Well THAT didn’t take long! Less than 10 days after LinkedIn announced that it suffered a data breach of approximately 6.5 million user passwords, a class action lawsuit was filed against it in California federal court seeking in excess of $5 million. The lawsuit alleges that, contrary to its Privacy Policy, LinkedIn failed to comply with long-standing industry standard encryption protocols, thereby jeopardizing its users’ personal information. Specifically, the plaintiffs contend that LinkedIn failed to “salt” its users’ passwords and store them in hashed format. Salting is the process of adding random values to a password before it is hashed and stored, so that two users with the same password do not end up with the same stored value. Hashing is a one-way transformation that turns the password into a fixed-length value from which the original password cannot practically be recovered; the site stores that value rather than the password itself. The plaintiffs also claim that LinkedIn should have stored the passwords on a separate, secure server, apart from all other user information.
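To make the salting-and-hashing distinction concrete, here is an added illustration in Python. It is not code from this post and not LinkedIn’s code; the sample passwords are constructed, and the choice of PBKDF2-HMAC-SHA256 with an arbitrary iteration count stands in for whatever slow, salted scheme a site would actually pick. It shows the unsalted case (identical passwords produce identical stored values) beside the salted case (identical passwords produce different stored values, yet each can still be verified).

```python
import hashlib
import hmac
import os

# Constructed sample passwords for the demonstration only; two users chose the
# same password, which is exactly the situation salting is meant to address.
SAMPLE_PASSWORDS = ["correct horse", "correct horse", "battery staple"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a bare one-way hash with no salt.

    Identical passwords give identical hashes, so a single cracked hash reveals
    every account that used that password, and precomputed tables work directly.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """The stronger scheme: a fresh random salt per user plus a slow hash.

    The salt is stored next to the hash in the clear; it is not a secret, it just
    has to be unique so that equal passwords do not collide in storage.
    Iteration count is an arbitrary illustrative value (assumption).
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted_record(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    """Return the observable differences between the two storage schemes."""
    unsalted = [unsalted_sha1(p) for p in SAMPLE_PASSWORDS]
    records = [make_salted_record(p) for p in SAMPLE_PASSWORDS]
    return {
        # Same password, no salt: the stored values are identical.
        "unsalted_collide": unsalted[0] == unsalted[1],
        # Same password, per-user salt: the stored values differ.
        "salted_collide": records[0]["hash"] == records[1]["hash"],
        # The salted record still verifies the correct password ...
        "verify_ok": verify_salted_record("correct horse", records[0]),
        # ... and rejects a wrong one.
        "verify_wrong": verify_salted_record("wrong password", records[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point a court (or a regulator) would care about is visible in the first two results: without a salt, the 6.5 million stored values can be attacked as a single batch, and every user who shares a password falls together; with a salt, each stored value has to be attacked on its own.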
Who are the plaintiffs? The plaintiffs are two classes – (1) all individuals and entities in the U.S. who had a LinkedIn account on or before June 6, 2012, and (2) everyone in the previous class who paid a monthly fee for an upgraded account.
What is the essence of the plaintiffs’ allegations? The plaintiffs claim that LinkedIn’s data breach was a result of an “SQL injection”, a hacking technique that makes use of a web form to exploit a vulnerability in the LinkedIn website software. The plaintiffs imply that it would have been easy for LinkedIn to adopt security measures that would have avoided SQL injection vulnerabilities. Perhaps hoping that their class action complaint will gain the attention of the FTC, the plaintiffs draw a comparison to an FTC action against a different company for claiming to secure customer data while remaining vulnerable to SQL injection attacks.
What are the legal causes of action? The lawsuit is based on several different causes of action:
- Violation of California’s Unfair Competition Law – that LinkedIn failed to expend the resources necessary to protect its users’ data and created a perception that it followed industry standard protocols for security when in fact it did not.
- Violation of California’s Consumers Legal Remedies Act – that LinkedIn deceptively induced the plaintiffs to register with LinkedIn based upon deceptive and misleading representations that it would take reasonable steps to safeguard its users’ sensitive personal information.
- Breach of Contract (all-users class) – that LinkedIn failed to comply with the portion of its User Agreement and Privacy Policy in which it promised to protect its users’ personal information by implementing industry standard protocols and technology.
- Breach of Contract (premium users class) – same allegation of the previous breach of contract claim, but here the plaintiffs paid actual money for upgraded services.
- Breach of Implied Covenant of Good Faith and Fair Dealing – that LinkedIn breached the implied covenant of good faith and fair dealing by failing to safeguard and secure sensitive personal information from unauthorized access and theft. Instinctually I wonder how this count can stand when it is precisely the same as the breach of express contract count, but again, I’m sure this is something the parties will litigate.
- Breach of Implied Contract – that pursuant to implied contracts with Plaintiffs, LinkedIn was obligated to take commercially reasonable steps to secure and safeguard the plaintiffs’ information.
- Negligence – that LinkedIn had a duty to exercise reasonable care to secure the plaintiffs’ information and to use industry standard protocols and technology to do so, but it failed to do that.
- Negligence per se – that LinkedIn’s violation of California’s Unfair Competition Law (see first count) is automatically negligence.
So what are the class members’ damages? The plaintiffs contend that they paid for LinkedIn’s services with actual dollars (in the case of premium services) and with their personal information (first name, last name, email address, and password). Remember, the plaintiffs are divided into two classes. With respect to the first class (all LinkedIn users), those plaintiffs claim to “have lost money and/or property”, but their specific explanation of money lost is “money in the form of the value of their personal data.” (I’m skeptical that such damages will be cognizable by the court, as money is money, not personal data, but this is not totally out of left field, as the RockYou decision demonstrates.) Their lost property is “in the form of their breached personal data.” With respect to the second class (premium members), those plaintiffs claim to have lost money in the form of monthly membership fees.
In sum, damages, standing, and the proper causes of action are all interesting issues that the court is sure to address at some point, depending on how long this litigation proceeds. No matter how the litigation proceeds, however, it is yet another example of consumers and their lawyers rushing to the courthouse to file lawsuits soon after a high-profile data breach. It will be interesting to see how this one unfolds . . . .
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.