Ruiz v. Gap

Citation: Ruiz v. Gap, Inc., Case Number 09-15971 (9th Cir. Apr. 12, 2010).

Factual Background
Around September of 2007, two laptops were stolen from a Gap office in Chicago, which contained personal information and social security numbers for approximately 750,000 job applicants, including Plaintiff Ruiz, who had applied for a job online. Gap sent a letter to the affected individuals 11 days after the breach and offered 12 months of credit monitoring at no cost as well as advice regarding additional precautions to take. Ruiz did not accept Gap’s offer and brought a class action lawsuit against Gap and Vangent, Inc., the company contracted by Gap to process the online applications. The district court granted Gap’s motion to dismiss Ruiz’ claims for negligence, breach of contract, unfair competition, invasion of privacy, and violation of California Civil Code §1798.85 and the appellate court affirmed. The primary problem with Ruiz’ claims appears to be that his alleged harm from this situation did not rise to the level required under his causes of action and was only sufficient to give him standing. A claim for negligence in California requires (1) the existence of a duty to exercise due care, (2) breach of that duty, (3) causation, and (4) damages. Both the district court and the court of appeals held that to establish sufficient harm under California law, the damage must not be nominal, speculative, or a mere threat of future harm. Ruiz was unable to establish that his identity had actually been stolen or that he had expended any money on monitoring (or really that the credit monitoring offered by Gap was insufficient to protect him). Monitoring costs may have been sufficient, as they have been in cases dealing with exposure to toxic chemicals, but Ruiz had no such costs. Similarly, there was no harm required for a claim for breach of contract by Gap’s vendor or unfair competition against Gap. While California has recognized nominal damages for contract actions, damages must still be appreciable and actual rather than Ruiz’ claim for an increased likelihood of damage through identify theft now that his personal information has been exposed. A plaintiff alleging an invasion of privacy must establish each of the following: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy. This conduct must be “sufficiently serious in. . . scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right.” Hill v. Nat’l Collegiate Athletics Ass’n, 7 Cal. 4th 1, 26 Cal. Rptr. 2d 834, 865 P.2d 655, 657 (1994). While there is explicit requirement for intentional conduct, the appellate court noted that no California court has yet extended the application of this claim to a situation involving accidental or negligent conduct such as the case in the present matter. California Civil Code §1798.85 provides that a person or entity may not “[r]equire an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number of other authentification device is also required to access the Internet Web site.” Ruiz’ attempt to bring a claim under this section ignores the plain language of the code, which is clearly directed at the act of logging onto a website and not the transmission of information through a website for the purpose of applying for a job.