Recently, the United States Court of Appeals for the Ninth Circuit rejected the claims of a job candidate whose social security number was compromised following the theft of a laptop of the potential employer. The court ruled that the named plaintiff in this putative class action failed to adduce any evidence of appreciable and actual damages. The court issued its unpublished opinion in this case, Ruiz v. Gap, Inc., No. 09-15971, on May 28, 2010. To download a copy of the opinion, click here.
In Ruiz, the court did not set for the facts of the case, but the discussion implies that Ruiz was a candidate for a job at Gap, Inc. He provided his social security number to the company job application website. A company employee apparently held Ruiz’s information, including his social security number, on a laptop. Someone then stole the laptop and the information was compromised.
Courts around the country have turned aside cases in which personally identifiable information of a person is compromised, because the plaintiff cannot show present actual injury that is not speculative. Time and money spent on credit monitoring as a result of the breach may or may not constitute actual injury. An increased risk of future identity theft following a breach is difficult to show and courts are skeptical of claims for future damages, since they are arguably too speculative to be compensable.
The court rejected the plaintiff’s claims for the same reason. Interestingly, the court found sufficient “injury-in-fact” to say that the plaintiff had sufficient standing under Article III of the Constitution to bring suit in federal court. Nonetheless, the plaintiff did not suffer actual loss of money or property to maintain a claim for unfair competition.
Also, the court turned aside plaintiff’s negligence claim for time and money spent on credit monitoring, because he did not offer evidence on the amount of time and money he actually spent. In future cases, plaintiffs may be more careful about keeping records of such figures. The court assumed, without ruling, that time and money spent following a breach constitute cognizable elements of damage.
The court also rejected the plaintiff’s breach of contract claim and privacy claim under the California constitution for lack of present damages. The court rejected the claim under California Civil Code Section 1798.85, which prohibits a website from using social security numbers as identification or account numbers, but does not bar sites from collecting social security numbers after access is provided using means other than a social security number. Interestingly, the plaintiff failed to make a claim under California AB 1950, Civil Code Section 1798.81.5, which would have allowed the plaintiff to seek damages for failure to take reasonable care to protect the security of the plaintiff’s name and associated social security number.
The Ruiz case has no precedential value, because it is an unpublished opinion. Nonetheless, it is some indication of how future panels of the Ninth Circuit will rule on these issues if they come before the court again. And the opinion is consistent with other cases that make it difficult for plaintiffs to prevail in identity theft cases. Nonetheless, it would be interesting to see a plaintiff with more careful records of damages seek relief under AB 1950. Such a claim may have a better chance to succeed.
Stephen Wu
Partner, Cooke Kobrick & Wu LLP