Premium LinkedIn Users Lack Standing In Putative Class Action Over Password Hack


The U.S. District Court for the Northern District of California March 5 dismissed without prejudice a putative class action against LinkedIn Corp. over its alleged failure to use industry standard protocols to safeguard sensitive user information, finding that the plaintiffs lacked standing.

The court said that lawsuits over “insufficient performance or how a product functions” require plaintiffs to allege “something more” than that they overpaid for the product. It said that in this case, such a harm might be the “theft of their personally identifiable information.”

The court also said the plaintiffs did not show the putative class of premium LinkedIn members purchased an additional level of security as compared to free users. Nor, it added, did the plaintiffs even allege that they had read the social media website's privacy policy.

Millions of Passwords Posted Online

LinkedIn confirmed in June 2012 that “approximately 6.5 million LinkedIn passwords” were posted on a hacker website (11 PVLR 925, 6/11/12). Later that month, Katie Szpyrka filed a putative class action against the online professional networking website (11 PVLR 1006, 6/25/12). Szpyrka alleged in her complaint that LinkedIn failed to live up to a statement in its privacy policy that it would protect user information “with industry standard protocols and technology.”

In August, the Northern District of California consolidated four putative class action lawsuits regarding the alleged data breach (11 PVLR 1388, 9/10/12).

A first amended complaint was filed in November 2012 in the consolidated lawsuit with Szpyrka and Khalilah Gilmore-Wright as named plaintiffs. Szpyrka said she paid $26.95 monthly for a premium LinkedIn account, and Gilmore-Wright reported paying a monthly $99.95 fee. The putative class would have included any premium LinkedIn users who paid for a premium account prior to June 7, 2012.

The plaintiffs argued they had standing in the case under a theory of economic harm because they never would have purchased the premium memberships had they known LinkedIn would fail to protect their information in the manner promised in its privacy policy.

The plaintiffs' complaint argued LinkedIn did not use industry standard protocols when storing passwords. The complaint said the company should have repeatedly “hashed” and “salted” the passwords.

“Hashing,” the complaint said, inputs a password into a “cryptographic hash function” that converts the data “into an unreadable, encrypted format.” It added that “salting” refers to assigning random values to a password “before the text undergoes the hashing process.”

The court noted that LinkedIn's privacy policy told users that “since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.”

Not Akin to Food Labeling Cases

The court noted that the plaintiffs' theory of economic harm in the case had provided standing in food mislabeling cases. For example, the court said in Chavez v. Blue Sky Natural Beverage Co., 340 F. App'x 359 (9th Cir. 2009), the U.S. Court of Appeals for the Ninth Circuit ruled a plaintiff had standing when he alleged he would not have purchased a product if he had known its actual geographic origins.

The court said that this LinkedIn case was distinguishable from those lawsuits for four reasons. First, it explained, the plaintiffs failed to show they actually were promised an additional level of security for a premium membership, noting that the same user agreement and privacy policy apply to premium and free members alike.

“[W]hen a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn's services,” the court said.

It added that a second problem with the plaintiffs' lawsuit was they did not allege they had read LinkedIn's privacy policy, “which would be necessary to support a claim of misrepresentation.”

A third issue, the court said, was that the case primarily brought breach-of-contract claims against LinkedIn. The plaintiffs' allegations that they did not receive the full security protections they had bargained for could not be the “resulting damages” required for a breach-of-contract claim, the court held.

Finally, the court said, the lawsuit was distinguishable because courts usually require “something more” in cases where plaintiffs allege a wrong was suffered because of a product's insufficient performance or how it functioned. The court said that in this case, that “something more” might be the theft of the plaintiffs' personally identifiable information.

It therefore dismissed the complaint but provided the plaintiffs with leave to amend.

Jay Edelson, Ari J. Scharg, Christopher L. Dore, and Rafey S. Balabanian, of Edelson McGuire LLC's Chicago office; Sean P. Reis, of Edelson's Rancho Santa Margarita, Calif., office; Laurence D. King and Linda M. Fong, of Kaplan Fox & Kilsheimer LLP's San Francisco office; Joseph J. Siprut, of Siprut PC's Chicago office; Todd C. Atkins, of Siprut's San Diego office; and David C. Parisi and Suzanne L. Havens Beckman, of Parisi & Havens LLP, in Sherman Oaks, Calif., represented the class plaintiffs. Michael G. Rhodes, Matthew D. Brown, and Whitty Somvichian, of Cooley LLP, in San Francisco, represented LinkedIn.

Full text of the court's opinion is available at

Full text of the plaintiffs' first amended complaint is available at
