MEMORANDUM
Plаintiffs Stollenwerk, DeGatica and Brandt (collectively, “Plaintiffs”) appeal the district court’s grant of summary judgment to Defendant Tri-West Health Care Alliance (“Tri-West”) on Plaintiffs’ claims that Tri-West negligently failed to secure their personal information mаintained on Tri-West’s computers. During a December 14, 2002 burglary at Tri-West’s headquarters, computer servers containing hard drives with Tri-West’s customers’ personal information—including names, addresses, and social security numbers— were stolen. Stollenwerk and DеGatica claim damages in the form of credit monitoring insurance they purchased after the burglary. Brandt claims damages suffered after his personal information was used in six identity theft incidents. We affirm the grant of summary judgment with regard to DeGatica and Stollenwerk’s claims, and reverse and remand with regard to Brandt’s claim.
Plaintiffs also ask us to certify the general question of the availability of credit monitoring damages under Arizona law to the Arizona Supreme Court. As discussed below, our view of Plaintiffs’ claims is such that the answer to this question would not be dispositive of the case. As the Arizona Supreme Court’s jurisdictional requirements for certified questions are, therefore, not met, Ariz.Rev.Stat. Ann. § 12-1861, we deny Plaintiffs’ certification request.
I. DeGatica and Stollenwerk
DeGatiсa and Stollenwerk do not claim harm from any actual misuse of their personal information. The district court ruled that, even assuming that an Arizona court would apply case law allowing damages for pre-harm medical monitoring, see, e.g., Burns v. Jaquays Mining Corp.,
Under the medical monitoring cases, individuals who have been exposed to potentially harmful substances but have no presently detectable illnesses may recover the costs of future medical surveillance by showing “through reliable expert testimony,” (1) the “significance and extent of exposure,” (2) the “toxicity of [the contaminant], [and] the seriousness of the [harm] ... for which the individuals are at risk,” and (3) the “relative increase in the chance of ... [the harm] in those exposed,” such that (4) “monitor[ing] the effects of exposure ... is reasonаble and necessary.” Burns,
Plaintiffs have produced evidence of neither significant exposure of their information nor a significantly increased risk that they will be harmed by its misuse. The only proof of exposure they have offered is the burglary itself. However, a range of hardware was taken, not just the servers containing customers’ personal information; Stollenwerk and DeGatiea have offered no evidence the thieves had any interest in their personal information, rather than just the hardware.
A claim for medical monitoring damages requires evidence of direct toxic exposure that by itself creates a significantly increased risk of later illness. See, e.g., Theer v. Philip Carey Co.,
Moreover, Plaintiffs failed to show that the damages for which they seek compensation, thе cost of “Premium Credit Monitoring,” a service their expert described as including “Daily Alerts” of credit-related activities, “Identity Fraud” and “Lost Wage” insurance, and “Personalized Victim Care,” are reasonable and necessary on the evidence they have submitted. Tri-West urged Plaintiffs to have the three major credit agencies supply them with their credit reports for review, and place a fraud alert in their files. But TriWest also informed Plaintiffs that they could do this free of charge. In thе case of two of the credit agencies, these services were renewable at no cost for up to seven years, the period of time that Plaintiffs’ own expert stated that Plaintiffs faced an increased risk of identity fraud.
Plaintiffs’ еxpert opined that “[i]t is reasonable and necessary for [Plaintiffs] ... to procure ‘Premium Credit Monitoring’ to significantly minimize their risk and the
A key rationale for awarding medical monitoring damages in the absence of present harm is to ensure that the cost of testing does not prevent plaintiffs from receiving increased medical surveillance that is of actual benefit to them. Compare Ayers, 525 A.2d at 811 (medical monitoring damages ensure that “lack of reimbursement will [not] ... deter” plaintiffs from “seek[ing] medical surveillance”), with DeStories,
We conclude that the district court was correct in holding that even if an Arizоna court were to apply the standard it has adopted in medical monitoring cases, summary judgment on DeGatica and Stollenwerk’s claims would still be appropriate.
II. Brandt
Brandt produced evidence from which a jury could infer a causal relationship between the theft of the hard drives and the incidents of identity fraud he suffered following the Tri-West burglary. We therefore reverse the grant of summary judgment as to his negligence claim.
To survive summary judgment Brandt need not show that the Tri-West burglary was the sole cause of the identity fraud incidents, only that it was, more likely than not, a “substantial factor in bringing about the result,” Wisener v. State of Arizona,
The primary additional evidence of proximate causation Brandt produced was his testimony that (1) he gave Tri-West his personal information; (2) the identity fraud incidents began six weeks after the hard drives containing Tri-West’s customers’ personal information were stolen; and (3) he previously had not suffered any such incidents of identity theft.
If as a matter of ordinary experience a particular act or omission might be expected, under the circumstances, to produce a particular result, and that result in fact has followed, the conclusion may be permissible that the causal relation exists. Circumstantial evidence, expert testimony, or common knowledge may provide а basis from which the causal sequence may be inferred.... Such questions are peculiarly for the jury; ... [and] are questions on which a court can seldom rule as a matter of law.
Wisener,
Moreover, Brandt has stated that (1) he does not transmit personal information over the internet, (2) he shreds mail containing personal information, and (3) the only other known incident of his personal information being stolen was the theft of Brandt’s wallet at least five years before the Tri-West burglary. Brandt did not suffer any incidents of identity fraud in the five years between his wallet being stolen and the burglary at Tri-West.
Given all these circumstances, a reasonable jury could, on the present record, find it more likely than not that a causal relationship existed between the burglary and the incidents of identity theft.
III. Request to Certify to Arizona Supreme Court
Finally, we deny Plaintiffs’ request that we certify the question of the availability of credit monitoring damages under Arizona law to the Arizona Supreme Court. The Arizona Supreme Court’s jurisdiction to answer questions certified to it by a federal court only extends to questions “which may be determinative of the cause then pending in the certifying court.” Ariz.Rev.Stat. Ann. § 12-1861; In re Price Waterhouse Ltd.,
IV. Conclusion
The decision of the district court with regard to DeGatica and Stollenwerk’s negligence claims is AFFIRMED. The decision of the district court with regard to Brandt’s negligence claim is REVERSED and the claim is REMANDED. The request to certify the questiоn of the availability of credit monitoring damages under Arizona law to the Arizona Supreme Court is DENIED.
Notes
This disposition is not appropriate for publication and is not precedent except as provided by 9th Cir. R. 36-3.
. Because Plaintiffs have established at most only one of these factors—the "seriousness of the [harm] ... for which the individuals are at risk,”
. We note that the fact that the identity fraud incidents were committed by third parties dоes not preclude a finding of proximate cause. Under Arizona law, the criminal act of a third party does not necessarily relieve a defendant of liability for negligence, even when the third party is a stranger. See Robertson,