Privacy Claims Based on LinkedIn’s Security Promises Survive Motion to Dismiss
This is a lawsuit filed in the wake of a widely reported data breach at LinkedIn. Plaintiffs alleged benefit-of-the-bargain type claims against LinkedIn, saying LinkedIn failed to live up to its security practices. The first time around, the court rejected these claims and granted LinkedIn’s motion to dismiss. (“Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation.”) This time around, the named plaintiff slightly adjusts her pleadings, and part of her claim survives.
Standing: She alleges that she was a premium subscriber from March through August 2010 and that:
Plaintiff states a claim: LinkedIn raised a variety of arguments on the merits, including that the representation in question was not material, that the precise method of data encryption was disclosed, and that this isn’t something that would register with an average consumer. None of these is sufficient at the motion to dismiss stage. Plaintiff alleged “plausible” explanations and arguments for why the statement was false and would be likely to mislead customers, and that’s the extent of the court’s inquiry. As to her explanation of falsity, the court cites to the fact that (1) LinkedIn’s encryption practices were not in line with prevailing industry recommendations (by the National Institute of Standards and Technology), and (2) a few days after the data breach, LinkedIn publicly stated that it would revise its encryption practices to bring them in line with prevailing industry standards.
The court previously dismissed the breach of contract claim and the UCL claim based on the unfairness prong, and it now dismisses those claims with prejudice. The UCL claim based on the fraud prong survives.
Privacy plaintiffs who happen to be paying customers are continuously fine-tuning their claims, and it was inevitable that they would find some sort of hook, at least to survive a motion to dismiss. To their benefit, the theory advanced doesn’t require a showing of harm flowing from the breach – i.e., they need not show that their information was ultimately misused. But they would have to prove up their allegations that they read and relied on the policies in question, and that’s where they will face some serious challenges. The case may also not lend itself to class resolution, and this may derail the case as a class action as well. (See the Gmail privacy litigation ruling.)
Case Citation: In re LinkedIn User Privacy Litigation, 12-CV-03088-EJD (N.D. Cal. Mar. 28, 2014)
Eric’s Comments: First, my apologies to Venkat and all of you for my delay adding these comments. Venkat wrote this post 5 weeks ago and I’ve held it up. Sorry.
[a]ll information that you provide will be protected with industry standard protocols and technology.
But let’s look more closely at the plaintiff’s claims. The plaintiff says, apparently in earnest, that LinkedIn failed to salt passwords before hashing them–and if LinkedIn had disclosed its failure-to-salt, it would have affected the plaintiff’s decision to obtain LinkedIn’s premium services.
Neither assessment is likely to support a plaintiff victory. If it’s the latter, Rule 11 seems too gentle. If it’s the former, the plaintiffs’ lawyers won this round but apparently have made class certification almost impossible. At minimum, the class apparently now has serious typicality problems because the class representative is a unicorn.
To overcome the unicorn problem, the plaintiff argued that if LinkedIn had made proper disclosures, someone else would have publicized LinkedIn’s sub-industry standard practice well enough to change the plaintiff’s decision. This is an example of the tautologies that all-too-frequently plague false advertising litigation (“if I had known, I would have paid less” is another example). This argument works with respect to every alleged misrepresentation, i.e., I wasn’t able to understand things, but some unspecified beneficent third party would have understood the key truthful fact I needed to know and would have relayed this issue to me in a way that I could understand. Even if this impossible-to-refute tautology works to defeat the motion to dismiss, it should hinder class formation for all of the reasons discussed in Judge Koh’s Gmail ad privacy ruling.
So this opinion made me want to laugh and cry simultaneously. I wanted to cry because this lawsuit survived when it shouldn’t have; and it survived on assertions that seem mockably dubious. At the same time, I wanted to laugh at the plaintiffs for virtually ensuring the case will lose in a future round–meaning the plaintiffs are investing more bucks in a zombie case (i.e., a case that’s already dead based on their factual concessions).
[Disclosure: I am now a LinkedIn Influencer, which includes the perk of getting a free premium subscription.]
As for Eric’s newly-minted status as a LinkedIn Influencer, a hearty congratulations to him. If he would promise to bring the classic Eric Goldman snark (which I suspect is very unlikely), I would gladly follow his writings there.