Data Breach Suit Allowed to Proceed Against LinkedIn

An ongoing case arising from a 2012 LinkedIn data breach incident has survived dismissal in the Northern District of California. The original plaintiffs first brought a class action lawsuit based on the 2012 data breach (see our report from when the case was filed). The breach involved hackers that infiltrated LinkedIn’s computer systems and posted approximately 6.5 million user passwords on the Internet. Plaintiffs had alleged that LinkedIn’s site misrepresented its security measures by claiming that users’ information “will be protected with industry standard protocols and technology,” when, in fact, the information was subject to a hacker attack. The plaintiffs brought several causes of action against LinkedIn; however, the complaint was dismissed for lack of standing, in particular, because the plaintiffs failed to allege that they read the LinkedIn’s privacy policy or plead a legally cognizable injury. An amended complaint was filed, alleging breach of contract and two claims for unfair competition, and asserting that the plaintiff had read the privacy policy. LinkedIn moved to dismiss. The court recently denied LinkedIn’s motion to dismiss the unfair competition claim based on fraud, holding that when a company makes false representations, … “a consumer who is induced by them to purchase a product that she otherwise would not have purchased has standing to bring an action” under California’s unfair competition law. The court did, however, dismiss the contract claim and the unfair competition claim without much analysis, but without argument from the plaintiff. The case is continuing on the remaining unfair competition allegation, and a case management conference is scheduled for June 6, 2014.   

TIP: This case is a reminder that promises of data protection may be used by plaintiffs as a potential “weapon” in a lawsuit that might arise after a data breach.