The Ruiz v. Gap, Inc. et al. decision, rendered earlier this week by a federal court in California, is another in a long series of cases dismissing lawsuits brought by data-breach victims who cannot show that they have actually suffered identity theft and actual damages. In this case, the plaintiff was an applicant for employment at The Gap whose personal information was compromised when two laptops belonging to Vantage, Inc., the company that processed job applications for The Gap, were stolen.
Going along with the vast majority of courts to date, the Ruiz court held that, although the plaintiff faced an increased risk of future identity theft, that risk alone did not rise to the level of appreciable, non-speculative harm necessary to sustain a negligence claim. In addition, the court held that the lack of proof of actual damages was fatal to the plaintiff’s claim that he was a third-party beneficiary of the agreement between The Gap and Vantage.
Though The Gap was able to get off the hook in this civil litigation, it undoubtedly spent large sums of money on the notifications it sent to the 750,000 applicants whose personal information was put at risk, as well as on the twelve months of credit monitoring with fraud assistance that it offered to those applicants. And, of course, that does not begin to account for the attorney fees expended in defending the lawsuit. Ruiz and cases like it have been dismissed because the plaintiffs were unable to establish any actual damages resulting from the data breach, but at some point plaintiffs who have actually suffered identity theft traceable to a breach will begin filing cases, and those cases will be more difficult and costlier to defend.
In addition, employers should not lose sight of the potential for FTC enforcement actions or suits brought by state attorneys general. Though the FTC is targeting primarily high-profile, large-scale consumer cases, the agency recently entered into a consent order with CVS Caremark to settle charges that the company had failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law.
The Ruiz case highlights employers’ need to carefully control and monitor their vendor relationships to ensure that those vendors are taking all necessary precautions to protect the personal information of applicants and employees. Here, The Gap’s vendor appears to have been requiring employment applicants to provide their Social Security numbers at the time of their initial applications. At that early stage in the process, however, Social Security numbers generally are not necessary and, in fact, do not become necessary until the employer decides to conduct background checks on specific applicants; data that is never collected cannot be lost in a theft. The vendor then compounded the problem by not having, or not enforcing, a policy requiring that the personal information stored on the laptops be encrypted. That distinction matters in practice: a stolen laptop whose disk is fully encrypted is a lost piece of hardware, whereas a stolen laptop holding unencrypted applicant records is a reportable breach of every record on it.
Because the potential always exists that vendors may not be securing applicants’ or employees’ personal data, employers that outsource human resources functions should ensure that their vendor agreements require the vendor to maintain appropriate safeguards for the privacy and security of any personal data obtained in the course of providing their services, including collecting only the data needed at each stage of the process and encrypting personal data stored on laptops and other portable devices. Vendor agreements likewise should include indemnification provisions that protect the employer if it becomes necessary to respond to, and defend itself in, litigation arising from a data breach caused by the vendor.