[Post by Venkat Balasubramani]
This is a lawsuit filed in the wake of a widely reported data breach at LinkedIn. Plaintiffs alleged benefit-of-the-bargain type claims against LinkedIn, saying LinkedIn failed to live up to its security practices. The first time around, the court rejected these claims and granted LinkedIn’s motion to dismiss. (“Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation.”) This time around, the named plaintiff slightly adjusts her pleadings, and part of her claim survives.
Standing: She alleges that she was a premium subscriber from March through August 2010 and that:
Plaintiff states a claim: LinkedIn raised a variety of arguments on the merits, including that the representation in question was not material, that the precise method of data encryption was disclosed, and that this isn’t something that would register with an average consumer. None of these is sufficient at the motion to dismiss stage. Plaintiff alleged “plausible” explanations and arguments for why the statement was false and would be likely to mislead customers, and that’s the extent of the court’s inquiry. As to her explanation of falsity, the court cites to the fact that (1) LinkedIn’s encryption practices were not in line with prevailing industry recommendations (by the National Institute of Standards and Technology), and (2) a few days after the data breach, LinkedIn publicly stated that it would revise its encryption practices to bring them in line with prevailing industry standards.
The court dismissed the breach of contract and UCL claim based on the unfairness prong previously, and dismisses those claims with prejudice. The UCL claim based on the fraud prong survives.
Privacy plaintiffs who happen to be paying customers are continuously fine-tuning their claims, and it was inevitable that they would find some sort of hook, at least to survive a motion to dismiss. To their benefit, the theory advanced doesn’t require a showing of harm flowing from the breach – i.e., they need not show that their information was ultimately misused. But they would have to prove up their allegations that they read and relied on the policies in question, and that’s where they will face some serious challenges. The case may also not lend itself to class resolution, and this may derail the case as a class action as well. (See the Gmail privacy litigation ruling.)
Case Citation: In re LinkedIn User Privacy Litigation, 12-CV-03088-EJD (N.D. Cal. Mar. 28, 2014)