Hot Docs: No breach of contract for LinkedIn security breach, court rules

March 14, 2013

Last June, we covered the class action lawsuit against LinkedIn over the data breach that led to the public release of 6 million LinkedIn users’ passwords.

The lawsuit alleged several different causes of action all related to a breach of contract by LinkedIn.  This “breach” by LinkedIn was allegedly its failure to “utilize long-standing industry standard protocols and technology to protect” the plaintiffs’ personally identifiable information.

The complaint claimed that the data breach would not have happened had LinkedIn used a more sophisticated data protection system – one that, as stated above, the complaint claimed had long been “the industry standard.”

Further, the complaint stated that, had it not been for LinkedIn’s promises that “[a]ll information that [users] provide [to LinkedIn] will be protected with industry standards protocols and technology,” the plaintiffs would not have paid for premium LinkedIn accounts.

Last week, the court ruled in LinkedIn’s favor on its motion to dismiss, dismissing the complaint (but without prejudice).

The court found that the plaintiffs lacked standing to bring the suit as alleged in the complaint.

Hot Doc: In re LinkedIn User Privacy Litig.

Source: Thomson Reuters News & Insight – National Litigation

Specifically, the court held that the plaintiffs’ allegation that the breach of contract caused them economic harm – that they did not receive “the full benefit of their bargain for the paid premium memberships” – was deficient in several ways.

First, the court noted that “[a]ny alleged promise LinkedIn made to paying premium account holders regarding security protocols was also made to non-paying members.”  As such, the court found that there was no economic harm resulting from an alleged breach because the premium account holders were not paying for heightened security protocols; they were paying for “the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn’s services.”

Second, the court noted that the complaint didn’t “even allege that [the plaintiffs] actually read the alleged misrepresentation – the Privacy Policy – which would be necessary to support a claim of misrepresentation.”

Third, the court noted that, since the alleged economic harm was suffered at the time the parties entered into the contract, it couldn’t have resulted from a breach of contract, something that must occur after a contract’s formation and (in this case) after the plaintiffs’ contractual performance.

Fourth, the court cited case law “where the alleged wrong stems from allegations about insufficient performance or how a product functions,” noting that, in those cases, “courts have required plaintiffs to allege ‘something more’ than ‘overpaying for a “defective” product.’”  Since the plaintiffs only alleged economic harm, the complaint is not sufficient to support the plaintiffs’ claims.

The ruling, although certainly a setback, was not fatal to the lawsuit, since, as mentioned above, the order only dismissed the complaint without prejudice, giving the plaintiffs 30 days to file an amended complaint.

Although many of the breach of contract claims are likely unsalvageable without additional facts, the court did offer some guidance on the claim about “overpaying for a defective product;” namely, that the claim’s requisite “something more” could be “a harm that occurred as a result of the deficient security services and security breach, such as, for example, theft of their personally identifiable information.”

So while the amended complaint will likely be a bit lighter than previous incarnations (unless, of course, the plaintiffs have more facts to add to support their weaker claims), it seems likely that at least a claim or two will survive.

The broader implications from this ruling are certainly interesting, though.

The foremost civil cause of action that can be used against websites that collect and store personally identifiable information is some form of contract claim.  Therefore, it’s significant that the court ruled that allegedly deficient security measures that existed at the time of the contract formation cannot be the basis for economic damages resulting from a breach.

Also significant is the finding that there is no misrepresentation as a matter of law since the plaintiffs did not show that they had read the privacy policy.  The vast majority of Internet users do not read the entirety of privacy policies or terms of use before agreeing to them, yet the majority of courts would still find that the users were nonetheless bound to follow them (see this post for more).

What this ruling really signifies is a narrow reading and application of contract formation law on Internet transactions.

Although it’s certainly much safer for a judge to stick to more traditional legal principles when delving into facts involving legally unprecedented technologies, such interpretations often miss critical elements introduced by the new technology.

Then again, it is cases like this one that allow for the development (and, presumably, expansion) of traditional legal principles to accommodate the introduction of new technology.