When you hear the phrase “trade secret,” it often brings to mind an image of the secrets that companies want to keep safe from their competitors. But companies need to protect the personal information of their customers as well, whether on a laptop, Blackberry, iPhone, point of sale device, or when sent over a wireless or wired network. Companies are not safe from lawsuits for the loss of this personal information, and they can be at increased risk if they store unencrypted customer data on laptops. The Ninth Circuit has recently said that companies can be held liable for simply creating a risk that customer data will be stolen.
In Ruiz v. Gap, Inc., The Gap was sued for negligence for failing to adequately secure its customer data. See Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D. Cal. 2008). A job applicant from Texas, Ruiz, applied for a position with the company over its website. The employment application required Ruiz to input several items of personal information, including his social security number. The Gap outsourced its job recruiting to another vendor and, soon after Ruiz had filed his application, The Gap realized that two laptop computers containing Ruiz's personal information had been stolen. The two laptops contained the social security numbers of over 800,000 applicants.
The Gap notified the at-risk applicants and offered them a year of credit monitoring and $50,000 in identity theft insurance. Ruiz soon brought suit under his negligence theory, and The Gap asked the court for a judgement on the pleadings. The court denied The Gap's request, but then an question arose over whether Ruiz had standing to bring his claim. Ruiz claimed that he was at an “increased risk” of becoming a victim of identity theft because of The Gap's negligent actions. The Gap argued that an “increased risk” was insufficient for standing under the US Supreme Court's Lujan v. Defenders of Wildlife standard because it was not an “injury in fact.”
The Ninth Circuit ultimately found that Ruiz had suffered an “injury in fact” to sustain his standing under Lujan, but warned that it would be quick to revoke that standing if it appeared in later proceedings that Ruiz's injury was conjecture:
The injury that underlies all of Plaintiff's claims-the fact that Plaintiff faces an increased risk that his identity may be stolen at some time in the future-seems, at first blush, conjectural or hypothetical, rather than actual or imminent. Nonetheless, the Court must presume “that general allegations embrace those specific facts that are necessary to support the claim.” Lujan, 504 U.S. at 561, 112 S.Ct. 2130 (internal quotation marks omitted). Although Ruiz has asserted that the risk of identity theft he and other putative class members face is now “increased,” there is nothing else from which the Court can determine whether this risk is actual, imminent, credible, or any of the other adjectives courts have used in defining what types of risk of future harm may confer standing.
At this stage of the proceedings, the Court cannot conclude that Ruiz lacks standing. Nonetheless, Ruiz must be mindful that the elements of standing “are not mere pleading requirements but rather an indispensable part of the plaintiff's case....” Lujan, 504 U.S. at 561, 112 S.Ct. 2130. Should it become apparent that Ruiz's alleged injury is in fact too speculative or hypothetical, the Court will conclude, as it must, that Ruiz lacks standing.
This case underscores the great importance of protecting your customer data. With the increase in identity theft over the last ten years, courts have become more willing to find companies liable for these types of mistakes. It is important to take adequate steps to not only protect your companies trade secrets, but the secrets of your customers as well.