On Monday, the Northern District of California granted Gap, Inc.’s Motion for Summary Judgment in Ruiz v. Gap, Inc., et al., Case No. 07-5739 SC, holding that Ruiz’s allegations of an increased risk of identity theft “do not rise to the level of appreciable harm necessary to assert a negligence claim under California law.”
As many of our readers know, state data breach notification requirements have spawned a number of private lawsuits, including class actions. The vast majority of courts have found that the injury allegedly associated with the breach is too speculative and have refused to allow these cases to proceed. See, e.g., Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. Aug. 21, 2007); Stollenwerk v. Tri-West Healthcare Alliance, Case No. 05-16990, 2007 WL 4116068 (9th Cir. Nov. 20, 2007) (unpublished); Shafran v. Harley-Davidson, Inc., No. 07 Civ. 01365, 2008 WL 763177 (S.D.N.Y. Mar. 20, 2008); Kahle v. Litton Loan Servicing, LP, 486 F.Supp.2d 705, 712-13 (S.D.Ohio 2007); Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1 (D.D.C. 2007); Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018, 1021 (D.Minn. 2006); Hendricks v. DSW Shoe Warehouse, 444 F.Supp.2d 775, 783 (W.D.Mich.2006); Key v. DSW, Inc., 454 F.Supp.2d 684 (S.D. Ohio 2006); Guin v. Brazos Higher Educ. Serv. Corp., Inc., No. Civ. 05-668, 2006 WL 288483 (D.Minn. Feb.7, 2006) (unpublished); Bell v. Acxiom Corp., No. 4:06CV00485, 2006 WL 2850042 (E.D. Ark. Oct. 3, 2006) (unpublished); Giordano v. Wachovia Sec., LLC, Civil No. 06-476, 2006 WL 2177036 (D.N.J. July 31, 2006) (unpublished).
That is why many took notice when, last year, in Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D. Cal. 2008), the Northern District of California granted the Gap’s Rule 12(c) motion for judgment on the pleadings on three of five counts asserted by the plaintiff but allowed the plaintiff to proceed with a negligence claim and a statutory claim under state law. In last year’s decision, the court found that an allegation of “increased risk of identity theft” from a lost Social Security number was sufficient “injury in fact” to establish standing and survive a motion to dismiss the negligence claim.
In Ruiz, a thief gained entry to the Chicago offices of Gap’s job application processing vendor, Vangent, and stole two laptops. At the time of the theft, one of the computers was downloading information about Gap job applicants. The laptop in question contained personal information, including Social Security numbers, of approximately 750,000 Gap job applicants. Gap sent a notification letter to the applicants whose personal information was on the computer 11 days following the theft. Gap offered to provide the applicants with 12 months of credit monitoring with fraud assistance at no cost. Gap also advised job applicants to notify their banks and sign up for a free credit report from one of the three major credit reporting agencies. Ruiz did not enroll for the credit monitoring and did not contact his bank; he did attempt to sign up for a free credit report.
Noting that an essential element of a negligence claim under California law is “appreciable, nonspeculative, present harm”, the court found that an increased risk of identity theft “does not rise to the level of . . . harm necessary to assert a negligence claim under California law” (emphasis added). In fact, Ruiz testified that he has never been a victim of identity theft. The court also rejected Ruiz’s reliance on medical monitoring cases, expressing doubt that a California court “would view these two types of cases as analogous” given that there is no public health interest at stake in lost-data cases and noting that toxic exposure plaintiffs seeking to recover the costs of future medical monitoring face significant evidentiary burdens. “Ruiz presents no evidence showing there was an actual exposure of his personal information, much less that it was significant and extensive.”
Thus, the Northern District of California joins the many other courts that have rejected negligence claims arising from lost data cases in the absence of a showing of actual harm.