Ruiz v. Gap, Inc. et a., Case Number 09-15971 (9th Cir. April 12, 2010)

Around September of 2007, two laptops were stolen from a Gap office in Chicago, which contained personal information and social security numbers for approximately 750,000 job applicants, including Plaintiff Ruiz who had applied for a job online. Gap sent a letter to the affected individuals 11 days after the breach and offered 12 months of credit monitoring at no cost as well as advice regarding additional precautions to take. Ruiz did not accept Gap’s offer and brought a class action lawsuit against Gap and Vangent, Inc., the company contracted by Gap to process the online applications. The district court granted Gap’s motion to dismiss Ruiz’ claims for negligence, breach of contract, unfair competition, invasion of privacy, and violation of California Civil Code §1798.85 and the appellate court affirmed.

The primary problem with Ruiz’ claims appears to be that his alleged harm from this situation did not rise to the level required under his causes of action and was only sufficient to give him standing.

A claim for negligence in California requires (1) the existence of a duty to exercise due care, (2) breach of that duty, (3) causation, and (4) damages. Both the district court and the court of appeals held that to establish sufficient harm under California law, the damage must not be nominal, speculative, or a mere threat of future harm. Ruiz was unable to establish that his identity had actually been stolen or that he had expended any money on monitoring (or really that the credit monitoring offered by Gap was insufficient to protect him). Monitoring costs may have been sufficient, as they have been in cases dealing with exposure to toxic chemicals, but Ruiz had no such costs.

Similarly, there was no harm required for a claim for breach of contract by Gap’s vendor or unfair competition against Gap. While California has recognized nominal damages for contract actions, damages must still be appreciable and actual rather than Ruiz’ claim for an increased likelihood of damage through identify theft now that his personal information has been exposed.

A plaintiff alleging an invasion of privacy must establish each of the following: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy. This conduct must be “sufficiently serious in . . . scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right.” Hill v. Nat’l Collegiate Athletics Ass’n, 865 P.2d 655, 657 (Cal. 1994). While there is explicit requirement for intentional conduct, the appellate court noted that no California court has yet extended the application of this claim to a situation involving accidental or negligent conduct such as the case in the present matter.

California Civil Code § 1798.85 provides that a person or entity may not “[r]equire an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number of other authentification device is also required to access the Internet Web site.” Ruiz’ attempt to bring a claim under this section ignores the plain language of the code, which is clearly directed at the act of logging onto a website and not the transmission of information through a website for the purpose of applying for a job.

As of January 1, 2010, paparazzi that commit an assault while attempting to photograph, videotape or record an individual may be liable for three times the amount of general damages caused by the assault. They will also be prohibited from profiting from the media they obtain. Similarly, publishers, such as newspapers and magazines, may be held liable for directing, inducing or soliciting such behavior.

The law taking effect was signed by California Governor Arnold Schwarzenegger in October 2009 and will amend California Civil Code section 1708.8, which was enacted pursuant to a bill passed in 1998. Known by many people as “Stalkerazzi,” one of the main restrictions contained in the current version of section 1708.8 is the prevention of photographing, videotaping or recording of an individual engaged in a personal or familial event, during which said individual had a reasonable expectation of privacy. Section 1708.8 is not being superseded by the amendment, but just being added to. One repercussion of the inclusion of an additional punishment for publishers implicitly supporting assaults by paparazzi may be a chilling effect on speech. This chilling effect could be unconstitutional.

The First Amendment of the United States Constitution states that, “Congress shall make no law…abridging the freedom of speech, or of the press…” Contrary to popular belief, this Constitutional right to free speech has restrictions. There are certain exceptions that have been upheld by the United States Supreme Court. However, a law abridging a group’s freedom of speech, if challenged in court, must be analyzed under one of three legal standards to determine whether it is constitutional: the rational basis test, intermediate scrutiny or strict scrutiny. Content-based speech restrictions must pass strict scrutiny.

Although Stalkerazzi may not be a content-based restriction on its face, it is likely so in practice. Stalkerazzi would punish people violating the law whether celebrities are the subject of the photographs or video, or whether an unknown person is the subject. But realistically, this law will apply mostly to paparazzi-obtained, celebrity-based media. Most stalkers of non-famous people will probably not go to the extreme of viciously chasing someone’s vehicle to get a photograph, as paparazzi have done to unfortunate celebrities including Reese Witherspoon and Lindsay Lohan. Photographs, video and recordings of celebrities will be predominantly affected. News outlets may be hesitant to run media containing celebrity subjects for fear of being held in violation of section 1708.8. This is the potential chilling effect Stalkerazzi could have on dispensing news and information to the public.

Since Stalkerazzi is a content-based speech restriction, it must pass strict scrutiny, which means it must be the least restrictive means to accomplish the desired goal, and there must be a compelling government interest justifying the need for the restriction. If Stalkerazzi is challenged, it will have to pass this standard in court.

In addition to possibly violating First Amendment free speech protection by potentially unjustifiably restricting content-based speech, it is also possible Stalkerazzi could violate the First Amendment for other reasons, such as being overbroad or vague.

In State v. Wolfe[1], the Ohio Court of Appeal s recently determined that while using your office computer for personal business may not constitute theft, you may be liable for felony unauthorized access if that personal business is illegal conduct.

On or about April 21, 2006, the Superintendent of the Shelby City Wastewater Treatment Plant came across nude pictures of one of his employees, Richard Lee Wolfe, while cleaning out old files from a city-owned computer. The Superintendent took the computer to the local police station the following week and the officer assigned to the case contacted Wolfe about his activities on the city computer. Wolfe admitted to joining a site called “Adult Friend Finder” in January 2006 to meet woman, and to purchasing a digital camera to take and send pictures of himself through the site. In addition, Wolfe admitted to visiting various pornographic websites and to violating work procedures, but not to committing a crime.

During the course of an investigation, 703 pornographic photos were located in the computer’s temporary files as well as several sexually explicit emails in which Wolfe was soliciting services from a dominatrix. The dates and times Wolfe accessed the pictures and emails were compared to City time sheets to determine that Wolfe was on the clock at the time. Wolfe estimated that he spent over 100 hours on the internet for personal business when he should have been working (for which he was paid approximately $2,392.00).

Wolfe was indicted by the Richland County Grand Jury on one count of theft in office, with a specification that the value of the property or services stolen was more than $500 and less than $5000, in violation of R.C. 2921.41(A)(2), a fourth degree felony; one count of unauthorized access to a  computer, with a specification that the value of the property or services stolen was more than $500 and less than $5000, in violation of R.C. 2913.04(B), a fifth degree felony; one count of unauthorized use of property, in violation of R.C. 2913.04(A), a fourth degree misdemeanor; and one count of solicitation, in violation of R.C. 2907.24(A), a third degree misdemeanor.

Wolfe was found guilty of theft in office, the felony unauthorized use of property charge, and soliciting prostitution. He was found not guilty of the misdemeanor count of unauthorized use of property. As a result of his convictions, the trial court sentenced Wolfe to 15 months in prison on the two felony counts, and fined him $5,000.00. The trial court also ordered Wolfe to pay restitution in the amount of $2,392.00 to the City of Shelby. On the misdemeanor count of soliciting prostitution, the trial court sentenced Wolfe to sixty (60) days in jail, to run concurrent to his felony sentence, and a $500.00 fine.

After careful review of the record the Appellate Court found sufficient evidence to support a conviction for solicitation and therefore upheld Wolfe’s conviction on the charge for unauthorized access to a computer. Under the relevant statute:

(A)   No person shall knowingly use or operate the property of another without the consent of the owner or person authorized to give consent.

(B)   No person, in any manner and by any means, including, but not limited to, computer hacking, shall knowingly gain access to, attempt to gain access to,  or cause access to be gained to any computer, computer system, computer network, cable service, cable system, telecommunications device, telecommunications service, or information service without the consent of, or beyond the scope of the express or implied consent of, the owner of the computer, computer system, computer network, cable service, cable system, telecommunications device, telecommunications service, or information service or other person authorized to give consent.

The Court agreed with the basis of the State’s claim, which was that Wolfe’s conduct was “beyond the scope of the express or implied consent” of the City and therefore a violation of the statute.

The Court, however, did not agree that Wolfe’s actions constituted criminal theft in office. While Wolfe admitted to spending approximately 100 hours over a five month-period using the City’s internet to access websites for his personal ends, there was no evidence presented that his job performance suffered in any way or that he failed to perform his job duties. Absent such evidence there could be no basis for theft and that conviction was vacated.