9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap
[Post by Venkat with a few comments from Eric at the bottom]
Ruiz v. Gap, Inc. (9th Cir. May 28, 2010)
In a decision that does not bode well for plaintiffs bringing privacy-based claims against Facebook in California, the Ninth Circuit recently affirmed the trial court’s rejection of data breach claims against Gap.
Facts: The case arose out of the theft of two laptop computers from a Gap vendor who processed job applications for gap. The stolen laptops contained personal information of applicants who applied for a job at Gap. Ruiz, one of those applicants, brought claims on behalf of a putative class under theories of negligence, breach of contract, unfair competition (17200), the California constitution, and California Civil Code section 1798.85 (which addresses when a social security number could be required to access a website).
The district court rejected Ruiz’s claims largely on the basis that he failed to articulated any cognizable injury. Increased risk of future harm was not sufficient to state a negligence claim under California law, and risk of future harm and credit monitoring were not recognizable damages for a breach of contract claim. In any event, Gap had offered credit-monitoring services, which Ruiz failed to avail himself of. (See Tom O’Toole’s coverage of the case here.)
The Ninth Circuit’s Ruling: The Ninth Circuit agreed with Judge Conti.
Negligence: With respect to the negligence claim, the court held that nominal damages cannot vindicate a “technical right” in the absence of “actual loss.” While in the toxic exposure context, the court recognized that damages for monitoring may be available, the court declines to decide whether that rule should be extended to this context, given the total evidence of any time or money spent on credit monitoring. (And the fact that Ruiz failed to take up Gap’s offer of credit monitoring, or demonstrate why it was insufficient.)
Breach of Contract: With respect to the breach of contract claim, the court held that controlling 9th circuit authority holds that a breach of contract claim “requires a showing of appreciable and actual damage.” This ruling is fairly consistent with the majority rule that breach of a privacy policy is not actionable absent a showing of economic loss, and increased monitoring generally doesn’t qualify. In re JetBlue Airways Corp. Privacy Litigation is the seminal case, but many cases since have followed this route. In JetBlue, there was some discussion of whether a privacy policy even constitutes an enforceable contract in the first place, but ultimately, the court assumed that even if it constitutes a contract, a failure to allege damages is fatal. Cases since have included Pinero v. Jackson Hewitt, Bell v. Acxiom, and many many others.
17200 (UCL) Claim: The court ruled that recovery under California’s unfair competition statute is limited to individuals who suffer “actual losses of money or property.” Ruiz could not make a colorable argument that he was entitled to any restitution from Gap, so this claim was a loser.
California Constitution: There were two problems with Ruiz’s claim under the California constitution. First, cases have found that the breach must be egregious, and have yet to extend a cause of action under this theory to negligent or accidental conduct. Second, the court says Ruiz only alleges a “risk of privacy invasion, rather than an actual privacy invasion.” In the court’s eyes, the actual invasion only occurs when someone actually misuses the data which they obtained from Gap’s vendor.
Section 1798.85: Ruiz also brought a claim under California Civil Code 1798.85. The court ruled that, by its terms, this section only required a person or entity conditioning access to a website on the use of an individual’s social security number to also require the use of a password, a unique personal identification number, or an authentication device. Here, the social security number was not used to access the website of Gap’s vendor, so the section did not apply.
___
This is not a surprising result. The overwhelming majority of courts have rebuffed data breach claims brought by affected persons (particularly those that have been offered monitoring) on the basis that those individuals have not suffered any appreciable injury. While a few cases have taken a different legal route by holding that these plaintiffs lack Article III standing, the end result is always the same: No actual injury = no recovery (and risk of future identity theft does not equal cognizable injury).
This news is probably depressing to two groups of plaintiffs who recently sued Facebook: Robertson v. Facebook and Gould v. Facebook. Both of these lawsuits allege that Facebook improperly disclosed the user name and other information of Facebook users who accessed content on the web. Claims in both lawsuits are premised around Facebook’s violation of its privacy policy. As this case makes clear, the plaintiffs in these cases are unlikely to be able to show actual damages, and their breach of contract, negligence, and unfair competition claims are likely dead on arrival.
___
Eric’s comments: In the past few months, I’ve noticed a disturbing trend. Whenever Google or Facebook make a privacy gaffe, the plaintiffs’ lawyers go into full-tilt litigation mode. There have been too many complaints filed to blog them all, although I’ve been posting many of the complaints to my Scribd account. Unfortunately, Google and Facebook have made their lives harder by making too many unnecessary mistakes, but many of these mistakes are obviously inconsequential in the grand scheme of things. But the most disturbing thing is that so many plaintiffs’ lawyers seem completely uninterested in pleading how their clients suffered any consequence (negative or otherwise) from the gaffe at all. Their approach appears to be that the service provider broke a privacy promise, res ipsa loquitur, now write us a check containing a lot of zeros.
Although this case was designated non-published and therefore isn’t binding on the 9th Circuit, this case nevertheless illustrates that most of these plaintiffs’ lawyers are wasting their time and significant social resources with their poorly developed cases. Instead, if they truly believe the privacy gaffe is worth suing over, they should do the advance legwork to find at least one plaintiff representative who actually suffered some harm. If they can’t even do that, society would be better off if the lawyers redirected their energies elsewhere.