Tort Liability from Data Thefts: The Race is to the Swift
A thief breaks into the corporate headquarters of your digital media company and steals a laptop. He uses the laptop to gain access to your customers' files, and gleans sensitive information, including their driver's license data, social security numbers and bank account data. Can you be liable to customers for this theft? The answer, at present, is theoretically "yes", but in many cases, "no" -- if you take the right steps.
Many states have statutes protecting personal information of consumers. For example, the California Civil Code requires businesses to: (i) destroy personal information when it is no longer to be retained by the business; (ii) "implement and maintain reasonable security procedures" to protect personal information from unauthorized access; (iii) disclose any breach of security which has caused disclosure of personal information, and (iv) disclose any personal information provided to third parties on the consumer's request. (Fn 1) The Civil Code provides that a customer may sue to recover damages, as well as injunctive relief, for any violation of these rules. (Fn 2)
So if a thief steals your customer data, and your failure to meet these standards causes your customers to suffer losses -- yes -- you can be found liable.
But, while these laws have been on the books for about five years, they do not seem to have resulted in a lot of large judgments. There are no reported appellate cases directly dealing with any of them and few unreported court orders mention them.
One reason for this may be the sheer economics of consumer rights litigation. Most consumer rights cases involve small dollars. Because the plaintiff generally must bear his own attorneys' fees, few cases hold the promise of a sufficiently large recovery to warrant paying the fees to win the case. This is why the real action in consumer rights cases is in consumer class actions. Combining thousands or millions of cases together can yield sufficient damages to justify the attorney time expended. In addition, bringing a case as a class action may give plaintiffs an argument that they are also entitled to an attorney fee award under state statutes awarding fees for actions taken in the public interest or in defense of civil rights. (Fn 3)
However, even data theft cases brought as class actions have faced significant hurdles. This is mainly because the lead plaintiffs have often been unable to allege actual injuries resulting from the cyber security breach.
A recent case in point is Ruiz v. Gap, Inc., a class action brought in the Northern District of California. (Fn 4) In September 2007, the clothing chain Gap discovered that two laptop computers, containing personal information from 800,000 job applicants, had been stolen from one of its recruiting vendors. The data included the job applicants' names, social security numbers, addresses and other personal information. To remedy the situation, Gap offered to provide twelve months of credit monitoring and fraud assistance without charge.
Rejecting this offer, Ruiz sued on behalf of all the applicants. His complaint noted that California and other state legislatures had "impose[d] proactive obligations on companies to maintain reasonable security measures to protect personal information of consumers", such as the statutes cited above. Ruiz's complaint named several causes of action, including negligence, based on Gap's alleged failure to take adequate measures to safeguard the personal information of its applicants. Ruiz sought damages for these breaches, as well as attorneys' fees.
On April 6, 2009, Northern District of California Judge Samuel Conti granted summary judgment, dismissing the suit. In his ruling, Judge Conti first addressed an issue which has often proved fatal to other cyber security breach suits -- standing. Judge Conti noted that for the Court to consider the suit, there must be an injury-in-fact. In many "lost data" cases, courts have held that plaintiffs suffered no injury from the mere loss of the data itself, reasoning that an increased risk of loss still isn't a loss. However, a number of more recent cases have begun to find that, at least for the purpose of determining standing, "the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the patient only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's action." (Fn 5) Adopting this reasoning, Judge Conti held that because Ruiz faced an increased risk of identity theft, he met the standing requirement.
However, while having successfully leaped over the "harm" hurdle necessary to get standing, Ruiz tumbled over the "harm" hurdle necessary to sustain his negligence cause of action. According to Judge Conti, "while Ruiz has standing to sue based on his increased risk of future identity theft, this risk does not rise to the level of appreciable harm necessary to assert a negligence claim . . ." To support his damages claim, Ruiz relied on cases such as Potter v. Firestone, in which California courts had allowed damages for future medical monitoring after plaintiffs were exposed to toxic substances. (Fn 6) Judge Conti found this analogy inapposite. In Potter, to get medical monitoring damages, a plaintiff must show that "the need for medical monitoring is a reasonably certain consequence of the plaintiff's toxic exposure." Here, Judge Conti found that Ruiz had "presented no evidence that there was a significant exposure of his personal information" and "no evidence that he has become a victim of identity theft." In other words, because the data theft did not result in his personal information being transferred to third parties or in actual losses, Ruiz was out of luck.
The take-away from cases such as Ruiz is that a business can limit its tort exposure from data thefts by taking the right actions before and after a data loss. Before a data loss, a company should implement appropriate measures to prevent such losses. After a data theft, a company should act as quickly as possible to stop the thieves from transferring the data to third parties and to prevent actual dollar losses to its consumers. A business also needs to comply with state laws requiring prompt disclosure of data losses.
On the other hand, if a business responds languidly to a data theft, and the data thieves are able to cause customers to lose money, the tort damages could be significant.
David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.
Notes:
Fn 1 California Civil Code Sections 1798.80, 1798.81, 1798.81.5, 1798.82, 1798.83.
Fn 2 Id. at 1798.94.
Fn 3 See, e.g., California Code of Civil Procedure § 1021.5.
Fn 4 Ruiz v. Gap, Inc., U.S. District Court, Northern District of California, Case No. 07-5730.
Fn 5 See Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007).
Fn 6 Potter v. Firestone Tire & Rubber Co., 6 Cal. 4th 965, 1009 (1993).
