
    Michael STOLLENWERK and Andrea DeGatica, husband and wife; and Mark William Brandt, Plaintiffs—Appellants, v. TRI-WEST HEALTH CARE ALLIANCE, Defendant—Appellee.
    No. 05-16990.
    United States Court of Appeals, Ninth Circuit.
    Argued and Submitted Sept. 25, 2007.
    Filed Nov. 20, 2007.
    
      Kenneth Sean Countryman, Esq., Kenneth S. Countryman, P.C. Joel Grant Woods, Law Offices of Grant Woods, Phoenix, AZ, M. David Karnas, Esq., James A. Robles, Esq., Barry L. Bellovin, Esq., Bellovin & Karnas PC, Tucson, AZ, Henry T. Dart, Esq., Henry T. Dart Law Office, Covington, LA, for Plaintiffs-Appellants.
    Barry D. Halpern, Andrew Halaby, Snell & Wilmer, LLP, Phoenix, AZ, for Defendant-Appellee.
    Before: GIBSON , BERZON, and BEA, Circuit Judges.
    
      
       The Honorable John R. Gibson, Senior United States Circuit Judge for the Eighth Circuit, sitting by designation.
    
   MEMORANDUM

Plaintiffs Stollenwerk, DeGatica and Brandt (collectively, “Plaintiffs”) appeal the district court’s grant of summary judgment to Defendant Tri-West Health Care Alliance (“Tri-West”) on Plaintiffs’ claims that Tri-West negligently failed to secure their personal information maintained on Tri-West’s computers. During a December 14, 2002 burglary at Tri-West’s headquarters, computer servers containing hard drives with Tri-West’s customers’ personal information—including names, addresses, and social security numbers— were stolen. Stollenwerk and DeGatica claim damages in the form of credit monitoring insurance they purchased after the burglary. Brandt claims damages suffered after his personal information was used in six identity theft incidents. We affirm the grant of summary judgment with regard to DeGatica and Stollenwerk’s claims, and reverse and remand with regard to Brandt’s claim.

Plaintiffs also ask us to certify the general question of the availability of credit monitoring damages under Arizona law to the Arizona Supreme Court. As discussed below, our view of Plaintiffs’ claims is such that the answer to this question would not be dispositive of the case. As the Arizona Supreme Court’s jurisdictional requirements for certified questions are, therefore, not met, Ariz.Rev.Stat. Ann. § 12-1861, we deny Plaintiffs’ certification request.

I. DeGatica and Stollenwerk

DeGatica and Stollenwerk do not claim harm from any actual misuse of their personal information. The district court ruled that, even assuming that an Arizona court would apply case law allowing damages for pre-harm medical monitoring, see, e.g., Burns v. Jaquays Mining Corp., 156 Ariz. 375, 752 P.2d 28, 33 (Ariz.Ct.App.1987), to exposure of personal information, Stollenwerk and DeGatiea failed to produce evidence to overcome summary judgment on such a claim. We agree.

Under the medical monitoring cases, individuals who have been exposed to potentially harmful substances but have no presently detectable illnesses may recover the costs of future medical surveillance by showing “through reliable expert testimony,” (1) the “significance and extent of exposure,” (2) the “toxicity of [the contaminant], [and] the seriousness of the [harm] ... for which the individuals are at risk,” and (3) the “relative increase in the chance of ... [the harm] in those exposed,” such that (4) “monitor[ing] the effects of exposure ... is reasonable and necessary.” Burns, 752 P.2d at 33, quoting Ayers v. Township of Jackson, 106 N.J. 557, 525 A.2d 287, 312 (1987). Even if one applies a similar standard to determine the availability of damages for the cost of credit monitoring in instances of exposure of personal information, Stollenwerk and DeGatica fail to produce sufficient evidence to overcome summary judgment as to all elements of such a claim.

Plaintiffs have produced evidence of neither significant exposure of their information nor a significantly increased risk that they will be harmed by its misuse. The only proof of exposure they have offered is the burglary itself. However, a range of hardware was taken, not just the servers containing customers’ personal information; Stollenwerk and DeGatiea have offered no evidence the thieves had any interest in their personal information, rather than just the hardware.

A claim for medical monitoring damages requires evidence of direct toxic exposure that by itself creates a significantly increased risk of later illness. See, e.g., Theer v. Philip Carey Co., 628 A.2d at 733 (finding monitoring damages only available where increased risk of illness is directly and specifically related to exposure). Here the thieves could use the information only by taking further steps after stealing the servers, and the risk they would do so, given the nature of the theft, was low.

Moreover, Plaintiffs failed to show that the damages for which they seek compensation, the cost of “Premium Credit Monitoring,” a service their expert described as including “Daily Alerts” of credit-related activities, “Identity Fraud” and “Lost Wage” insurance, and “Personalized Victim Care,” are reasonable and necessary on the evidence they have submitted. Tri-West urged Plaintiffs to have the three major credit agencies supply them with their credit reports for review, and place a fraud alert in their files. But TriWest also informed Plaintiffs that they could do this free of charge. In the case of two of the credit agencies, these services were renewable at no cost for up to seven years, the period of time that Plaintiffs’ own expert stated that Plaintiffs faced an increased risk of identity fraud.

Plaintiffs’ expert opined that “[i]t is reasonable and necessary for [Plaintiffs] ... to procure ‘Premium Credit Monitoring’ to significantly minimize their risk and the monetary value of their identity fraud risk.” He did not indicate, however, why it was necessary, given that Plaintiffs could place fraud alerts with the major credit agencies and receive copies of their credit reports free of charge, or whether it was reasonable to do so, given that free precautionary measures were available and the risk that the thieves would engage in identity fraud was so low.

A key rationale for awarding medical monitoring damages in the absence of present harm is to ensure that the cost of testing does not prevent plaintiffs from receiving increased medical surveillance that is of actual benefit to them. Compare Ayers, 525 A.2d at 811 (medical monitoring damages ensure that “lack of reimbursement will [not] ... deter” plaintiffs from “seek[ing] medical surveillance”), with DeStories, 744 P.2d at 711 (monitoring damages not available where plaintiffs fail to show value of increased testing over “what would normally have been prudent for them based on their individual circumstances”). Here, there has been no showing that a normally prudent person in these circumstances would have taken precautions beyond the free services Tri-West suggested. The expert evidence, which does not mention or account for the availability of these free services, is entirely too conclusory to establish that a reasonable person faced with Stollenwerk’s level of risk of identity theft would incur significant monitoring costs rather than take advantage of these services.

We conclude that the district court was correct in holding that even if an Arizona court were to apply the standard it has adopted in medical monitoring cases, summary judgment on DeGatica and Stollenwerk’s claims would still be appropriate.

II. Brandt

Brandt produced evidence from which a jury could infer a causal relationship between the theft of the hard drives and the incidents of identity fraud he suffered following the Tri-West burglary. We therefore reverse the grant of summary judgment as to his negligence claim.

To survive summary judgment Brandt need not show that the Tri-West burglary was the sole cause of the identity fraud incidents, only that it was, more likely than not, a “substantial factor in bringing about the result,” Wisener v. State of Arizona, 123 Ariz. 148, 598 P.2d 511, 513 (1979), and a factor “without which the injury would not have occurred.” Robertson v. Sixpence Inns of Am., Inc., 163 Ariz. 539, 789 P.2d 1040, 1047 (1990). The district court held that Brandt’s evidence concerning the fact that credit accounts were opened in his name by someone else was admissible, but that the evidence as to what information was used was inadmissible hearsay, because Brandt was testifying as to what he was told by third parties at the firms where the accounts were opened. We assume that the latter evidence was properly excluded. Still, the fact that the type of information contained on the stolen hard drives is the same kind needed to open credit accounts at the firms where these incidents took place (Home Depot, T-Mobile, Sears, Wal-Mart) is a matter of common knowledge from which a jury could reasonably draw inferences regarding its probative value in establishing causation. Wisener, 598 P.2d at 513.

The primary additional evidence of proximate causation Brandt produced was his testimony that (1) he gave Tri-West his personal information; (2) the identity fraud incidents began six weeks after the hard drives containing Tri-West’s customers’ personal information were stolen; and (3) he previously had not suffered any such incidents of identity theft.

Of course, purely temporal connections are often insufficient to establish causation. See, e.g., Choe v. INS, 11 F.3d 925, 938 (9th Cir.1993). Here, however, proximate cause is supported not only by the temporal, but also by the logical, relationship between the two events. The Arizona Supreme Court has endorsed the view that,

If as a matter of ordinary experience a particular act or omission might be expected, under the circumstances, to produce a particular result, and that result in fact has followed, the conclusion may be permissible that the causal relation exists. Circumstantial evidence, expert testimony, or common knowledge may provide a basis from which the causal sequence may be inferred.... Such questions are peculiarly for the jury; ... [and] are questions on which a court can seldom rule as a matter of law.

Wisener, 598 P.2d at 513 (quoting William Prosser, Law of Torts, § 41, 242-243 (4th Ed.1971)). As a matter of twenty-first century common knowledge, just as certain exposures can lead to certain diseases, the theft of a computer hard drive certainly can result in an attempt by a thief to access the contents for purposes of identity fraud, and such an attempt can succeed.

Moreover, Brandt has stated that (1) he does not transmit personal information over the internet, (2) he shreds mail containing personal information, and (3) the only other known incident of his personal information being stolen was the theft of Brandt’s wallet at least five years before the Tri-West burglary. Brandt did not suffer any incidents of identity fraud in the five years between his wallet being stolen and the burglary at Tri-West.

Given all these circumstances, a reasonable jury could, on the present record, find it more likely than not that a causal relationship existed between the burglary and the incidents of identity theft. We accordingly reverse the district court’s grant of summary judgment on Brandt’s claim.

III. Request to Certify to Arizona Supreme Court

Finally, we deny Plaintiffs’ request that we certify the question of the availability of credit monitoring damages under Arizona law to the Arizona Supreme Court. The Arizona Supreme Court’s jurisdiction to answer questions certified to it by a federal court only extends to questions “which may be determinative of the cause then pending in the certifying court.” Ariz.Rev.Stat. Ann. § 12-1861; In re Price Waterhouse Ltd., 202 Ariz. 397, 46 P.3d 408, 409 (2002) (stating that § 12-1861 is jurisdictional). We have concluded that even if credit monitoring damages were available under Arizona law, summary judgment as to DeGatica and Stollenwerk’s claims would be appropriate. We also have concluded that Brandt has produced sufficient evidence of a causal relationship between the Tri-West burglary and the identity fraud incidents to go forward with a traditional negligence claim, even if a credit monitoring damages claim is not available. As a result of these two rulings, the Arizona Supreme Court’s answer to the legal question on which Plaintiffs seek certification would not affeet our disposition of this case. We therefore decline to certify the question.

IV. Conclusion

The decision of the district court with regard to DeGatica and Stollenwerk’s negligence claims is AFFIRMED. The decision of the district court with regard to Brandt’s negligence claim is REVERSED and the claim is REMANDED. The request to certify the question of the availability of credit monitoring damages under Arizona law to the Arizona Supreme Court is DENIED. 
      
       This disposition is not appropriate for publication and is not precedent except as provided by 9th Cir. R. 36-3.
     
      
      . Because Plaintiffs have established at most only one of these factors—the "seriousness of the [harm] ... for which the individuals are at risk,” 752 P.2d at 33—our decision does not turn on whether Arizona law would require Plaintiffs to show all four elements or just some of them. In either case, merely showing the seriousness of a potential harm, without showing a significantly increased risk that it will occur, or the value of added testing to detect it, does not satisfy the standard. See e.g., Theer v. Philip Carey Co., 133 N.J. 610, 628 A.2d 724, 733 (1993); DeStories v. City of Phoenix, 154 Ariz. 604, 744 P.2d 705, 711 (Ariz. Ct. App. 1987).
     
      
      . We note that the fact that the identity fraud incidents were committed by third parties does not preclude a finding of proximate cause. Under Arizona law, the criminal act of a third party does not necessarily relieve a defendant of liability for negligence, even when the third party is a stranger. See Robertson, 789 P.2d at 1046-48 (denying summary judgment where an injury was caused by criminal act of a trespasser on defendant's property).
     