California resident Alan Claridge filed a lawsuit against RockYou for a December 2009 data breach in which 32 million users’ names, passwords, and email addresses were exposed.
Claridge, who had signed up to RockYou in 2008, sued the company for negligence, breach of contract, and violations of data protection and unfair competition laws.
RockYou filed a motion to have the lawsuit dismissed because Claridge had not demonstrated that he suffered actual harm from the breach. But Judge Phyllis Hamilton of the US District Court in the Northern District of California allowed the lawsuit to proceed.
"The court concludes that at the present pleading state, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII [personally identifiable information] has caused him to lose some ascertainable but unidentified 'value' and/or property right inherent in the PII. As such, the court declines to dismiss plaintiff's breach claims on grounds that plaintiff has failed to allege damages harm as a matter of law", Hamilton wrote.
Commenting on the ruling, InfoLawGroup noted that the ruling seems to be a shift in judicial thinking on data breach lawsuits.
“In what may be a sign of an evolving judicial atmosphere and approach concerning data breach lawsuits, a federal judge in the Northern District of California recently refused to dismiss various causes of action related to a data breach involving RockYou....One could argue that the decision signals a new willingness of courts (at least California Federal Northern District Courts) to allow for a more thorough judicial review of the claims alleged by data breach plaintiffs.”