Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

In April 2008, UniCare informed some members of its health insurance plans that some of their personal information was temporarily accessible to the public on the Internet. In response to UniCare’s notice, the plaintiff sued alleging that UniCare’s inadvertent disclosure of his personal information harmed him in the following ways: created anxiety and emotional distress, increased his risk of identity theft, forced him to spend time and money monitoring his credit, compromised his possessory rights in his information and invaded his privacy. UniCare then filed a motion to dismiss the complaint which focused chiefly on the plaintiff’s failure to allege that any unauthorized person actually viewed the inadvertently exposed information.

At the outset of the opinion, noting that at the motion to dismiss stage disclosure to a third party could be inferred from the plaintiff’s complaint, the court ruled that UniCare’s inadvertent disclosure might constitute a “communication” of consumer report information and thus refused to dismiss the plaintiff’s FCRA claims. The court then examined the plaintiff’s remaining claims – all of which, according to UniCare, required a showing of damages to state a valid cause of action – in relation to the various harms plaintiff claimed to have suffered due to the disclosure of his information. In each instance, the court found that even though the evidence might ultimately not support the plaintiff’s theories of damage, drawing all inferences in the plaintiff’s favor as the court must on a motion to dismiss, his complaint satisfied the liberal pleading standard set forth in the Federal Rules of Civil Procedure.

But Judge Hibbler did make clear that the Illinois Supreme Court’s decision in Williams v. Manchester, 229 Ill. 2d 404 (2008), ruled out the possibility that “the exposure of personal information might be the present injury providing the basis for recovery of damages for increased risk of future harm.” Rather, as Judge Hibbler stated, “Rowe may collect damages based on the increased risk of future harm he incurred, but only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.” Moreover, while the court did not find the Seventh Circuit’s reasoning in Pisciotta v. Old National Bancorp (see our blog post here) entirely persuasive, the court held that “the costs of credit monitoring services are not a present harm in and of themselves.”

Though some might view this decision as a victory for plaintiffs and their lawyers, it also further illustrates the level of judicial skepticism toward “identity theft exposure” claims and makes it even more difficult for plaintiffs to argue that an increased risk of harm based on the exposure of personal information, without more, is a harm that the law should recognize.
 

As many of our readers know, state data breach notification requirements have spawned a number of private lawsuits, including class actions. The vast majority of courts have found that the injury allegedly associated with the breach is too speculative and have refused to allow these cases to proceed. See, e.g., Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. Aug. 21, 2007); Stollenwerk v. Tri-West Healthcare Alliance, Case No. 05-16990, 2007 WL 4116068 (9th Cir. Nov. 20, 2007) (unpublished); Shafran v. Harley-Davidson, Inc., No. 07 Civ. 01365, 2008 WL 763177 (S.D.N.Y. Mar. 20, 2008); Kahle v. Litton Loan Servicing, LP, 486 F.Supp.2d 705, 712-13 (S.D.Ohio 2007); Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1 (D.D.C. 2007); Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018, 1021 (D.Minn. 2006); Hendricks v. DSW Shoe Warehouse, 444 F.Supp.2d 775, 783 (W.D.Mich.2006); Key v. DSW, Inc., 454 F.Supp.2d 684 (S.D. Ohio 2006); Guin v. Brazos Higher Educ. Serv. Corp., Inc., No. Civ. 05-668, 2006 WL 288483 (D.Minn. Feb.7, 2006) (unpublished); Bell v. Acxiom Corp., No. 4:06CV00485, 2006 WL 2850042 (E.D. Ark. Oct. 3, 2006) (unpublished); Giordano v. Wachovia Sec., LLC, Civil No. 06-476, 2006 WL 2177036 (D.N.J. July 31, 2006) (unpublished).

That is why many took notice when, last year, in Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D. Cal. 2008), the Northern District of California granted the Gap’s Rule 12(c) motion for judgment on the pleadings on three of five counts asserted by the plaintiff but allowed the plaintiff to proceed with a negligence claim and a statutory claim under state law. In last year's decision, the court found that an allegation of "increased risk of identity theft" from a lost Social Security number was sufficient "injury in fact" to establish standing and survive a motion to dismiss the negligence claim.

In Ruiz, a thief gained entry to the Chicago offices of Gap's job application processing vendor, Vangent, and stole two laptops. At the time of the theft, one of the computers was downloading information about Gap job applicants. The laptop in question contained personal information, including Social Security numbers, of approximately 750,000 Gap job applicants. Gap sent a notification letter to the applicants whose personal information was on the computer 11 days following the theft. Gap offered to provide the applicants with 12 months of credit monitoring with fraud assistance at no cost. Gap also advised job applicants to notify their banks and sign up for a free credit report from one of the three major credit reporting agencies. Ruiz did not enroll for the credit monitoring and did not contact his bank; he did attempt to sign up for a free credit report.

Noting that an essential element of a negligence claim under California law is "appreciable, nonspeculative, present harm", the court found that an increased risk of identity theft "does not rise to the level of . . . harm necessary to assert a negligence claim under California law" (emphasis added). In fact, Ruiz testified that he has never been a victim of identity theft. The court also rejected Ruiz's reliance on medical monitoring cases, expressing doubt that a California court "would view these two types of cases as analogous" given that there is no public health interest at stake in lost-data cases and noting that toxic exposure plaintiffs seeking to recover the costs of future medical monitoring face significant evidentiary burdens. "Ruiz presents no evidence showing there was an actual exposure of his personal information, much less that it was significant and extensive."

Thus, the Northern District of California joins the many other courts that have rejected negligence claims arising from lost data cases in the absence of a showing of actual harm.