Updating a prior post, the Ninth Circuit, in Ruiz v. Gap, Inc., recently upheld a dismissal on summary judgment on the grounds that the mere risk of identity theft is too speculative of an injury to substantiate a cause of action based on negligence. See Ruiz v. Gap, Inc., No. 09-15971, 2010 WL 2170993 (9th Cir. May 28, 2010)
As background, Plaintiff, Mr. Joel Ruiz, submitted an online job application to work in a Gap store. As part of the application, Ruiz provided his social security number. Gap later disclosed that laptops were stolen from Vangent, the vendor with whom Gap had contracted for recruiting purposes. The laptops contained Ruiz’s unencrypted personal information, along with the information of nearly 800,000 other Gap job applicants.
Ruiz filed a putative class action alleging, among other things, negligence and violation of California Civil Code § 1798.85. Ruiz later amended his complaint to bring a breach of contract claim against Vangent. As discussed in a prior post, the court previously denied a motion to dismiss on the negligence claim. However, defendants were granted summary judgment on the negligence claim after discovery had done little to cure its speculative nature. See Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009). The court held that an increased risk of identity theft did not constitute “the level of appreciable harm necessary to assert a negligence claim under California law.” Id. at 913.
In the opinion, the Ninth Circuit held that while the increased risk of identity theft created sufficient concern to grant plaintiff Article III standing, the alleged injury was still too speculative to sustain a negligence claim under California law. See Ruiz v. Gap, Inc., No. 09-15971, 2010 WL 2170993, at *1 (9th Cir. May 28, 2010). “It is fundamental that a negligent act is not accountable unless it results in injury to another.” Id. Notably, the court refrained from answering whether money spent on credit monitoring, as the result of personal information theft, supported a negligence claim. Id. However, the court included a footnote citing authority in favor of awarding medical monitoring costs, thus suggesting that it might be inclined to draw a parallel between these issues in the future. Id. at n1.
The Ninth Circuit also upheld the district court’s dismissal of Ruiz’s claims under CAL. CIVIL CODE § 1798.85. Id. at *3. That section disallows requiring “an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the [site].” Id. Ruiz alleged that Gap and Vangent violated this statute by requiring him to use his social security number to submit his online job application. Id. In upholding the district court’s dismissal of this claim, the Ninth Circuit reasoned that the “plain language of § 1798.85(a)(4) is directed to the initial act of logging onto a website, rather than as information that is subsequently requested….” Id. Therefore, Gap’s policies did not violate the statute.
This opinion is the latest in a growing body of case law holding that the mere fear and risk of identity theft is an insufficient injury to support a cause of action, such as negligence or breach of contract. It is especially beneficial from a defense counsel perspective because it provides binding authority based in California law, which is a well-known hotbed for class actions in this area.