Press Mention

LinkedIn Dodges $5M Privacy Suit Over Password Hacking (Law360)

March 6, 2013

LinkedIn Corp. on Tuesday escaped a $5 million putative class action over a security breach as a California federal judge ruled the plaintiffs had not shown they suffered an "economic harm" as a result of the hacking of 6.5 million passwords.

U.S. District Judge Edward J. Davila didn't buy the plaintiffs' "benefit of the bargain" theory that they had standing to sue because LinkedIn promised in its privacy policy to provide them with a particular level of password security in return for their purchase of paid premium memberships. The June incident in which a hacker dumped passwords onto the Internet, they argued, showed that was an empty promise.

LinkedIn's privacy policy is the same for all users, with any alleged promise to premium members regarding security protocols also being made to nonpaying members, Judge Davila noted in granting LinkedIn's motion to dismiss.

"Thus, when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn's services," he said. "The [first amended complaint] does not sufficiently demonstrate that included in plaintiffs' bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership."

But Judge Davila gave the plaintiffs leave to further amend their complaint, suggesting they allege "'something more' than pure economic harm" that resulted from the security breach, "for example, theft of their personally identifiable information."

Katie Szpyrka, an Illinois woman who had been paying $26.95 per month for premium LinkedIn membership, filed a proposed class action June 15 alleging LinkedIn failed to use basic industry standard encryption methods to protect users' passwords. The company had confirmed the security breach nine days earlier.

"LinkedIn failed to use a modern hashing and salting function, and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of security," the suit said.

Hashing is the process for encrypting a password, while salting refers to adding random values to a password before it is put into the hashing function, which makes the encrypted password much tougher to decipher, according to the suit.

Judge Davila consolidated the suit with three similar cases in August and another premium member, Khalilah Gilmore-Wright, was added to the suit in November. The plaintiffs alleged, among other things, violations of California's unfair competition law, breach of contract and negligence.

"[The] allegations constitute nothing more than speculation about hypothetical future harm that is insufficient to establish standing to sue," LinkedIn argued in its motion to dismiss.

In granting the motion, Judge Davila said the case was distinguishable from those in which plaintiffs "had standing to sue where they alleged that they would not have purchased a food product had they known that the product was not as advertised on the product's labeling."

"The [complaint] fails to sufficiently allege that plaintiffs actually provided consideration for the security services which they claim were not provided," he said.

The plaintiffs are represented by Jay Edelson, Rafey S. Balabanian, Ari J. Scharg and Christopher L. Dore of Edelson McGuire LLC and by Laurence D. King and Linda M. Dong of Kaplan Fox & Kilsheimer LLP.

LinkedIn is represented by Michael G. Rhodes, Matthew D. Brown, Benjamin H. Kleine and Ritesh Srivastava of Cooley LLP.

The consolidated case is In re: LinkedIn User Privacy Litigation, case No. 5:12-cv-03088, in the U.S. District Court for the Northern District of California.

All Content © 2003-2013, Portfolio Media, Inc.
