Big opinion today on privacy law. Judge Samuel Conti dismissed the complaint in Ruiz v. Gap Inc., No. 07-cv-5739 (N.D. Calif. April 6, 2009), ruling that the plaintiff's proof that he was at "significant risk" of identity theft as a result of the theft of a laptop containing unencrypted personal information was not sufficient damage to make out a viable negligence claim.
The court wrote that in this context the damages element of a negligence claim could be met by establishing a "significant exposure of ... personal information." Significant risk falls short of this standard, the court wrote.
Significant exposure is needed, not significant risk.
The heart of the court's ruling on the damages question reads:
At a minimum, Ruiz would be required to present evidence establishing a significant exposure of his personal information. Here, Ruiz has not presented such evidence. Instead, Ruiz relies on the expert report of Dr. Ponemon to overcome this evidentiary burden. However, as Ruiz himself concedes, all Dr. Ponemon's report establishes is that there is a "significant risk" that Ruiz's information was exposed. See id. Ruiz presents no evidence showing there was an actual exposure of his personal information, much less that it was significant and extensive. The Court is convinced that even if a California court were to apply the standard it has adopted in medical monitoring cases, summary adjudication of Ruiz's negligence claim would still be appropriate.
This case arose out of the Sept. 17, 2007, theft of two laptop computers from Vangent Inc., a Gap vendor that was processing job applications at the time of the theft. The stolen laptops contained personal information, including social security numbers, on roughly 750,000 Gap job applicants.
If you are an attorney just getting into this area, Judge Conti's take on the data breach damages issue is the most illuminating opinion I have come across so far. The opinion neatly separates the standing question (Ruiz's proof on significant risk of identity theft is sufficient for Article III standing) from the negligence damages question, and he summarizes all of the relevant cases decided to date. The court discusses how the environmental risk/medical monitoring cases bear on data breach cases. Judge Conti mentions in passing that it was significant whether the laptop theft was for the purpose of acquiring the laptop or for the purpose of acquiring the data it contained; I hadn't noticed this inquiry in prior data breach cases, though it didn't help the plaintiff here. There is a lot more in this opinion that should inform the thinking of parties on both sides of data breach cases.
Other issues in the case involved the plaintiff's claim that Gap and Vangent violated a California law (Calif. Civil Code 1798.85) that forbids Web site operators from requiring a social security number to "access" a Web site. Here, the plaintiff "accessed" the Gap Web site when he landed there following a Google search -- a time well in advance of when he was later asked for his social security number as part of the online application process. The court rejected the claim on this basis.
The court also turned back the plaintiff's breach of contract claim, finding that speculative harm, fear of harm, or costs of credit monitoring were not a cognizable form of damage in a breach of contract action. The credit monitoring issue was a little tricky. Gap's data breach notification letter offered all victims a year's worth of free credit monitoring, which the plaintiff declined. The court ruled that the plaintiff's own subsequent expenditure for allegedly better credit monitoring services was unnecessary and could not create damages to support his contract claim.