Appeals court absolves firm that exposed man's SSN
No harm, no foul
A man whose social security number and other personal data were exposed by a company that processed his job application has no legal claims because no actual damage resulted from the privacy breach, a federal appeals court has ruled.
The decision, issued late last week by the Ninth US Circuit Court of Appeals, is likely to make life more difficult for people suing Facebook and other companies in California for not adequately protecting user information. It upheld a lower court ruling that said the mere possibility of damage and the cost of monitoring credit reports didn't count as the harm needed to bring a lawsuit under laws in the state.
The case arose from the theft of one or more laptops from Vangent, a company that processed job applications for clothing retailer The Gap. We're guessing it's the same mega breach The Gap reported in late 2007 warning that sensitive information for more than 800,000 individuals was exposed when laptops with unencrypted contents were stolen.
Applicant Joel Ruiz sued the two companies for a raft of violations, including negligence, breach of contract, unfair competition and invasion of privacy. But the federal judge hearing the case rejected each cause of action on the grounds the plaintiff failed to state actual damages that resulted from the breach.
“No one can doubt that those individuals whose private information was potentially exposed by the theft of the laptop have reason to be aggrieved and concerned,” the three-judge panel for the appeals court wrote in its decision. “However, the sole question for us is whether the district court properly analyzed the legal claims raised by Ruiz. We conclude that it did.”
The ruling largely echoes decisions by other courts, including a case against online prescription drug processor Express Scripts, which leaked highly sensitive subscriber information. Under the statutes invoked in the cases, plaintiffs were required to show actual damage arising from the breaches, rather than the speculation, however well founded, that they are more susceptible to harm, the courts have in essence ruled.
Last week's decision is evidence that appeals courts are inclined to agree with that reasoning. And according to The Technology & Marketing Law Blog that isn't likely to fare well for two separate lawsuits pending against Facebook for sharing users' personal information with advertisers despite assurances such information would never be shared without explicit permission.
The virtual immunity companies have when they lose your data is worth remembering the next time one of them makes solemn promises that your data is safe with them. They may sound assuring, but when push comes to shove, they don't mean very much. Just ask Joel Ruiz. ®
So, if I understand correctly, when my privacy is properly assured I do not need special bank monitoring and other measures that are costly.
But when my privacy is breached by incompetent companies and I have to take measures to protect myself and my identity, measures that have a non-negligible financial cost, that cost is not a damage ?
In short, if nobody has done anything with my identity, then I have no reason to claim damages.
In other words, I'll have to wait until the horse has bolted before closing the door and calling the police.
US Privacy Laws
The U.S. has really crappy privacy laws. Unless it is in regards to medical information, or a few other areas then it's almost like a free for all. The damages is the information itself, which is valuable otherwise they would not have been analyzing it. Unfortunately even if they agreed with that, mapping the value to something tangible is difficult.
Actual Damage ?
The should apply this principle to all cases brought by the content industries for alleged copyright infringement:
Plaintiff must show that actual damage has arisen from file sharing rather than speculation.