Published by Al Saikali

June 2012

Following my post on the subject last week, I had the chance to speak with Colin O’Keefe of LXBN regarding the class action suit filed against LinkedIn following their recent high-profile data breach. In the brief interview, I explain the background of the case, what damages the plaintiffs are alleging and why it’s too early to tell which way the case is going to go.

An interesting new study by CORE Security highlights a disconnect between the boardroom and the IT room in Corporate America with respect to how each view threats to IT infrastructure security.  The study found that, “[m]ore than 60% of CISOs [Chief Information Security Officers] responding said that they are very concerned about their IT systems experiencing a breach.”  In contrast, “only 15 percent of CEOs felt the same way.”

CISOs and CEOs also disagreed on the greatest security threat to their companies.  The CISOs cited lack of employee education and diligence as their primary concerns.  The CEOs, however, believed that external phishing attacks were the largest threat to the organization.

What explains this divide?  65% of CEOs admitted that they do not have sufficient data to interpret how security threats translate to overall business risk.  Indeed, more than 36% of CEOs said that their CISOs never report to them on the state of IT infrastructure security.  In other words, there is a breakdown in communication.  Also, the study found that “[s]ecurity protection is seen as an expense, not something that can save your business from being hijacked, extremely embarrassed or devalued.”

So what is the takeaway?  First, more communication is needed between the C-Suite and the IT-Suite.  Also, security needs to be taken more seriously by the upper echelon of management.  As the study recommends, “[o]rganizations need to take a proactive, intelligence-based approach to security.”  The CORE Security study is a very quick, interesting read, and it highlights that communication is one of the best information security safeguards.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Well THAT didn’t take long!  Less than 10 days after LinkedIn announced that it suffered a data breach of approximately 6.5 million user passwords, a class action lawsuit was filed against it in California federal court seeking in excess of $5 million.  The lawsuit alleges that, contrary to its Privacy Policy, LinkedIn failed to comply with long-standing industry standard encryption protocols, thereby jeopardizing its users’ personal information.  Specifically, the plaintiffs contend that LinkedIn failed to “salt” its users’ passwords and store them in hashed format.  Salting is the process of adding a random, per-user value to a password before it is hashed, so that two users with the same password do not end up with the same stored value and an attacker cannot crack every account with a single precomputed table.  Hashing runs the password through a one-way function so that the stored value cannot be turned back into the password; it is not encryption, because no key exists that reverses it.  (The file that circulated after the breach contained SHA-1 hashes, so the passwords were in fact hashed; what made them easy to crack was the absence of a salt and of a slow, iterated hashing scheme.)  The plaintiffs also claim that LinkedIn should have stored the passwords on a separate, secure server, apart from all other user information.
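To make the salting point concrete, here is an added example (mine, not code from LinkedIn or from the complaint) that puts the unsalted single-hash scheme the plaintiffs fault beside a salted, iterated one and runs the same dictionary attack against both. The account names, passwords, wordlist and the 50,000-round PBKDF2 work factor are constructed for the demo and are assumptions, not values from the case.

```python
import hashlib
import hmac
import secrets

# Work factor for the salted scheme. 50,000 rounds is an assumption chosen so the
# demo runs quickly; production settings are tuned to the hardware in use.
ITERATIONS = 50_000


def hash_unsalted(password):
    """The scheme the complaint faults: one bare SHA-1 of the password, no salt.

    Every user with the same password gets the same stored value, and one
    precomputed table of hash -> word cracks all of them at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password, salt=None):
    """Salted, iterated hash: a random per-user salt plus PBKDF2-HMAC-SHA256.

    Returns (salt, digest). The salt is stored next to the digest; it is not
    secret, it only has to be unique per user.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, expected_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, expected_digest)


def crack_unsalted(stored_hashes, wordlist):
    """Attack on the unsalted store: build the table once, then look up every hash.

    Cost is len(wordlist) hash computations no matter how many users there are.
    Returns {hash: recovered_password}.
    """
    table = {hash_unsalted(word): word for word in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def crack_salted(stored_records, wordlist):
    """Same attack on the salted store: no shared table is possible.

    Each candidate must be re-hashed under each user's own salt, so the cost is
    up to len(wordlist) * len(stored_records) PBKDF2 runs of ITERATIONS rounds.
    Returns (recovered {username: password}, number of PBKDF2 evaluations).
    """
    recovered = {}
    work = 0
    for username, salt, digest in stored_records:
        for word in wordlist:
            work += 1
            if verify_salted(word, salt, digest):
                recovered[username] = word
                break
    return recovered, work


if __name__ == "__main__":
    # Constructed sample accounts and wordlist; not real LinkedIn data.
    accounts = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
    wordlist = ["123456", "password", "linkedin", "qwerty"]

    unsalted_store = {u: hash_unsalted(p) for u, p in accounts.items()}
    print("alice and bob share a hash:", unsalted_store["alice"] == unsalted_store["bob"])
    print("cracked (unsalted):", crack_unsalted(unsalted_store.values(), wordlist))

    salted_store = [(u, *hash_salted(p)) for u, p in accounts.items()]
    found, work = crack_salted(salted_store, wordlist)
    print("cracked (salted):", found, "after", work, "PBKDF2 runs")
```

The unsalted attack pays for the wordlist once and then recovers every matching account with a dictionary lookup; the salted attack has to pay the full iterated cost once per word per user, which is the whole reason a per-user salt and a tunable work factor are the industry standard the complaint invokes.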

Who are the plaintiffs?  The plaintiffs are two classes – (1) all individuals and entities in the U.S. who had a LinkedIn account on or before June 6, 2012, and (2) everyone in the previous class who paid a monthly fee for an upgraded account.

What is the essence of the plaintiffs’ allegations?  The plaintiffs claim that LinkedIn’s data breach was the result of an “SQL injection”, a technique in which attacker-supplied input, typically typed into a web form, is pasted into a database query without being kept separate from the query’s own code, so the attacker can change what the query does and read data the form was never meant to expose.  The plaintiffs imply that it would have been easy for LinkedIn to adopt security measures that would have avoided SQL injection vulnerabilities.  Perhaps hoping that their class action complaint will gain the attention of the FTC, the plaintiffs draw a comparison to an FTC action against a different company for claiming to secure customer data while remaining vulnerable to SQL injection attacks.
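Here is an added example (my own, illustrating the technique as the plaintiffs describe it, not anything from LinkedIn’s code or the complaint) of a login check and a user search built by string concatenation, beside the parameterised versions that close the hole. The table, rows and attacker inputs are constructed for the demo; passwords are stored in plaintext only so the injection point stays visible.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    # Plaintext passwords here only to keep the demo short; a real store holds salted hashes.
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Form fields pasted straight into the SQL text: the input becomes part of the query."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends values separately, so they can never become SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?", (username, password)
    ).fetchone()
    return row is not None


def find_users_vulnerable(conn, name):
    """Search box built by concatenation; a UNION in the input reads any column of any table."""
    query = f"SELECT username FROM users WHERE username = '{name}'"
    return {row[0] for row in conn.execute(query)}


def find_users_safe(conn, name):
    """Same search with a bound parameter: the input is only ever compared as a value."""
    return {row[0] for row in conn.execute("SELECT username FROM users WHERE username = ?", (name,))}


# Constructed attacker inputs, exactly as they would be typed into a web form.
BYPASS = "' OR '1'='1"                              # turns the WHERE clause permanently true
DUMP = "x' UNION SELECT password FROM users --"     # appends a second SELECT over another column


if __name__ == "__main__":
    conn = make_db()
    print("bypass, vulnerable:", login_vulnerable(conn, "alice", BYPASS))   # True
    print("bypass, safe:      ", login_safe(conn, "alice", BYPASS))         # False
    print("dump, vulnerable:  ", find_users_vulnerable(conn, DUMP))         # every password
    print("dump, safe:        ", find_users_safe(conn, DUMP))               # set()
```

The fix is not to filter quotes out of the input; it is to stop building SQL from strings at all, so the database receives the query and the user’s data through separate channels and the data can never be parsed as code.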

What are the legal causes of action?  The lawsuit is based on several different causes of action:

  • Violation of California’s Unfair Competition Law – that LinkedIn failed to expend the resources necessary to protect its users’ data and created a perception that it followed industry standard protocols for security when in fact it did not.
  • Violation of California’s Consumers Legal Remedies Act – that LinkedIn deceptively induced the plaintiffs to register with LinkedIn based upon deceptive and misleading representations that it would take reasonable steps to safeguard its users’ sensitive personal information.
  • Breach of Contract (all-users class) – that LinkedIn failed to comply with the portion of its User Agreement and Privacy Policy in which it promised to protect its users’ personal information by implementing industry standard protocols and technology.
  • Breach of Contract (premium users class) – same allegation of the previous breach of contract claim, but here the plaintiffs paid actual money for upgraded services.
  • Breach of Implied Covenant of Good Faith and Fair Dealing – that LinkedIn breached the implied covenant of good faith and fair dealing by failing to safeguard and secure sensitive personal information from unauthorized access and theft.  Instinctually I wonder how this count can stand when it is precisely the same as the breach of express contract count, but again, I’m sure this is something the parties will litigate.
  • Breach of Implied Contract – that pursuant to implied contracts with Plaintiffs, LinkedIn was obligated to take commercially reasonable steps to secure and safeguard the plaintiffs’ information.
  • Negligence – that LinkedIn had a duty to exercise reasonable care to secure the plaintiffs’ information and to use industry standard protocols and technology to do so, but it failed to do that.
  • Negligence per se – that LinkedIn’s violation of California’s Unfair Competition Law  (see first count) is automatically negligence.

So what are the class members’ damages?  The plaintiffs contend that they paid for LinkedIn’s services with actual dollars (in the case of premium services) and with their personal information (first name, last name, email address, and password).  Remember, the plaintiffs are divided into two classes.  With respect to the first class (all LinkedIn users), those plaintiffs claim to “have lost money and/or property”, but their specific explanation of money lost is “money in the form of the value of their personal data.”  (I’m skeptical that such damages will be cognizable by the court, as money is money, not personal data, but this is not totally out of left field, as the RockYou decision demonstrates).  Their lost property is “in the form of their breached personal data.”  With respect to the second class (premium members), those plaintiffs claim to have lost money in the form of monthly membership fees.

In sum, damages, standing, and the proper causes of action are all interesting issues that the court is sure to address at some point, depending on how long this litigation proceeds.  No matter how the litigation proceeds, however, it is yet another example of consumers and their lawyers rushing to the courthouse to file lawsuits soon after a high-profile data breach.  It will be interesting to see how this one unfolds . . . .


Tom Barnett, Managing Director and eDiscovery Practice Leader for Stroz Friedberg, has written an article entitled “What Happens on Facebook Stays on Facebook”.  The article provides a good overview of legislation passed recently by the Maryland legislature, which prohibits an employer or prospective employer from asking their employees or prospective employees for their social media passwords.  Similar legislation is now pending in Congress and several other states.  Tom’s article also does a nice job of framing the big picture issue of whether the recent legislation portends a shift in the law towards greater privacy rights for employees in the workplace.  I highly recommend this quick read.

 


Flying “under the radar” this week as a result of the high profile LinkedIn data breach, was news that the Federal Trade Commission charged two businesses with illegally exposing the sensitive personal information of consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems.  P2P software is commonly used to play games, make online telephone calls, and share software, music, videos and documents.  If not configured correctly, however, files not intended for sharing may be accessible to anyone on the P2P network.  Once shared, a file usually cannot be permanently removed from the P2P network.

In February 2010, the FTC issued a warning about the improper release of sensitive consumer data on P2P file-sharing networks.  FTC Chairman, Jon Leibowitz, recommended that “[c]ompanies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.  Just as important, companies that distribute P2P programs . . . should ensure that their software design does not contribute to inadvertent file sharing.”

Fast-forward two years: the FTC recently filed two complaints against businesses that allowed P2P technology to be used on their networks, exposing their consumers’ personally identifiable information.  The FTC has entered into settlements in both cases, but the lessons about a company’s obligation to monitor the software its employees install are invaluable.

In the first complaint, the FTC alleged that an auto dealer compromised its consumers’ personal information by allowing P2P software to be installed on its network, which led to sensitive financial information being uploaded to the P2P network.  The FTC claims that the auto dealer failed to implement “reasonable security measures” such as:

  • assessing risks to the consumer information it collected and stored
  • adopting policies to prevent or limit unauthorized disclosure of information
  • preventing, detecting, and investigating unauthorized access to personal information on its networks
  • adequately training employees
  • responding to unauthorized access to personal information
  • Because the dealer is also a financial institution, it is subject to the Gramm-Leach-Bliley Act, including the Safeguards Rule; the FTC accordingly also alleged that it failed to provide annual privacy notices and a mechanism by which consumers could opt out of information sharing with third parties.

In the second complaint, the FTC charged a debt collection company with failure to implement reasonable security measures after the company’s COO installed a P2P application on her desktop computer that allowed private information of 3,800 of the company’s clients’ customers to leak into the P2P network.  The FTC’s complaint details some of the debt collection company’s alleged failures:

  • failure to adopt an information security plan that was appropriate for its network and the personal information processed and stored on them
  • failure to implement an incident response plan
  • failure to assess risks to the consumer information collected and stored online
  • failure to adequately train employees about security to prevent unauthorized disclosure of personal information
  • failure to assess and enforce compliance with its existing security policies and procedures, such as scanning networks to identify unauthorized P2P file sharing applications and other unauthorized applications operating on the networks or blocking installation of such programs
  • failure to prevent, detect, and investigate unauthorized access to personal information on its networks, such as by logging network activity and inspecting outgoing transmissions to the Internet to identify unauthorized disclosures of personal information.

The settlement agreements entered into in both cases require the companies to, among other things, establish and maintain a comprehensive information security program and undergo data security audits by independent auditors every other year for 20 years.

So what are the takeaways?  First, this is a major warning to companies that the FTC may hold them responsible for software that an employee installs on her own desktop.  Second, P2P software can be a significant threat to private information, and it is important that companies take steps to monitor, and perhaps entirely prevent, the use of such software.  Third, the terms of settlement show why it is important for companies to be proactive and, before a data breach occurs, undergo audits of their information security network, adopt information security policies and procedures, train their employees, and stay vigilant against threats to private information stored on their networks.

 
