Privacy Claims Based on LinkedIn’s Security Promises Survive Motion to Dismiss

This is a lawsuit filed in the wake of a widely reported data breach at LinkedIn. Plaintiffs alleged benefit-of-the-bargain type claims against LinkedIn, saying LinkedIn failed to live up to its security practices. The first time around, the court rejected these claims and granted LinkedIn’s motion to dismiss. (“Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation.”) This time around, the named plaintiff slightly adjusts her pleadings, and part of her claim survives.

Standing: She alleges that she was a premium subscriber from March through August 2010 and that:

prior to her purchase of the premium subscription, she read LinkedIn’s User Agreement and Privacy Policy and that, had LinkedIn disclosed its lax security practices, she would have viewed the premium subscription as less valuable and would have attempted to purchase a premium subscription at a lower price or not at all.

The court says that the cases construing California’s unfair competition statute hold that a consumer’s reliance on a product label is sufficient to confer standing under both the UCL and Article III. LinkedIn, on the other hand, argued that this precedent only applies to cases where the misrepresentation is contained in a “label or an advertisement.” While LinkedIn cited cases saying that a plaintiff has to allege more than “mere overpayment,” LinkedIn also disputed the notion that the statements in LinkedIn’s privacy policy were the type of advertising that could support a claim under the UCL statute at all. Among other things, the purported promise is a stray sentence that applies to premium and non-premium members alike. The court rejects LinkedIn’s argument, taking a broader view of the Unfair Competition Law cases. The court says that the cases aren’t strictly limited to misrepresentations in labels or advertisements; and even to the extent they are, the term “advertisement” is broadly construed. The court hints at some skepticism as to who would actually read the policy, but says that this is not a situation where a prospective customer was physically precluded from reading the policy.

Plaintiff states a claim: LinkedIn raised a variety of arguments on the merits, including that the representation in question was not material, that the precise method of data encryption was disclosed, and that this isn’t something that would register with an average consumer. None of these is sufficient at the motion to dismiss stage. Plaintiff alleged “plausible” explanations and arguments for why the statement was false and would be likely to mislead customers, and that’s the extent of the court’s inquiry. As to her explanation of falsity, the court cites to the fact that (1) LinkedIn’s encryption practices were not in line with prevailing industry recommendations (by the National Institute of Standards and Technology), and (2) a few days after the data breach, LinkedIn publicly stated that it would revise its encryption practices to bring them in line with prevailing industry standards.

The court dismissed the breach of contract and UCL claim based on the unfairness prong previously, and dismisses those claims with prejudice. The UCL claim based on the fraud prong survives.

__

The idea that flowery language in a privacy policy would come back to haunt a company is not entirely shocking. Nevertheless, that privacy policy language could potentially support claims under the UCL statute will probably raise a few eyebrows. As is frequently said, there is no greater lie on the Internet than “I read and agreed to the terms and conditions”! Interestingly, LinkedIn did not cite or try to marshal any disclaimers or other protective provisions in its terms of service to neutralize or otherwise undermine plaintiff’s claims.

Privacy plaintiffs who happen to be paying customers are continuously fine-tuning their claims, and it was inevitable that they would find some sort of hook, at least to survive a motion to dismiss. To their benefit, the theory advanced doesn’t require a showing of harm flowing from the breach – i.e., they need not show that their information was ultimately misused. But they would have to prove up their allegations that they read and relied on the policies in question, and that’s where they will face some serious challenges. The case may also not lend itself to class resolution, and this may derail the case as a class action as well. (See the Gmail privacy litigation ruling.)

Case Citation: In re LinkedIn User Privacy Litigation, 12-CV-03088-EJD (N.D. Cal. Mar. 28, 2014)

Eric’s Comments: First, my apologies to Venkat and all of you for my delay adding these comments. Venkat wrote this post 5 weeks ago and I’ve held it up. Sorry.

The ruling involves the following sentence from LinkedIn’s privacy policy:

[a]ll information that you provide will be protected with industry standard protocols and technology.

I’m sure most privacy policy drafters are wondering where the rest of the problematic language is. As quoted, this is just harmless puffery, right? There’s no single definition of “industry standard” or, for that matter, “protected.” It probably seemed inconceivable to the drafter that this piece-‘o’-fluff could have any legal consequences.

But let’s look more closely at the plaintiff’s claims. The plaintiff says, apparently in earnest, that LinkedIn failed to salt passwords before hashing them–and if LinkedIn had disclosed its failure-to-salt, it would have affected the plaintiff’s decision to obtain LinkedIn’s premium services.

HAHAHAHAHA! After I stopped laughing uncontrollably, I have to call BS on that. I see one of two explanations here: (1) the plaintiff is the one-in-a-zillion potential customer of LinkedIn premium services that (a) would read the LinkedIn privacy policy all the way down to the puffy statements about security, (b) would know LinkedIn’s security practices were below industry-standard if LinkedIn disclosed that it encrypts passwords without salting them, and (c) would change the subscription decision because of the salting omission; or (2) the plaintiff is just feeding the judge a line to get past a motion to dismiss.

Neither assessment is likely to support a plaintiff victory. If it’s the latter, Rule 11 seems too gentle. If it’s the former, the plaintiffs’ lawyers won this round but apparently have made class certification almost impossible. At minimum, the class apparently now has serious typicality problems because the class representative is a unicorn.

To overcome the unicorn problem, the plaintiff argued that if LinkedIn had made proper disclosures, someone else would have publicized LinkedIn’s sub-industry standard practice well enough to change the plaintiff’s decision. This is an example of the tautologies that all-too-frequently plague false advertising litigation (“if I had known, I would have paid less” is another example). This argument works with respect to every alleged misrepresentation, i.e., I wasn’t able to understand things, but some unspecified beneficent third party would have understood the key truthful fact I needed to know and would have relayed this issue to me in a way that I could understand. Even if this impossible-to-refute tautology works to defeat the motion to dismiss, it should hinder class formation for all of the reasons discussed in Judge Koh’s Gmail ad privacy ruling.

So this opinion made me want to laugh and cry simultaneously. I wanted to cry because this lawsuit survived when it shouldn’t have; and it survived on assertions that seem mockably dubious. At the same time, I wanted to laugh at the plaintiffs for virtually ensuring the case will lose in a future round–meaning the plaintiffs are investing more bucks in a zombie case (i.e., a case that’s already dead based on their factual concessions).

What’s not funny at all is the legal system’s treatment of puffy statements about an Internet company’s security practices. We’ve already seen how the FTC and state AGs are masters at making jaw-droppingly tendentious interpretations of these statements. Now we can see how class action lawyers will do ANYTHING to chase down the puffery, even if it means finding LinkedIn subscribers who would drop services for failure-to-salt. We’ve said it before, but it bears reminding: the security provisions in your privacy policy should contain only verified facts and ZERO innuendo. If you haven’t scrubbed your privacy policy recently to de-puff it, time’s a-ticking.

[Disclosure: I am now a LinkedIn Influencer, which includes the perk of getting a free premium subscription.]
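For readers who want to see what the “failure-to-salt” allegation actually means in code, the following is an added Python example written for this post; it is not LinkedIn’s code and not part of either author’s commentary. It contrasts a password store that hashes passwords without a salt against one that uses a per-user random salt with an iterated hash, which is the kind of scheme NIST’s password-storage guidance (SP 800-132) describes. The hash functions chosen (SHA-256 and PBKDF2-HMAC-SHA256) and the three sample accounts are assumptions made up for the example; the post does not say which algorithm LinkedIn used.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts for the example (not real user data).
# Two of the three users happen to have chosen the same password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "Tr0ub4dor&3",
}


def unsalted_hash(password: str) -> str:
    """Hash a password with no salt (the practice the post describes).

    SHA-256 stands in for whatever fast hash an unsalted store might use.
    Because nothing user-specific is mixed in, equal passwords always
    produce equal digests, and one precomputed table fits every user.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Hash a password with a per-user random salt and key stretching.

    PBKDF2-HMAC-SHA256 is a standard-library KDF; a 16-byte salt meets the
    128-bit minimum NIST SP 800-132 recommends. The stored record carries
    everything needed to verify later: "<iterations>$<salt hex>$<digest hex>".
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"{iterations}${salt.hex()}${digest.hex()}"


def build_unsalted_store(users: dict) -> dict:
    """Credential store as an unsalted scheme would keep it."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_store(users: dict) -> dict:
    """Credential store with a fresh random salt drawn for each user."""
    return {user: salted_hash(pw, os.urandom(16)) for user, pw in users.items()}


def verify_salted(password: str, stored: str) -> bool:
    """Check a login attempt against a salted record in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_hash_count(store: dict) -> int:
    """Number of distinct stored values that appear for more than one user.

    For an unsalted store this is nonzero whenever users share a password,
    so a leaked table reveals shared passwords before anyone cracks a single
    hash; a salted store shows zero duplicates for the same inputs.
    """
    counts = Counter(store.values())
    return sum(1 for n in counts.values() if n > 1)


if __name__ == "__main__":
    unsalted = build_unsalted_store(SAMPLE_USERS)
    salted = build_salted_store(SAMPLE_USERS)
    print("unsalted duplicates:", duplicate_hash_count(unsalted))  # 1
    print("salted duplicates:  ", duplicate_hash_count(salted))    # 0
    print("carol login ok:     ", verify_salted("Tr0ub4dor&3", salted["carol"]))
    print("carol wrong pw:     ", verify_salted("wrong", salted["carol"]))
```

The unsalted store makes alice’s and bob’s shared password visible by inspection, and a single precomputed table of candidate digests applies to every row; the salted store forces each user’s record to be attacked separately and, with the iteration count, makes each attempt far more expensive. That difference is the whole substance of the “below industry standard” allegation the plaintiff relied on.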

Venkat’s surreply: The idea of relying on representations in a privacy policy is laughable to me as an average consumer. However, I do wonder when it comes to privacy and security practices whether something needs to deter companies into being less cavalier. (See, e.g., Snapchat.) Class actions are a terrible tool in this context (see “The Irony of Privacy Class Action Litigation”), but given that other tools have been ineffective, maybe it’s not such a bad thing to create some fear in the minds of company privacy officers?

As for Eric’s newly-minted status as a LinkedIn Influencer, a hearty congratulations to him. If he would promise to bring the classic Eric Goldman snark (which I suspect is very unlikely), I would gladly follow his writings there.