A number of plaintiffs have brought actions following notification that their sensitive financial information had been disclosed during a security incident. Approximately 45 states including the District of Columbia now require that a party be informed when his/her sensitive information has been released. However, this exposure of someone’s identity, even when coupled with the cost to guard against identity theft, generally does not constitute a compensable injury sufficient to state a claim for negligence or for breach of contract. See, e.g., Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007); Ponder v. Pfizer, Inc., 522 F. Supp. 2d 793 (M.D. La. 2007); Hendricks v. DSW, 444 F. Supp. 2d 775 (W.D. Mich. 2006); Kahle v. Litton Loan Servicing LP, 486 F. Supp. 2d 705 (W.D. Ohio 2007); Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. Appx. 664 (9th Cir. 2007).[1]
In Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D. Cal. 2008), the Northern District of California, while granting in part the Defendants’ motion for judgment on the pleadings, allowed the plaintiff to proceed with a negligence claim under California law. The Court in Ruiz found that, in theory, “increased risk of identity theft” from a lost Social Security number was sufficient to state a negligence claim under California law. Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D. Cal. 2008). However, the Northern District of California subsequently granted the Defendant’s motion for summary judgment, finding that Plaintiff failed to provide evidence of any increased risk of identity theft. Ruiz v. Gap, Inc., et al., Case No. 07-5739 SC (April 2009).
The Plaintiff had submitted an expert report in support of his contention that he faced an increased risk of identity theft.
According to a study conducted by James Van Dyke in 2008, “of the 11% of Americans notified of a data breach in the last 12 months, 19% reported becoming victims of identity fraud in the last 12 months. In contrast, only 4.32% of all Americans reported becoming victims of identity fraud in the last 12 months, a difference reflecting over a four-to-one general increased likelihood that a data breach will lead to actual fraud victimization.” Id. ¶ 4. Based on Ruiz’s increased risk of identity theft, and the reasoning of several federal courts including the Seventh Circuit, the Court finds that Ruiz has standing to bring this suit.
Ruiz v. Gap, Inc., et al., Case No. 07-5739 SC at page 8.
The expert report in this case contradicts a June 2007 GAO Report entitled “PERSONAL INFORMATION: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown.” This report reviewed the 24 largest breaches reported in the media from January 2000 through June 2005:
- The GAO report found 3 instances where there was evidence of resulting fraud on existing accounts, and in only one instance of the 3 identified cases did the GAO find evidence of unauthorized creation of new accounts;
- For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and
- In the remaining two cases there was not sufficient information to make a determination.
The GAO concluded (in part) that requiring affected consumers to be notified of a data breach may encourage better security practices and help mitigate potential harm; however, it also presents certain costs and challenges:
- At the same time, breach notification requirements have associated costs, such as expenses to develop incident response plans and identify and notify affected individuals; and
- Further, an expansive requirement could result in notification of breaches that present little or no risk, perhaps leading consumers to disregard notices altogether.
Consistent with the GAO report, the Plaintiff’s case had significant weaknesses:
- First, the Plaintiff was offered but failed to apply for the free credit monitoring service offered by the Defendant;
- Second, according to the police report, the theft appeared to be a property crime and not a targeted attack to obtain sensitive data of Gap employees; and
- Finally, the Plaintiff had not been the victim of identity theft.
While most courts have held that the purchase of credit monitoring in response to a security breach does not constitute either actual damages or a cognizable loss, the fact that Plaintiff was offered credit monitoring services in this case and failed to take advantage of the service was significant. See Hendricks v. DSW, 444 F. Supp. 2d 775, 782 (W.D. Mich. 2006); Kahle v. Litton Loan Servicing LP, 486 F. Supp. 2d 705 (W.D. Ohio 2007); Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007); Ponder v. Pfizer, Inc., 522 F. Supp. 2d 793 (M.D. La. 2007); Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. Appx. 664 (9th Cir. 2007).
[1] In Pisciotta, a third-party computer hacker obtained access to the confidential information of tens of thousands of Bancorp users. Id. at 631. Because the plaintiffs did not allege any completed direct financial loss to their accounts as a result of the breach, nor did they claim that they or any other member of the putative class already had been the victim of identity theft as a result of the breach, the appellate court (affirming the district court’s decision) concluded that the plaintiffs’ claims failed as a matter of law because they had not alleged a cognizable injury. Id. at 632, 640. In Ponder, files stored in a laptop containing data on the names, social security numbers, and addresses of Pfizer employees became exposed to outsiders. Ponder, 522 F. Supp. 2d at 794. The plaintiff, suing on behalf of a class, claimed that the plaintiffs suffered or will potentially suffer damages in the form of economic and other losses as a result of Pfizer’s actions. Id. at 795. Plaintiff’s complaint did not allege that he suffered any actual damages, i.e., that someone actually used the disclosed information to his detriment. Id. at 797.