To date, consumers have been largely unsuccessful in suing companies that have allowed their personal information to be exposed through a data security breach. However, a California plaintiff suing LinkedIn recently fended off an early attempt by the defendant to dismiss her claims.
Khalilah Wright sued LinkedIn in a California federal court, alleging that the company violated California’s Unfair Competition Law (the “UCL”) by falsely claiming in its User Agreement and Privacy Policy that “[a]ll information that [users] provide will be protected with industry standard protocols and technology.” In re LinkedIn Privacy Litigation, No. 5:12-cv-03088-EJD, 2014 WL 13237413 (N.D. Cal. Mar. 28, 2014). After Ms. Wright’s password was allegedly retrieved by hackers in 2012, she filed a class action suit, alleging that she and her fellow class members relied upon this false statement to their detriment when they decided to purchase a premium subscription to LinkedIn. The plaintiff alleged that industry standard protection would have included “salting” and “hashing” encryption. Had she known that LinkedIn’s security practices did not include salting and hashing, Ms. Wright claims she would have either declined to pay for the premium subscription, or she would have sought to obtain a lower price for that subscription.
Under California’s UCL, a consumer has standing to bring a claim if she alleges that she was induced by a company’s false representations to purchase a product that she otherwise would not have purchased. Accordingly, the court held that the plaintiff had sufficient standing to survive the defendant’s motion to dismiss. LinkedIn also argued that the alleged misrepresentation was not “material” because it is implausible that any consumer would have relied upon that single sentence in its User Agreement and Privacy Policy when deciding whether or not to purchase a premium subscription, particularly where that policy was applicable to all members of LinkedIn, whether or not they were premium subscribers. The court rejected that argument, however, stating that “[t]he materiality of a misrepresentation is typically an issue of fact, and therefore should not be decided at the motion to dismiss stage.”
Although Ms. Wright’s claim survived the motion to dismiss (a procedural context which assumes that all of the plaintiff’s allegations are true), that does not mean that she would win at trial. LinkedIn has a point that the plaintiff’s reliance on this single sentence may be far-fetched. Most consumers rarely, if ever, actually read increasingly lengthy provider agreements before signing up for an online service. Furthermore, the UCL only provides injunctive relief and restitution as remedies for successful plaintiffs. If the court decides that this case is not appropriate for a class action, Ms. Wright’s damages in this case will likely be limited to restitution for her subscription fees.
This case does serve as a reminder for companies, however, that a stray statement about data security and privacy standards may result in a claim in the event of a data security breach. Plaintiffs’ counsel are continually fine-tuning their allegations and complaints as data security litigation evolves. Companies with an online presence need to be proactive about taking reasonable steps to protect their customers’ private information.
1 “Salting” is an encryption process that protects information by joining a plaintext password with a series of randomly generated characters prior to hashing.
2 “Hashing” is an encryption process that protects information by applying a one-way function to it such that minor changes in inputs result in major changes to outputs.