The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Plaintiff Joel Ruiz brought a putative class action against Gap, Inc. and its service provider Vangent, Inc. after a thief stole a laptop computer from Vangent containing unencrypted Social Security numbers and other personal information of Ruiz and approximately 750,000 other Gap job applicants. Shortly after the theft, Gap notified Ruiz and the other applicants of the breach and offered them 12 months of free credit monitoring and fraud assistance. Ruiz sought damages under various theories, including negligence (failure to exercise due care to protect the data) and breach of contract (breach of the security provisions of Gap’s contract with Vangent, under the theory that Ruiz was a third-party beneficiary of the contract).

Ruiz did not experience identity theft, but he claimed that the increased risk of identity theft supported his claims. With respect to the negligence claim, the Complaint stated, “Plaintiff and the Class have suffered damages; they have spent and will continue to spend time and/or money in the future to protect themselves as a result of Defendants' conduct,” and the contract claim was supported with nearly identical language. Defendants moved for summary judgment.

On the issue of standing, the court held that the increased risk of identity theft indeed constituted “an invasion of a legally protected interest which is (a) concrete and particularized ... and (b) actual or imminent, not conjectural or hypothetical” and that Ruiz met the basic threshold to bring a case in federal court. Unfortunately for the plaintiff, merely stepping through the proverbial courthouse door is not enough to win a case, and he did not get much further than that.

Dismissing the negligence claim, the court noted that Gap had already offered one year of credit monitoring and that any potential risk not mitigated by that monitoring did not amount to the sort of “appreciable, nonspeculative, present harm [that] is an essential element of a negligence cause of action” under California law.

The contract claim suffered the same fate, as the Court explained that “a breach of contract claim requires a showing of appreciable and actual damage,” and “[b]ecause Ruiz has not been a victim of identity theft, he can present no evidence of appreciable and actual damage as a result of the theft … .” Ruiz argued that the costs he independently paid for credit monitoring are compensable because they constitute his attempt to mitigate damages, but the court held that “Ruiz has no actual damages to mitigate since he has never been a victim of identity theft.”

Judgment was entered for the defendants.