November 17, 2011
App Developer RockYou Settles Privacy Lawsuit--Claridge v. RockYou
[Post by Venkat Balasubramani with comments from Eric]
Claridge v. RockYou, 09-CV-6032-PJH (N.D. Cal.; Nov. 14, 2011) (settlement pending court approval)
Eric and I previously blogged about the opinion in Claridge v. RockYou, where the court tentatively recognized the theory that personal information may be an end user's property and thus a misappropriation of that data can satisfy Article III standing. ("Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff.") RockYou is an app developer who claimed to have 130 million unique customers using its apps on a monthly basis. It was hit with a security breach, which allegedly affected the log-in credentials of 32 million RockYou users. Claridge sued, and RockYou and Claridge settled the dispute.
The principal terms of the settlement:
- RockYou consents to an injunction for 36 months, requiring it to undergo two audits during this time (the audits will be conducted by an independent third party selected by "defendant") [i.e., RockYou];
- RockYou is bound by the injunction to the extent it continues to collect consumer information "as alleged in the" lawsuit;
- Claridge gets $2,000 for his time and efforts, and plaintiff's counsel gets $290,000;
- RockYou "represents and warrants that it is financially unable to provide the monetary relief sought by [Claridge]".
The settlement is subject to court approval and only resolves the claims for injunctive and declaratory relief with prejudice as to the proposed class. Someone else is not precluded from bringing another class action, but they have to seek money damages and cannot rely on injunctive relief.
The court/agency-monitored audit requirement is in vogue. Soon, it's possible that every single network will have a court- or agency-imposed requirement to undergo periodic privacy/security audits. (As part of settlements with the FTC, Twitter and Google agreed to periodic audits.) The efficacy of these audits is not clear and surely depends on the scope of the audit and who conducts it. In this case, the audit requirement is toothless since RockYou chooses its auditor. There is also no discussion of what action on RockYou's part facilitated the breach and what corrective steps it would take.
Paragraph 2 of the settlement was confusing. RockYou is only bound by the injunction to the extent it continues to collect and maintain information as alleged in the complaint? Or is RockYou indefinitely subject to the injunction if it continues to collect and maintain such information? How much does RockYou have to change its business practices such that it's not bound by the injunction? Something broader, that required RockYou to be bound any time it collected consumer information, makes more sense. Also, what happens to the information RockYou previously collected if it "exits the business"?
The attorneys' fees figure in this settlement ($290,000) is significantly less than what has been paid in previous cases (Google Buzz: $2.5mm; TD Ameritrade: $500K, knocked down from $1.8mm; Facebook Beacon: $2.8mm, currently on appeal to the 9th Circuit).
I'm not sure if the attorneys' fees figure is related to this, but RockYou's representation that it is "financially unable" to shell out money to the Proposed Class was worth noting. Does this mean it's on the ropes financially? It's interesting that Claridge did not go after the platforms the RockYou apps were run on top of. The responsibility of networks and platforms to police the conduct of app developers is a brewing issue.
Of course, one downside of the settlement is that the court's earlier order remains on the books.
Beacon Class Action Settlement Approved -- Lane v. Facebook
The FTC's Proposed Settlement With Google Over Buzz Privacy Breaches
The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?
Court Approves TD Ameritrade Data Breach Settlement -- In re TD Ameritrade
Google Settles Buzz User Privacy Litigation
This is an odd settlement. The plaintiff class got virtually nothing from RockYou--no relief for the class and de minimis promises from RockYou. The plaintiff's lawyer didn't even get a particularly big payday, although they do expect to get paid even if the "victims" don't get a dime. This financial dichotomy makes me wonder if the judge will approve this settlement. I would expect the judge to ask more questions about RockYou's purported poverty (see Paragraph 5) given it's the excuse for not paying anything to the class. Paragraph 5 sounded to me more like a preference (RockYou would prefer not to pay out more money) than a necessity (RockYou is on death's door). RockYou clearly isn't raking in the dough--it just laid off over half its staff--but they are claiming they'll be profitable within the next year, they have raised nearly $130M in financings, and they surely have cash remaining in the bank.
Because the lawyers are getting paid while the class is getting bubkus, the judge surely can't miss the possibility that the lawyers sold out the class to advance their own profit-seeking interests. That would be a good basis to reject the settlement. Personally, I hope the judge does reject it so that the plaintiff's lawyers don't even get these crumbs and so that RockYou will keep litigating to demonstrate the lack of merit to the plaintiffs' claims.
The ongoing promises by RockYou are ambiguous. There's a fatal typo in the settlement agreement. Paragraph 2 reads "RockYou’s shall be bound by the injunction described in Section 2.1 above, so long as it is engaged in the business of collecting and maintaining consumer records as alleged in the Action." Putting aside the minor typo (the possessive "RockYou's"), the provision references "Section 2.1 above," which doesn't exist. Unlike Venkat, I have no idea what additional obligations RockYou is undertaking other than the 2 audits referenced in Paragraph 1.
It's a bummer the agreement leaves the existing opinion in place. I wish the parties had agreed to ask the judge to vacate it. Even though other courts haven't embraced the judge's data-as-valuable-property argument (see, e.g., the Low v. LinkedIn opinion), with the opinion still on the books, plaintiffs will keep citing it (and clearing the Rule 11 bar) until an appellate court wipes it away--a result that could take years. Until then, the existing opinion gives plaintiffs false hope, spurring many more meritless actions. Just what we need.
Posted by Venkat at November 17, 2011 03:08 PM | Privacy/Security