Another "Victory" on the Issue of "Damages" in a Security Breach Negligence Case

As has been reported on this blog previously (here and here), many courts that have considered the issue of damages in a security breach scenario involving personal information have concluded that taking pre-emptive actions (such as purchasing credit monitoring services) do not amount to "damages" for purposes of a negligence claim. Some chinks, however, have begun to develop in the "damages" armor used by defendants in security breach negligence cases. A recent decision sets forth another possible theory of liability to get a plaintiff at least beyond a motion to dismiss.In Ruiz v. Gap, 07-5739 (N.D. Cal. 2008), a class of plaintiffs sued the Gap alleging that their unencrypted personal information resided on one of two laptops stolen from one of the Gap's vendor (the personal information of approximately 800,000 Gap job applicants was stored on the laptops). The Gap offered the plaintiffs 12 months of credit monitoring services and fraud assistance without charge, as well as access to $50,000 worth of identity theft insurance. The Ruiz court analyzed the plaintiffs' complaint to determine whether the plaintiff properly alleged an "injury in fact" for purposes of standing and the issue of damages with respect to the plaintiffs' negligence claim. In particular, the court noted that the plaintiffs had merely alleged that they were at "an increased risk of identity theft" and did not allege that their identity had been stolen. The court noted that the plaintiffs' allegations seemed "conjectural or hypothetical, rather than actual or imminent," and that there was nothing else to allow the court to determine that the risk was actual, imminent or credible. Nonetheless, the court presumed that the general allegations embraced the specific facts supporting them and denied the motion to dismiss. The court did, however, issue a warning to the plaintiffs indicating that if it became apparent that their allegation of injury was too speculative or hypothetical the plaintiffs' case may be dismissed later in the proceeding. In addition, the court noted that the extent of recoverable damages was unclear even if the plaintiffs were to prevail on a negligence claim. Unfortunately, as with other negligent security cases allowing plaintiffs to proceed past a motion to dismiss, the court did not provide a highly developed legal rationale to support its decision. In this case it appears that the court simply accepted on its face that the alleged "increased risk of identity theft" constituted an injury. It went further and allowed the negligence claim to proceed even though no specific facts were alleged supporting that the plaintiffs were at increased risk. For the time being at least, it appears to be another small chip off the damages security breach defense rationale.