Class Action Claims LinkedIn Failed to Secure Customer Information

A recent class action filed in California federal court alleges that the popular networking site LinkedIn failed to adhere to industry best practices and its own privacy policy by improperly safeguarding users personally identifiable information. The class action follows shortly after news broke that hackers had stolen and published 6.5 million user passwords from LinkedIn. The company has indicated that although the majority of the passwords accessed were encoded, a subset were decoded by the hackers. According to the complaint, although LinkedIn represented in its privacy policy that “all information that you provide [to LinkedIn] will be protected with industry standard protocols and technology,” it fell short of these representations by not securing sensitive information using industry standard encryption protocols. Plaintiffs argue that LinkedIn failed to live up to current industry standards by using outdated security protocols. By failing to live up to the alleged industry standard, plaintiffs claim that LinkedIn deceived its customers in its privacy policy, acted in bad faith and with negligence, breached its customer contracts, and violated California’s Unfair Competition Law and Consumer Law. LinkedIn has stated to the press that no users’ accounts have been accessed by unauthorized individuals, and that it intends to fight this lawsuit vigorously.

TIP: This case suggests that plaintiffs’ attorneys are taking steps to investigate what security measures companies are actually using, and are taking action based on the results of their investigations. For those companies that, like many others, represent that they use “industry standard” measures to protect information, it may be worth conducting diligence to find out what measures are in place. It may also be worthwhile reviewing those measures on a regular basis to ensure that they meet with the most recent, accepted, industry norm.