Data Breach: Identity Theft Risk Insufficient to Support Claims

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Plaintiff Joel Ruiz brought a putative class action against Gap, Inc. and its service provider Vangent, Inc. after a thief stole a laptop computer from Vangent containing unencrypted Social Security numbers and other personal information of Ruiz and approximately 750,000 other Gap job applicants.  Shortly after the theft, Gap notified Ruiz and the other applicants of the breach and offered them 12 months of free credit monitoring and fraud assistance.  Ruiz sought damages under various theories, including negligence (failure to exercise due care to protect the data) and breach of contract (breach of the security provisions of Gap’s contract with Vangent, under the theory that Ruiz was a third-party beneficiary of the contract).

Ruiz did not experience identity theft, but he claimed that the increased risk of identity theft supported his claims.  With respect to the negligence claim, the Complaint stated, “Plaintiff and the Class have suffered damages; they have spent and will continue to spend time and/or money in the future to protect themselves as a result of Defendants' conduct,” and the contract claim was supported with nearly identical language.  Defendants moved for summary judgment.

On the issue of standing, the court held that the increased risk of identity theft indeed constituted “an invasion of a legally protected interest which is (a) concrete and particularized ... and (b) actual or imminent, not conjectural or hypothetical” and that Ruiz met the basic threshold to bring a case in federal court.  Unfortunately for the plaintiff, merely stepping through the proverbial courthouse door is not enough to win a case, and he did not get much further than that.

Dismissing the negligence claim, the court noted that Gap had already offered one year of credit monitoring and that any potential risk not mitigated by that monitoring did not amount to the sort of “appreciable, nonspeculative, present harm [that] is an essential element of a negligence cause of action” under California law.

The contract claim suffered the same fate, as the Court explained that “a breach of contract claim requires a showing of appreciable and actual damage,” and “[b]ecause Ruiz has not been a victim of identity theft, he can present no evidence of appreciable and actual damage as a result of the theft … .”  Ruiz argued that the costs he independently paid for credit monitoring are compensable because they constitute his attempt to mitigate damages, but the court held that “Ruiz has no actual damages to mitigate since he has never been a victim of identity theft.”

Judgment was entered for the defendants.
 

Belgian Criminal Court Fines Yahoo for Non-Disclosure of Personal Data to Public Prosecutor

On 2 March 2009, a Belgian Criminal court (Tribunal correctionnel de Termonde, No. DE 20.95.16/08/25) fined Yahoo! Inc. €55,000 ($71,745) for refusing to disclose to a Belgian Public Prosecutor the personal data of its e-mail users who were under criminal investigation for fraud. The Criminal court also imposed a daily penalty fee of €10,000 ($13,045) in case of non-compliance with the judgment.  This decision was reached despite Yahoo!’s argument that Belgian law did not apply because the company does not maintain a legal entity in Belgium and does not store any customer data in Belgium.

In the context of a criminal investigation for fraud, the Belgian Public Prosecutor of Termonde had requested the disclosure of detailed account information to identify e-mail users using pseudonyms on their Yahoo! e-mail accounts.  Yahoo! refused to disclose such information. The Belgian Criminal court held that Yahoo! had violated Article 46bis of the Belgian Code of Criminal Procedure (Code d’instruction criminelle), which imposes on electronic communication service providers a duty to cooperate with a Public Prosecutor and to provide the identity of their users when requested by a Public Prosecutor in the course of a criminal investigation.

As mentioned above, Yahoo! argued that Belgian law did not apply because there is not a Yahoo! legal entity in Belgium and Yahoo! does not store any customer data in Belgium. Furthermore, Yahoo! argued that the Belgian Public Prosecutor had failed to issue a formal request in accordance with the procedures established by the Treaty on Mutual Legal Assistance on Criminal Matters, signed between the United States and Belgium on 1 January 2000. Following the ruling, Yahoo! appealed the judgment of the Criminal court on 3 March 2009.