The breach, which resulted in the compromise of 6.5 million users' passwords, prompted Katie Szpyrka and Khalilah Gilmore-Wright to file for class-action status in US District Court in Northern California. The complaint alleged that LinkedIn failed to use a combination of hashing and salting to secure user passwords, resulting in the exposure of passwords to hackers. It also sought damages on the merit that the plaintiffs had paid for a premium membership – but did not get a premium level of security.
To the first point, “LinkedIn violated its own User Agreement and Privacy Policy by failing to utilize long-standing industry standard protocols and technology to protect Plaintiff and the Class members’ PII [personally identifiable information]’, the complaint alleged.
The petition added, “LinkedIn failed to use a modern hashing and salting function, and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of security.”
US District Judge Edward J. Davila, however, concluded that the breach did not result in any actual identity theft or other injury that would be considered "concrete and particularized," or "actual and imminent.” Despite the passwords being posted online, the plaintiffs failed to demonstrate any compromise of personally identifiable information, let alone actual identity theft.
As far as LinkedIn failing to provide industry-standard security as part of premium memberships, the judge said that the security policy applies to all LinkedIn users, whether paying for a premium tier or not. Thus, the plaintiffs didn't pay extra for that security, despite alleging that LinkedIn’s privacy policy said otherwise.
“The User Agreement and Privacy Policy are the same for the premium membership as they are for the nonpaying basic membership,” he wrote. “Any alleged promise LinkedIn made to paying premium account holders regarding security protocols was also made to non-paying members.”
He added, “The [suit] does not sufficiently demonstrate that included in Plaintiffs’ bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership.”
LinkedIn may have dodged a bullet, but the incident is illustrative. Data breaches are on the rise, and the scope of the amount of data stolen is getting wider. That in turn is opening up the potential for class action suits in such cases to become the norm. And that can add millions of dollars to the cost of the incident.
“Big data breaches…potentially produce large class sizes, making such lawsuits attractive to plaintiffs’ lawyers,” write Sharon Klein and Jeff Vagle, attorneys at the Pepper Hamilton law firm, which has offices across the US. “Companies that store or process personal information face an increasing risk of class action lawsuits based not only on the company’s use of that information, but also on the theft or misuse of that personal information due to data breach.”