To date, consumers have been largely unsuccessful in suing companies that have allowed their personal information to be exposed through a data security breach. However, a California plaintiff suing LinkedIn recently fended off an early attempt by the defendant to dismiss her claims.
Although Ms. Wright’s claim survived the motion to dismiss (a procedural context that assumes that all of the plaintiff’s allegations are true), that does not mean that she would win at trial. LinkedIn has a point that the plaintiff’s reliance on this single sentence may be far-fetched. Most consumers rarely, if ever, actually read increasingly lengthy provider agreements before signing up for an online service. Furthermore, the UCL only provides injunctive relief and restitution as remedies for successful plaintiffs. If the court decides that this case is not appropriate for a class action, Ms. Wright’s damages in this case will likely be limited to restitution for her subscription fees.
This case does serve as a reminder for companies, however, that a stray statement about data security and privacy standards may result in a claim in the event of a data security breach. Plaintiffs’ counsel are continually fine-tuning their allegations and complaints as data security litigation evolves. Companies with an online presence need to be proactive about taking reasonable steps to protect their customers’ private information.
1 “Salting” is a cryptographic process that protects information by joining a plaintext password with a series of randomly generated characters prior to hashing.
2 “Hashing” is a cryptographic process that protects information by applying a one-way function to it such that minor changes in inputs result in major changes to outputs.