N.D. Cal. Rebuffs Gap Data Breach Plaintiffs
Tom O'Toole at BNA Tech TechLaw posts on a recent federal trial court decision rejecting claims brought by plaintiffs who suffered "data exposure" when a laptop containing the personal information of approximately 750,000 Gap job applicants was stolen. (He calls this one of the more "illuminating" data breach opinions: [pdf] link. The order is very readable and well worth a read. It's illuminating, but I'm not sure it provides plaintiffs with much more of a roadmap to recovery.)
Background: There have been a slew of laptop thefts in recent years where the laptop contains personal information, typically (more recently) employee information. The employer or service provider offers data monitoring services (12 months) and notifies the affected parties. Unsatisfied, plaintiffs sue. Result? Denied. (Previous post here discussing this topic. Discussion of ongoing Starbucks laptop/data breach lawsuit here.) Courts have uniformly rejected claims by plaintiffs who cannot point to out-of-pocket damages (other than monitoring) which they suffered as a result of the data breach. In other words, the harm is not in the exposure of the information, but in its subsequent misuse.
The Court's Analysis: The court's analysis is very readable. Judge Conti first concludes that plaintiff (plaintiff had a motion for class cert. pending) has standing based on "increased risk of identity theft." However, this is separate from actually stating a claim for damages. On the issue of whether plaintiff states a cognizable negligence claim, the court finds that the evidence provided (and the risk of ID theft) "does not rise to the level of appreciable harm necessary to assert a negligence claim under California law." Unlike other courts, this court actually articulates a standard for when recovery may be appropriate. According to the court, if plaintiff presented evidence that there was "significant exposure of his personal information," this may be sufficient to state a claim. [VB: So the theft of the laptop doesn't constitute "exposure," I'm guessing?] The court notes that there's no such evidence here. It wasn't clear whether the plaintiff argued that increased monitoring constituted damages, but the court quickly rebuffs this argument anyway, noting that the plaintiff failed to utilize the free monitoring provided by Gap. The court also quickly disposes of the ancillary claims: (1) a third-party contract claim as third-party beneficiary to the Gap-service provider contract, and (2) a statutory claim based on a statute which restricted when a website operator could require a social security number to "access" a website.
What to Make? At first glance I was inclined to think that Judge Conti's order was a sliver of light at the end of the data breach tunnel, but I'm not so sure. I think he articulates the issue in a slightly more nuanced fashion, but at the end of the day, if you can't show that someone actually used your information after the compromise, you are out of luck. (This is really the same result other courts have reached.) There's a lawsuit pending in Washington over a Starbucks laptop theft/data breach. I'm curious to see how the result pans out here. California is obviously a plaintiff-friendly state. My instinct is to say "if you can't win in California, you may as well pack up and go home," but that would be over-generalizing. (NB: here's the one 9th Cir. data breach case I'm aware of: Stollenwerk v. Tri-West (discussed by the court on page 11).)
Practical Takeaways? (1) Outsourcing data-related functions is risky; investigate your service provider well. (2) I'm not sure any amount of due diligence could have really prevented this (here the compromise occurred because entry was gained by theft). (3) Offering monitoring and notification is key.