Joel Ruiz v. Gap, Inc., et al.
Case No. 07-5739 SC (N.D. Ca., March 24, 2008).
Court allows job applicant to proceed with putative class action, arising out of the theft of two laptop computers containing personal information, including social security numbers, provided to the Gap by job applicants, including plaintiff. The Court held that plaintiff had sufficiently alleged that he sustained the requisite injury in fact needed to confer standing to pursue such claims by alleging that he was at increased risk of identity theft as a result of the theft of these laptops. Notably, the Court reached this conclusion notwithstanding the fact that plaintiff’s identity had not, as of the filing of the complaint, actually been stolen.
The Court further held that plaintiff had validly pled negligence claims arising out of the theft of the laptops, by alleging that the Gap had breached its duty to plaintiff to take adequate steps to protect the confidential information he and other job applicants provided.
The Court also held that plaintiff had pled a valid claim under California Civil Code Section 1798.85, which prohibits website operators from requiring users to supply their social security numbers to access a website unless a password or other authentication device is also required to access the site. The Court noted, however, that such a claim would fail if the job applicant was only required to provide his social security number to submit his job application, and not to access a website.
The Court did dismiss so much of plaintiff’s complaint as asserted claims for bailment, violations of California Business and Professions Code Section 17200, which prohibits unfair competition, and invasion of privacy, arising out of the theft of the laptops at issue.
Plaintiff applied online for a position at one of defendant Gap’s stores. As part of this job application process, plaintiff supplied the Gap with personally identifiable information, including his social security number. In or about September 2007, two laptops containing personal information of approximately 800,000 Gap job applicants, including social security numbers, were stolen from a third-party vendor with whom the Gap had contracted for recruitment purposes. The information on the laptops was apparently not encrypted. The Gap notified the plaintiff and offered to provide both twelve months of credit monitoring and $50,000 of identity theft insurance, in exchange for plaintiff’s agreement to waive his right to a jury trial should the credit monitoring fail to prevent the theft of his identity.
Rejecting this offer, plaintiff commenced this putative class action, claiming that he was at increased risk for identity theft as a result of defendant’s conduct. Notably, at the time of suit, plaintiff’s identity had not in fact been stolen.
The Gap moved to dismiss, asserting that plaintiff lacked standing to pursue a claim. To have standing, a plaintiff must show that he has suffered an injury in fact, that there is a causal connection between this injury and defendant’s conduct, and that it is likely that the injury will be redressed by a favorable decision. The Gap argued that the alleged increased risk of identity theft, without more, was insufficient to constitute the requisite injury in fact needed to confer standing to prosecute this action. The Court rejected this argument, holding that at the pleading stage, this was sufficient to meet the requirement of injury in fact. The Court accordingly denied defendant’s motion to dismiss on lack of standing grounds.
The Court also denied defendant’s motion to dismiss plaintiff’s negligence claim. The Court held that plaintiff had pled a valid negligence claim by alleging that defendant had failed to take adequate steps to protect the personally identifiable information entrusted to it by job applicants. The Court rejected defendant’s challenge to this claim on the ground that plaintiff had failed to allege that the purported breach of this duty caused plaintiff injury, a prerequisite to a valid negligence claim. As with standing, the Court held that plaintiff was not required to allege more than that he was at increased risk of identity theft as a result of defendant’s conduct. The Court did caution plaintiff, however, that it was not at all clear what damages he would be able to recover if he eventually prevailed on this claim.
The Court also allowed plaintiff to proceed with a claim under California Civil Code Section 1798.85. This statute prohibits a website operator from requiring an individual to use a social security number to access a website “unless a password or unique personal identification number or other authentication device is also required to access the Internet website.” The Court held that plaintiff had stated a valid claim under this statute, because he alleged that he was required to enter his social security number, without a password, to use the Gap’s online job application process. The Court warned, however, that it would dismiss this claim “if further evidence reveals that [plaintiff’s] social security number was necessary only to submit his application, and was not required to access any website…”.
The Court did dismiss the remaining claims asserted by plaintiff as a result of the theft of the laptops at issue. Plaintiff’s bailment claim failed because plaintiff did not deliver personal property to the Gap, a prerequisite to such a claim. The Court held that a social security number was not such personal property. Plaintiff’s bailment claim also failed because the Gap was not alleged to have been involved in the theft at issue. Plaintiff’s unfair competition claim, advanced under California Business and Professions Code Section 17200, similarly failed. To assert such a claim, a plaintiff must show that it has “lost money or property as a result of” the unfair competition giving rise to such claim. Because the unauthorized release of personal information does not constitute a loss of personal property, this claim failed.
Finally, the Court dismissed plaintiff’s invasion of privacy claim. To sustain such a claim under the California State Constitution, a plaintiff must show “(1) a legally protected privacy interest, (2) a reasonable expectation of privacy and (3) conduct by defendant constituting a serious invasion of privacy.” The Court held that the increased risk of identity theft, and the manner in which it was allegedly created, did not constitute “an egregious breach of the social norms underlying the privacy right” and as such, did not constitute an invasion of plaintiff’s right of privacy.