Saturday, March 16, 2013

Class action against LinkedIn for password breach dismissed for lack of harm

Earlier this month, a US district court judge dismissed a $5 million class action lawsuit brought against LinkedIn related to the breach of its password database. (Here's the decision [PDF].) The plaintiffs claimed that LinkedIn failed to use industry-standard best practices to secure passwords (hashes and salts) and also argued that LinkedIn Premium members paid for but didn't get a premium level of security.

What is most interesting about this case is how typical it is for many privacy-related class actions. Some security snafu results in a password database being compromised, so the service provider has to notify users and rest passwords. Seldom are they associated with actual misuse that causes actual harm to the user, other than some angst and the bother of having to reset passwords. But the most important thing is that there is no actual, discernable harm to the user. No out of pocket costs and no detected fraud against the user.

Negligence law, under which most of these claims are founded, is based on a breach of a legal duty that results in harm. If you have no harm, you have no negligence -- at least in law. So in this case, counsel for the plaintiffs argued that this was actually a breach of contract based on the LinkedIn terms of use. The argument was that premium members contracted for premium security. The judge dismissed this argument saying that premium members were promised the same security as free members. However, in contract cases, the court said that the degree of harm suffered by the plaintiff is relevant:

... in cases where the alleged wrong stems from allegations about insufficient performance or how a product functions, courts have required plaintiffs to allege “something more” than “overpaying for a ‘defective’ product.” Plaintiffs do not argue that they did not receive security services; rather, they argue the security services were defective in some way, as evinced by the 2012 hacking incident. This is not the case where consumers paid for a product, and the product they received was different from the one as advertised on the product’s packaging. Because Plaintiffs take issue with the way in which LinkedIn performed the security services, they must alleged “something more” than pure economic harm. This “something more” could be a harm that occurred as a result of the deficient security services and security breach, such as, for example, theft of their personally identifiable information. [citations omitted]

The court also dismissed the argument that the harm suffered by the plaintiff was a risk of future harm. This argument suggests that the password breach meant that the plaintiff was now at risk of identity theft or other financial fraud, and this is a harm in and of itself. The Court said:

C. Increased Risk of Future Theory

Plaintiff Wright offers an additional theory of injury-in-fact to support her claim of standing. She contends that, as a result of the 2012 hacking incident and the posting of her password on the Internet, there is now an increased risk of future harm. The Court finds that standing on this ground has not been met because these allegations have not been alleged in the FAC. Plaintiff Wright merely alleges that her LinkedIn password was “publically posted on the Internet on June 6, 2012.” In doing so, Plaintiff Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identify theft or theft of her personally identifiable information.

This case highlights an important characteristic of most data breaches that aren't directly linked to financial harm: it is difficult to show any kind of harm that the courts will consider compensating. That doesn't mean that the right facts will show up one day to permit a court to open the door, but for now privacy class actions are likely to be more of a nuisance to the defendant than a clear path to compensation for putative plaintiffs.

For more background, see: Infosecurity - LinkedIn's $5M class-action data breach lawsuit dismissed.

No comments: