Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation
[Post by Venkat Balasubramani]
In re LinkedIn User Privacy Litigation, 2013 WL 844291 (N.D. Cal. Mar. 5, 2013)
LinkedIn suffered a data breach in 2012. Someone allegedly posted 6.5 million passwords and email addresses from LinkedIn users on the internet. Shortly after the password dump, LinkedIn announced that it switched encryption and would store passwords in a more secure encrypted format.
All information that you provide will be protected with industry standard protocols and technology.
In a short 8-page order, Judge Davila says plaintiffs lack standing. Plaintiffs proceeded based on a “benefit of the bargain” theory because they were paying customers, but the court found several problems with this theory.
The court also says that the cases where plaintiffs asserted claims for insufficient performance have required plaintiffs to allege “something more” than merely overpaying. For example, damages based on identity theft would constitute something more, but neither plaintiff alleged any damages in this category.
One of the plaintiffs separately raised the argument that she suffered injury by virtue of her information being posted online, but the court also rejects this theory:
Plaintiff Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identity theft or theft of her personally identifiable information.
Plaintiffs’ failure to sue on behalf of a subclass that actually suffered out-of-pocket loss as a result of their information being posted online is telling, and probably spells the end of this lawsuit. Although they have a chance to amend, the court appears fairly hostile to plaintiffs’ claims.
The lay of the land for data breach lawsuits has not changed much. The overwhelming majority of plaintiffs lose, either on the basis of standing or the merits. In either scenario, the underlying rationale is the same: no out-of-pocket losses equals no cognizable damages.
The plaintiffs here tried a different tack that a few other plaintiffs have also tried: as paying customers, they asserted contract-based claims and claims for misrepresentation. Like earlier plaintiffs, these plaintiffs were also unsuccessful, at least on the first round. Early indications from these cases are that the “benefit of the bargain” argument is unlikely to be successful in the typical data breach case.