California court says don’t cry before you’re hurt

In November 2007 it was announced that HMRC had lost two CDs containing personal information about 25 million people.  Since then there has been a steady stream of stories about data losses, mainly from the public sector.

The Data Protection Act 1998 requires appropriate measures to be taken against the accidental loss of personal data.  Breach of this requirement can lead to enforcement action by the Information Commissioner. An individual whose data was lost could claim compensation from the data controller under section 13 of the Act, but only on proof of damage.  If the individual had suffered identity fraud as a result of the breach then this would probably be sufficient.  What if the individual argued that he was now at a higher risk of ID fraud, even though no fraud had yet taken place?  Would this count as damage?

A US district court in California has recently considered a similar question.  In Ruiz v Gap and Vangent a laptop was stolen containing unencrypted personal data of 750,000 Gap job applicants.  In a class action, the plaintiff sued for negligence, contending that he and the other class members had suffered damage consisting of exposure to an increased risk of ID fraud.  The Court granted summary judgment to the defendants and dismissed the claim.  Speculative harm, or the threat of future harm, was not enough for a cause of action in negligence.  The plaintiff relied on cases where recovery had been allowed for medical monitoring after negligent exposure to toxic substances; the court rejected the analogy.  It also noted that Gap had informed those whose information was on the laptop, and had offered to provide them with 12 months of free credit monitoring.  The plaintiff had not taken up this offer.

In policy terms it is questionable whether strengthening individual rights of action is the best way to deal with data loss.  Of course, individuals who suffer direct financial loss – through ID fraud or otherwise – should be compensated.  But in the Ruiz type of claim individual damages are likely to be modest.  There is no great social benefit in spending a lot of time and money in order to provide a wide class of individuals with low-level compensation.  Instead the focus should be on deterring breaches and avoiding recurrence.  The Information Commissioner’s new power to fine for serious data protection breaches (DPA section 55A) is a step in the right direction, though not yet in force.

If the UK regulatory framework needs further strengthening then one option would be legislation requiring data controllers to notify affected individuals where information is lost or stolen.  Last year the Thomas/Wolpert data sharing review recommended notification to the Information Commissioner as good practice, but not as a mandatory requirement.  The Government agreed.  Its response (see page 19) made clear that it had considered, and rejected, the possibility of a US-style law requiring notification of data breaches to the individuals affected.

Incidentally, I found the Ruiz case via the excellent blog maintained by InfoSecCompliance LLC, a US firm specialising in privacy, information law and data security. David Navetta is their founding member.