« Amazon's Merchandising of Its Search Results Doesn't Violate Trademark Law (Forbes Cross-Post) | Main | Family Law Judge Discounts Tweets That Threatened Children and Discussed Alcohol Use – R.M. v. D.Z. »
March 07, 2013
Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation
[Post by Venkat Balasubramani]
In re LinkedIn User Privacy Litigation, 2013 WL 844291 (N.D. Cal. Mar. 5, 2013) [pdf]
LinkedIn suffered a data breach in 2012. Someone allegedly posted 6.5 million passwords and email addresses from LinkedIn users on the internet. Shortly after the password dump, LinkedIn announced that it switched encryption and would store passwords in a more secure encrypted format.
All information that you provide will be protected with industry standard protocols and technology.
In a short 8 page order, Judge Davila says plaintiffs lack standing. Plaintiffs proceeded based on a “benefit of the bargain” theory because they were paying customers, but the court found several problems with this theory.
The court also says that the cases where plaintiffs asserted claims for insufficient performance have required plaintiffs to allege “something more” than merely overpaying. For example, damages based on identity theft would constitute something more, but neither plaintiff alleged any damages in this category.
One of the plaintiffs separately raised the argument that she suffered injury by virtue of her information being posted online, but the court also rejects this theory:
Plaintiff Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identify theft or theft of her personally identifiable information.
Plaintiffs’ failure to sue on behalf of a subclass that actually suffered out-of-pocket loss as a result of their information being posted online is telling, and probably spells the end of this lawsuit. Although they have a chance to amend, the court appears fairly hostile to plaintiffs’ claims.
The lay of the land for data breach lawsuits has not changed much. The overwhelming majority of plaintiffs lose, either on the basis of standing or the merits. In either scenario, the underlying rationale is the same: no out-of-pocket losses equals no cognizable damages.
The plaintiffs here tried a different tack that a few other plaintiffs have also tried: as paying customers, they asserted contract-based claims and claims for misrepresentation. Like earlier plaintiffs, these plaintiffs were also unsuccessful, at least on the first round. Early indications from these cases are that the “benefit of the bargain” argument is unlikely to be successful in the typical data breach case.
(Threat Post): LinkedIn Data Breach Lawsuit Dismissed
Class Action Against Path Over Cellphone Address Book Access Keeps Going
Judge Koh Whittles Down iPhone App Privacy Lawsuit
Data Breach Claim Survives Based on Allegation of Misuse of Personal Information -- Burrows v. Purchasing Power
Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]