Feeds

Appeals court absolves firm that exposed man's SSN

No harm, no foul

Designing a Defense for Mobile Applications

A man whose social security number and other personal data were exposed by a company that processed his job application has no legal claims because no actual damage resulted from the privacy breach, a federal appeals court has ruled.

The decision, issued late last week by the Ninth US Circuit Court of Appeals, is likely to make life more difficult for people suing Facebook and other companies in California for not adequately protecting user information. It upheld a lower court ruling that said the mere possibility of damage and the cost of monitoring credit reports didn't count as the harm needed to bring a lawsuit under laws in the state.

The case arose from the theft of one or more laptops from Vangent, a company that processed job applications for clothing retailer The Gap. We're guessing it's the same mega breach The Gap reported in late 2007 warning that sensitive information for more than 800,000 individuals was exposed when laptops with unencrypted contents were stolen.

Applicant Joel Ruiz sued the two companies for a raft of violations, including negligence, breach of contract, unfair competition and invasion of privacy. But the federal judge hearing the case rejected each cause of action on the grounds the plaintiff failed to state actual damages that resulted from the breach.

“No one can doubt that those individuals whose private information was potentially exposed by the theft of the laptop have reason to be aggrieved and concerned,” the three-judge panel for the appeals court wrote in its decision. “However, the sole question for us is whether the district court properly analyzed the legal claims raised by Ruiz. We conclude that it did.”

The ruling largely echoes decisions by other courts, including a case against online prescription drug processor Express Scripts, which leaked highly sensitive subscriber information. Under the statutes invoked in the cases, plaintiffs were required to show actual damage arising from the breaches, rather than the speculation, however well founded, that they are more susceptible to harm, the courts have in essence ruled.

Last week's decision is evidence that appeals courts are inclined to agree with that reasoning. And according to The Technology & Marketing Law Blog that isn't likely to fare well for two separate lawsuits pending against Facebook for sharing users' personal information with advertisers despite assurances such information would never be shared without explicit permission.

“Both of these lawsuits allege that Facebook improperly disclosed the user name and other information of Facebook users who accessed content on the web,” blogger Venkat Balasubramani wrote. “Claims in both lawsuits are premised around Facebook's violation of its privacy policy. As this case makes clear, the plaintiffs in these cases are unlikely to be able to show actual damages, and their breach of contract, negligence, and unfair competition claims are likely dead on arrival.”

The virtual immunity companies have when they lose your data is worth remembering the next time one of them makes solemn promises that your data is safe with them. They may sound assuring, but when push comes to shove, they don't mean very much. Just ask Joel Ruiz. ®

Securing Web Applications Made Simple and Scalable

More from The Register

next story
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Delaware pair nabbed for getting saucy atop Mexican eatery
Burrito meets soft taco in alleged rooftop romp outrage
LightSquared backer sues FCC over spectrum shindy
Why, we might as well have been buying AIR
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.