On May 28, 2010, in an unpublished decision, the U.S. Court of Appeals for the Ninth Circuit affirmed the California district court’s dismissal of a class action lawsuit against retailer Gap, Inc. because, among other things, the plaintiff failed to show that the loss of his personal information harmed him in a legally cognizable way. The Ninth Circuit’s decision echoes those issued in every “identity exposure” lawsuit to date: an increased risk of identity theft does not a lawsuit make!

On January 5, 2010, Judge William Hibbler of the U.S. District Court for the Northern District of Illinois became the latest federal district judge to share his views about whether an increased risk of future harm based on the inadvertent exposure of personal information is a legally cognizable harm. In Rowe v. UniCare Life & Health Insurance Co., No. 1:09-cv-2286 (N.D. Ill. Jan. 5, 2010), Judge Hibbler . . . hinted that the plaintiff’s claims for violations of the Fair Credit Reporting Act (“FCRA”) and the Illinois Insurance Information and Privacy Act, as well as his common law claims of invasion of privacy, negligence and breach of implied contract, may ultimately be dismissed if the plaintiff failed to show a basis for damages other than his alleged increased risk of future harm, such as identity theft.

On December 7, 2009, a federal district court sitting in New Jersey dismissed a securities fraud class action lawsuit against Heartland Payment Systems arising from a massive breach of credit and debit card information and, in doing so, reinforced the difficulties private plaintiffs face in bringing data breach lawsuits under the federal securities laws.