A recent ruling by the 9th Circuit Court of Appeals is the latest in a series of cases where individuals whose personal information was involved in a data breach were unable to successfully pursuit causes of action due to the lack of actual harm suffered by the data breach victims. In this case, Ruiz v. Gap, Inc., the plaintiff had submitted personal information as part of an online employment application to Gap. Two laptops belonging to Vangent (a contractor providing job application processing services to Gap) were stolen from the contractor's offices. The laptops contained data on some 750,000 Gap job applicants, including Ruiz, and he filed a lawsuit in California against Gap and Vangent alleging negligence, breach of contract, and various other California regulations. The Northern District Court granted defendants' motion for summary judgment and rejected Ruiz's claims, noting that while the potential future harm he faced, such as increased risk of identity theft, was sufficient to give standing to sue, the lack of proof of any actual injury due to the theft of his personal information meant the case failed to meet the standard of appreciable harm necessary to bring a cause of action for negligence under California law. The 9th Circuit affirmed the District court's ruling.
The ruling in Ruiz v. Gap follows a recent trend in personal privacy lawsuits where the parties responsible for breaches of personal information are not subject to private rights of action unless the plaintiffs can prove harm resulted from the breach. It should be noted that the fact that organizations escape potential civil liability in such cases does not mean that they cannot be fined or even criminally prosecuted under state or federal privacy statutes, where such laws exist. A similar dichotomy exists in federal health data breach rules, where liability for individuals and even requirements for organizations suffering breaches to disclose them hinge on the determination of harm due to the breach. Even where organizations assert that no risk of harm to individuals exists, the organizations can still be held liable for violating provisions of the HIPAA Privacy Rule, and even be subject to criminal prosecution if the breaches were the result of willful negligence. As the Ruiz ruling shows, the problem in these cases for individual plaintiffs is not the privacy laws per se, but the tort law requirements for negligence or other causes of action. The legal precedents shown in these cases (and described in detailed case law citations in the Northern District court's order of summary judgment) suggest that privacy regulations and data disclosure laws may not be the best legal avenue for plaintiffs suing Facebook over its privacy practices or in the ever-rising number of lawsuits being filed against Google for the wireless data collection activities it conducted in its Street View program. In the case of Google and Street View, plaintiffs seem to be focusing on the company's alleged violation of federal wiretapping laws, rather than asserting privacy violations or breaches of personal information.
Bejtlich Teaching at Black Hat USA 2014
11 hours ago