of the suit.

Ninth Circuit Judge Michelle Friedland penned the unanimous opinion, joined by colleague Judge John Owens and U.S. District Judge Elaine Bucklo of the Northern District of Illinois sitting by designation. Friedland's opinion leaned heavily on the Ninth Circuit's 2010 decision in Krottner v. Starbucks, a case where the court found Starbucks Corp. employees “alleged a credible threat of real and immediate harm” after a company laptop containing their personal information was stolen.

Thursday's decision in the Zappos case was the first to re-examine the Krottner decision since the U.S. Supreme Court handed down its 2013 decision in Clapper v. Amnesty International USA, which held that “an objectively reasonable likelihood” of future harm is not enough to establish standing. Friedland concluded that Krottner is still good law and controlled the Zappos case.

“Unlike in Clapper, the plaintiffs' alleged injury in Krottner did not require a speculative multi-link chain of inferences,” Friedland wrote. “And although the Supreme Court focused in Clapper on whether the injury was 'certainly impending,' it acknowledged that other cases had focused on whether there was a 'substantial risk' of injury,” she wrote.

The hackers in the Zappos case allegedly stole customers' names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information in 2012. Thursday's opinion found that plaintiffs alleged risk of future identity theft is “fairly traceable” to Zappos' failure to prevent the breach.

“That hackers might have stolen plaintiffs' PII in unrelated breaches, and that plaintiffs might suffer identity theft or fraud caused by the data stolen in those other breaches (rather than the data stolen from Zappos), is less about standing and more about the merits of causation and damages,” Friedland wrote.

Stroock & Stroock & Lavan partner Stephen Newman in Los Angeles, who handled oral arguments at the Ninth Circuit for Zappos, directed a request for comment to the company, which didn't immediately respond Thursday afternoon. Likewise, the plaintiffs' lawyer, D. Gregory Blankinship of Finkelstein Blankinship Frei-Pearson & Garber in White Plains, New York, didn't immediately respond to a phone message.