No Harm, No Foul; Ninth Circuit Affirms Dismissal of Data Breach Case Against The Gap
Written by Kevin McGinty
It’s a distressingly common scenario. A corporate laptop containing job applicant data, including social security numbers, is stolen from an employee who has taken the laptop off of corporate premises. Access to the social security numbers makes it possible for wrongdoers to engage in identity theft. Is an applicant’s fear that data will be misused enough to support claims for negligence and breach of contract against the company? The federal Ninth Circuit Court of Appeals has joined a growing number of courts in answering that question in the negative. In Ruiz v. Gap, Inc., the court held that California law requires actual damages to support claims for negligence and breach of contract, and that time and effort that the applicant allegedly expended to monitor for identity theft were insufficient to constitute actual damages. The court reached similar conclusions as to the claim under California’s consumer protection statute and, significantly, the claim for invasion of privacy. As to the latter, the court ruled that increased threat of a breach of privacy does not constitute an actual invasion of privacy.
None of this is to say that a company is immune from state law liability and can simply elect to do nothing when a data breach occurs. Although not detailed in the Ninth Circuit’s decision, The Gap took affirmative steps to protect applicants from potential harm arising from theft of their data. Not only did The Gap notify the applicants about the theft of the computer containing their personal information, but it also offered to provide twelve months of credit monitoring and fraud assistance without charge, plus $50,000 worth of identity theft insurance. The lesson of the Ruiz decision is that companies that do take reasonable steps to mitigate against potential misuse of stolen data will have a strong defense against further liability. It also reinforces the commonsense proposition that has bedeviled many attempts to parlay data breaches into class actions – the mere threat of bad consequences is not the same as actually suffering bad consequences. Thieves generally steal computers because they want the hardware, not the data. The loss of a computer containing personal data does not inevitably mean that such data will be misused. As such, claims arising from data breaches are unlikely to succeed unless there has also been identity theft and resulting adverse consequences for individuals whose identities have been stolen.
Kevin M. McGinty
Kevin is a member in the firm's Boston office whose practice is concentrated in complex corporate and class action litigation. Kevin chairs the firm's Class Action Working Group and has experience defending consumer, antitrust, unfair trade practice, contract, mass tort and employment class actions.