Court Dismisses Data Security Suit Against LinkedIn for Lack of Standing | Practical Law

Court Dismisses Data Security Suit Against LinkedIn for Lack of Standing | Practical Law

In In re LinkedIn User Privacy Litigation, the US District Court for the Northern District of California dismissed a class action lawsuit against LinkedIn stemming from a breach of its system because the plaintiffs, two LinkedIn users, failed to allege a sufficient injury under Article III's case or controversy requirement.

Court Dismisses Data Security Suit Against LinkedIn for Lack of Standing

Practical Law Legal Update 3-525-0327 (Approx. 3 pages)

Court Dismisses Data Security Suit Against LinkedIn for Lack of Standing

by PLC Intellectual Property & Technology
Published on 11 Mar 2013USA (National/Federal)
In In re LinkedIn User Privacy Litigation, the US District Court for the Northern District of California dismissed a class action lawsuit against LinkedIn stemming from a breach of its system because the plaintiffs, two LinkedIn users, failed to allege a sufficient injury under Article III's case or controversy requirement.

Key Litigated Issue

The key issue in this order granting the defendant's motion to dismiss is whether the plaintiffs had Article III standing to pursue their claims in federal court.

Background

In June 2012, hackers infiltrated LinkedIn's computer systems and allegedly stole 6.5 million LinkedIn users' passwords and e-mail addresses. LinkedIn provides an online community for professional networking and offers both free and premium membership. As part of its User Agreement and Privacy Policy, LinkedIn promises its users that all information provided to it will be protected with industry standard protocols and technology.
After the 2012 data breach, two premium LinkedIn subscribers, brought a class action lawsuit against LinkedIn on behalf of themselves and:
  • All individuals and entities in the US who paid a monthly fee to LinkedIn for a premium account prior to June 7, 2012 (Premium Account Class).
  • All Premium Account Class members whose personal information was compromised as a result of the data breach that occurred on or around June 6, 2012.
The plaintiffs alleged nine causes of action stemming from the data breach. These causes of action were based primarily on breach of contract claims. On December 20, 2012, LinkedIn filed a motion to dismiss for lack of Article III standing.

Outcome

In its March 6, 2013 order, the US District Court for the Northern District of California held that the plaintiffs failed to allege that they suffered sufficient injury under Article III's case or controversy requirement and granted LinkedIn's motion to dismiss. The court rejected the plaintiffs' argument that they have standing to sue under a theory of economic harm.
The plaintiffs argued that they did not receive the full benefit of their bargain for the paid premium memberships because the 2012 hacking showed that they did not receive the security LinkedIn promised in the User Agreement and Privacy Policy. The court rejected this argument because:
  • The plaintiffs failed to sufficiently allege in their complaint that they actually provided consideration for the security services that they claim were not provided. Rather, these security services were offered both to paying and nonpaying LinkedIn users.
  • The plaintiffs did not allege that they actually read the alleged misrepresentation (the Privacy Policy), which therefore could not demonstrate the causal connection necessary to support standing based on a claim of misrepresentation.
  • The economic damages the plaintiffs claimed, not receiving the full benefit of their bargain, could not form the basis of standing for their breach of contract–related claims. A breach of contract claim requires resulting damages occurring after the breach, whereas the purported injury in fact occurred at some point before the breach.
  • The plaintiffs argument that LinkedIn's security services were defective was an allegation of insufficient performance. The plaintiffs were therefore required, but failed, to allege "something more" than pure economic harm, such as theft of their personally identifiable information.

Practical Implications

Plaintiffs in federal cases involving online data breaches must still meet Article III's case or controversy standing requirements. Even where the plaintiffs have paid for the relevant services, alleging a benefit of the bargain theory of economic harm in data breach cases may be insufficient to meet the stringent standing requirements. Plaintiffs should be prepared to allege something more than pure economic harm, such as an actual theft of their personally identifiable information.
Companies facing data breach litigation based on a contract claim should consider the plaintiffs' failure to demonstrate a causal link between the purported harm and the bargained for terms of the agreement. To avoid a claim of misrepresentation, companies should also be mindful that their policies do not overpromise in a manner where their actual practices could ultimately fall short.

Court Document