A federal judge in the Northern District of California recently added to the growing list of cases rejecting attempts to recover damages resulting from data breaches.  In In re LinkedIn User Privacy Litigation, Case no. 5:12-CV-03088 EJD (March 6, 2013), the court dismissed a lawsuit brought by LinkedIn users who were upset over the June 2012 posting of 6.5 million stolen LinkedIn user passwords.  The court reasoned that plaintiffs lacked standing to sue because they had not sufficiently pled either economic harm or increased risk of future harm.

The putative class attempted to show harm by limiting the class to "premium" LinkedIn members who paid monthly fees for access to features not available to non-paying users, alleging that LinkedIn’s failure to “salt”[1] users' passwords before encrypting them—and thereby enhance password security—was not consistent with industry standards, and that because of this security lapse, among others, plaintiffs did not receive the premium product they paid for.  Plaintiffs pointed to the security portion of LinkedIn’s privacy policy as the basis of LinkedIn’s security promises. 

The court quoted several portions of LinkedIn’s privacy policy that were referenced in the complaint, including the following:

All information that you provide will be protected with industry standard protocols and technology….  In order to help secure your personal information, access to your data on LinkedIn is password-protected, and sensitive data (such as credit card information) is protected by SSL encryption when it is exchanged between your web browser and the LinkedIn website.  To protect any data you store on our servers, LinkedIn also regularly audits its system for possible vulnerabilities and attacks, and we use a tier-one secured-access data center.  However, since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn.  

While plaintiffs’ limitation of the purported class to paying premium LinkedIn members attempted to get around a common problem faced by data breach plaintiffs—that they have suffered no damage—the court was not persuaded and identified four problems with plaintiffs’ theory of "economic harm:"

1. LinkedIn’s security promises applied to all LinkedIn users, not just those who paid for premium accounts, so the premium members did not provide any monetary consideration for LinkedIn’s security services;
   
   
2. Plaintiffs did not allege that they actually read the alleged misrepresentations regarding security contained in LinkedIn's privacy policy and therefore could not have relied on those promises in purchasing premium accounts;
   
   
3. Plaintiffs' claims were primarily based on breach of contract for LinkedIn’s failure to use the promised level of security, but this economic loss would have occurred at some point before the breach, so the damages proffered by plaintiffs cannot form the basis of standing for their breach of contract-related claims; and 
   
   
4. If viewed as a defective product claim, economic harm requires not only that the plaintiffs have bought the defective product, but that they have been damaged in some way by it, and plaintiffs here did not allege "something more" than overpaying for a “defective” product.  The court noted that the “something more” could be a harm that occurred as a result of the alleged deficient security services and security breach, such as, for example, theft of their personally identifiable information.

One of the putative class representatives also alleged a "fear of future harm" theory, based on the fact that her LinkedIn password was posted on the Internet.   But the court rejected that theory and noted that an allegation that her password was merely posted online does not equate to a legally cognizable injury, such as identify theft or theft of her personally identifiable information.

The court then dismissed the complaint without prejudice and gave plaintiffs leave to amend.

[1] “Salting” is an encryption process in which random values are combined with a password before the text is encrypted.

© 2013 Perkins Coie LLP