Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation

[Post by Venkat Balasubramani]

In re LinkedIn User Privacy Litigation, 2013 WL 844291 (N.D. Cal. Mar. 5, 2013) [pdf]

LinkedIn suffered a data breach in 2012. Someone allegedly posted 6.5 million passwords and email addresses from LinkedIn users on the internet. Shortly after the password dump, LinkedIn announced that it switched encryption and would store passwords in a more secure encrypted format.

Plaintiffs predictably sued. The two named plaintiffs (in a now-consolidated lawsuit) were LinkedIn “premium” users, which meant that they paid a monthly or yearly fee for upgraded services. One of the plaintiffs alleged that her password was posted online, but the other did not. They sued on behalf of a putative class, consisting of all premium account subscribers. They also asserted claims on behalf of a subclass consisting of individuals whose information was compromised by the data breach. Plaintiffs pointed to language in LinkedIn’s privacy policy as evidence that LinkedIn had misrepresented the level of security for the storage of user passwords:

All information that you provide will be protected with industry standard protocols and technology.

In a short 8-page order, Judge Davila says plaintiffs lack standing. Plaintiffs proceeded based on a “benefit of the bargain” theory because they were paying customers, but the court found several problems with this theory.

First, there is no plausible allegation that plaintiffs paid money to LinkedIn in exchange for any enhanced security services. In fact, the privacy policy and levels of security were expressly the same for paying and non-paying users. As the court notes, the purchase of a premium account is “actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn’s services.”

Second, plaintiffs failed to allege reliance on any alleged misrepresentations—they did not allege that they read the privacy policy.

The court also says that the cases where plaintiffs asserted claims for insufficient performance have required plaintiffs to allege “something more” than merely overpaying. For example, damages based on identity theft would constitute something more, but neither plaintiff alleged any damages in this category.

One of the plaintiffs separately raised the argument that she suffered injury by virtue of her information being posted online, but the court also rejects this theory:

Plaintiff Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identity theft or theft of her personally identifiable information.

__

Plaintiffs’ failure to sue on behalf of a subclass that actually suffered out-of-pocket loss as a result of their information being posted online is telling, and probably spells the end of this lawsuit. Although they have a chance to amend, the court appears fairly hostile to plaintiffs’ claims.

The lay of the land for data breach lawsuits has not changed much. The overwhelming majority of plaintiffs lose, either on the basis of standing or the merits. In either scenario, the underlying rationale is the same: no out-of-pocket losses equals no cognizable damages.

The plaintiffs here tried a different tack that a few other plaintiffs have also tried: as paying customers, they asserted contract-based claims and claims for misrepresentation. Like earlier plaintiffs, these plaintiffs were also unsuccessful, at least on the first round. Early indications from these cases are that the “benefit of the bargain” argument is unlikely to be successful in the typical data breach case.

It’s worth noting that dodging a civil lawsuit does not mean that LinkedIn will avoid coming under fire from the FTC for its representations. More than one company has gotten into trouble over flowery language in its privacy policy about security that did not match up with actual practices.

Other coverage:

(Threat Post): LinkedIn Data Breach Lawsuit Dismissed

Related posts:

Class Action Against Path Over Cellphone Address Book Access Keeps Going

Judge Koh Whittles Down iPhone App Privacy Lawsuit

Data Breach Claim Survives Based on Allegation of Misuse of Personal Information — Burrows v. Purchasing Power

Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Network

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing

New Essay: The Irony of Privacy Class Action Lawsuits

Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net

Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark

Men’s Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute — Boorstein v. Men’s Journal

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]