LinkedIn still involved in security breach class action

Posted on: May 2nd, 2014 by Steve Larson
Share

Data SecurityA California federal judge has refused to throw out a putative class action over LinkedIn Corp.’s 2012 security breach that resulted in 6.5 million hacked passwords, finding that the plaintiff had adequately stated a claim under a state false labeling law.  U.S. District Judge Edward Davila denied LinkedIn’s motion to dismiss the suit alleging the company made misrepresentations about the website’s security in its privacy policy, applying the same standard for standing as cases in which plaintiffs rely on misleading labels when purchasing products, according to the order.

“The court finds that plaintiff has alleged facts sufficient to confer standing,” the order said. “The representation in LinkedIn’s privacy policy falls within the scope of the labeling/advertising cases.”

After Judge Davila dismissed lead plaintiff’s first amended complaint in March 2013 for failure to state any economic harm, the lead plaintiff filed a second amended complaint and added the allegation that LinkedIn failed to provide industry-standard security as it had represented, which Wright claims enticed her and other customers to purchase premium accounts, the order said.  Wright alleges she would not have purchased a premium account if not for LinkedIn’s misrepresentations about the level of security..

In refusing to dismiss the suit, the court ruled that the lead plaintiff met the standing requirements to bring claims under California’s Unfair Competition Law. In 2011, the California Supreme Court ruled that a consumer who relies on a product label and challenges a misrepresentation contained in the label satisfies the standing requirements of the law by alleging that he or she would not have bought the product but for the misrepresentation.

In its motion to dismiss, LinkedIn argued that the alleged misrepresentation in the privacy policy was not contained in a label or an advertisement and the privacy policy applies to all members, both paying and nonpaying, the order said.

“Under no plausible theory can this single sentence in the privacy policy that applies to all LinkedIn members be considered an ‘inducement’ to the purchase of a premium subscription, the ‘advertisement’ of premium services or an ‘effective marketing technique’ for premium service,” LinkedIn said in its motion.

However, Judge Davila said that Wright has alleged facts sufficient for standing.

“Applying one set of standing requirements to labeling/advertising and another set of standing requirements to other types of misrepresentations, as LinkedIn advocates, would be untenable given the lack of distinction California law places between misleading advertising and other forms of misleading statements,” the order said.

After the ruling on the motion to dismiss, the case was transferred to private alternative dispute resolution, which may mean that the case has been referred to mediation.

The case is In re: LinkedIn User Privacy Litigation, case number 5:12-cv-03088, in the U.S. District Court for the Northern District of California.