LinkedIn Dodges $5M Privacy Suit Over Password Hacking (Law360)

LinkedIn Corp. on Tuesday escaped a $5 million putative class action over a security breach as a California federal judge ruled the plaintiffs had not shown they suffered an "economic harm" as a result of the hacking of 6.5 million passwords.

U.S. District Judge Edward J. Davila didn't buy the plaintiffs' "benefit of the bargain" theory that they had standing to sue because LinkedIn promised in its privacy policy to provide them with a particular level of password security in return for their purchase of paid premium memberships. The June incident in which a hacker dumped passwords onto the Internet, they argued, showed that was an empty promise.

LinkedIn's privacy policy is the same for all users, any alleged promise to premium members regarding security protocols also being made to nonpaying members, Judge Davila noted in granting LinkedIn's motion to dismiss.

"Thus, when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn's services," he said. "The [first amended complaint] does not sufficiently demonstrate that included in plaintiffs' bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership."

But Judge Davila gave the plaintiffs leave to further amend their complaint, suggesting they allege "'something more' than pure economic harm" that resulted from the security breach "for example, theft of their personally identifiable information."

Katie Szpyrka, an Illinois woman who had been paying $26.95 per month for premium LinkedIn membership, filed a proposed class action June 15 alleging LinkedIn failed to use basic industry standard encryption methods to protect users' passwords. The company had confirmed the security breach nine days earlier.

"LinkedIn failed to use a modern hashing and salting function, and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of security," the suit said.

Hashing is the process for encrypting a password, while salting refers to adding random values to a password before it is put into the hashing function, which makes the encrypted password much tougher to decipher, according to the suit.

Judge Davila consolidated the suit with three similar cases in August and another premium member, Khalilah Gilmore-Wright, was added to the suit in November. The plaintiffs alleged, among other things, violations of California's unfair competition law, breach of contract and negligence.

"[The] allegations constitute nothing more than speculation about hypothetical future harm that is insufficient to establish standing to sue," LinkedIn argued in its motion to dismiss.

In granting the motion, Judge Davila said the case was distinguishable from those in which plaintiffs "had standing to sue where they alleged that they would not have purchased a food product had they known that the product was not as advertised on the product's labeling."

"The [complaint] fails to sufficiently allege that plaintiffs actually provided consideration for the security services which they claim were not provided," he said.

The plaintiffs are represented by Jay Edelson, Rafey S. Balabanian, Ari J. Scharg and Christopher L. Dore of Edelson McGuire LLC and by Laurence D. King and Linda M. Dong of Kaplan Fox & Kilsheimer LLP.

LinkedIn is represented by Michael G. Rhodes, Matthew D. Brown, Benjamin H. Kleine and Ritesh Srivastava of Cooley LLP.

The consolidated case is In re: LinkedIn User Privacy Litigation, case No. 5:12-cv-03088, in the U.S. District Court for the Northern District of California.

 All Content © 2003-2013, Portfolio Media, Inc.

Related Contacts
Michael Rhodes Partner, San Francisco
Matthew D. Brown Partner, San Francisco
Benjamin Kleine Partner, San Francisco