On April 6, 2009, the U.S. District Court for the Northern District of California in Ruiz v. Gap, 2009 WL 941162 (N.D. Cal. Mar. 24, 2008) held that the increased risk of identity theft arising out of a data breach is sufficient to establish constitutional standing to sue for the breach, but is insufficient to maintain a negligence claim under California law.
Ruiz was among a group of persons whose personal information was on laptops stolen from Gap. It was unknown whether the laptops were stolen for their intrinsic value or for the value of the data on the laptops. Gap notified Ruiz of the security breach and offered him a year's worth of credit monitoring at no cost. Ruiz was not the victim of identity theft as a result of the stolen laptops, but later brought suit against Gap for negligence and several other state law causes of action. After discovery, Gap moved for summary judgment on Ruiz's negligence claim.
On the threshold issue of standing, the court found that Ruiz had established the “irreducible constitutional minimum” of an injury-in-fact. Noting that courts were in disagreement on the issue, the court found that Ruiz had suffered an injury-in-fact based on a general increased likelihood that the stolen laptop would lead to his identity being stolen. Ruiz established this “injury” through expert opinions that indicated that there is “a four-to-one general increased likelihood that a data breach will lead to actual fraud victimization.”
The court, however, found that the increased likelihood of identity theft did not rise to the level of appreciable harm necessary to assert a negligence claim under California law. Ruiz’s negligence claim hinged on his contention that his case was analogous to cases under California law in which courts allowed recovery for future medical monitoring after persons were exposed to toxic substances. The court held that the analogy to medical monitoring cases was misplaced because those cases were based on protecting a public health interest, a concern which is not present in lost data cases.
The court also noted that even if it were to apply the rationale of the medical monitoring cases, Ruiz would be unable to maintain his negligence claim because he would be required to present evidence to establish a “significant exposure of his personal information.” The court found that Ruiz had not shown that there was an actual exposure of his personal information, much less that it was significant and extensive.