A data breach can result in the exposure of private customer information (credit card information, social security numbers, email addresses, etc.) to unknown third parties who may fraudulently use that information. In instances where the information is used fraudulently, the customer suffers a harm that can usually be quantified or measured in some way.
But what happens when the harm to the consumer is harder to quantify? Does a plaintiff have the necessary standing or harm to bring a lawsuit? More specifically, does the customer’s private information have its own separate, inherent value that is diminished by the data breach?
At least one federal District Court recently addressed these issues and determined that yes, the private information a consumer provides a company in exchange for the company’s services may have its own inherent value for the purpose of determining whether the plaintiff has suffered harm.
In Claridge v. RockYou, Inc., the plaintiff, Mr. Claridge, was informed by the defendant, RockYou, a developer of applications for social networking sites, that his personal information, including his email address, passwords, and login credentials for social networks like MySpace and Facebook, might have been compromised through a security breach. Claridge filed a class action lawsuit against RockYou based on the data breach. RockYou moved to dismiss, arguing that Claridge lacked standing and suffered no injury as required for the underlying causes of action. Claridge responded with “a novel theory” that he paid for RockYou’s services by providing his private information, and that the private information is inherently valuable. He argued that as a result of the breach, RockYou caused plaintiff to suffer diminished “value” of his private information.
The court expressed its “doubts about plaintiff’s ultimate ability to prove his damages theory” but it nevertheless rejected RockYou’s standing argument, reasoning that there was no controlling authority one way or the other regarding the legal sufficiency of Claridge’s damages theory. The court noted that “the context in which plaintiff’s theory arises—i.e., the unauthorized disclosure of personal information via the Internet—is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.” The court did, however, dismiss several of Claridge’s counts for failure to allege the more particularized injury required for those causes of action.
The RockYou decision is important for a number of reasons, not least that it appears to be one of the first to address this issue of valuing private information. It is unclear whether RockYou will start a new trend or be an outlier, but it will be interesting to look back several years from now to see what sort of impact it has had on the development of data security law.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.