A federal judge in the Northern District of California recently added to the growing list of cases rejecting attempts to recover damages resulting from data breaches. In In re LinkedIn User Privacy Litigation, Case no. 5:12-CV-03088 EJD (March 6, 2013), the court dismissed a lawsuit brought by LinkedIn users who were upset over the June 2012 posting of 6.5 million stolen LinkedIn user passwords. The court reasoned that plaintiffs lacked standing to sue because they had not sufficiently pled either economic harm or increased risk of future harm.
All information that you provide will be protected with industry standard protocols and technology…. In order to help secure your personal information, access to your data on LinkedIn is password-protected, and sensitive data (such as credit card information) is protected by SSL encryption when it is exchanged between your web browser and the LinkedIn website. To protect any data you store on our servers, LinkedIn also regularly audits its system for possible vulnerabilities and attacks, and we use a tier-one secured-access data center. However, since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn.
While plaintiffs’ limitation of the purported class to paying premium LinkedIn members attempted to get around a common problem faced by data breach plaintiffs—that they have suffered no damage—the court was not persuaded and identified four problems with plaintiffs’ theory of "economic harm:"
LinkedIn’s security promises applied to all LinkedIn users, not just those who paid for premium accounts, so the premium members did not provide any monetary consideration for LinkedIn’s security services;
Plaintiffs' claims were primarily based on breach of contract for LinkedIn’s failure to use the promised level of security, but this economic loss would have occurred at some point before the breach, so the damages proffered by plaintiffs cannot form the basis of standing for their breach of contract-related claims; and
If viewed as a defective product claim, economic harm requires not only that the plaintiffs have bought the defective product, but that they have been damaged in some way by it, and plaintiffs here did not allege "something more" than overpaying for a “defective” product. The court noted that the “something more” could be a harm that occurred as a result of the alleged deficient security services and security breach, such as, for example, theft of their personally identifiable information.
One of the putative class representatives also alleged a "fear of future harm" theory, based on the fact that her LinkedIn password was posted on the Internet. But the court rejected that theory and noted that an allegation that her password was merely posted online does not equate to a legally cognizable injury, such as identify theft or theft of her personally identifiable information.
The court then dismissed the complaint without prejudice and gave plaintiffs leave to amend.
 “Salting” is an encryption process in which random values are combined with a password before the text is encrypted.