Nearly as predictable as the sun coming up in the morning, the
recent theft of 6.5 million LinkedIn user passwords has
resulted in the filing of a class action lawsuit in a California
federal court. In her complaint, a LinkedIn premium subscriber
asserts claims on behalf of all LinkedIn users for breach of
implied and express contractual obligations, negligence and
violation of California's Unfair Competition Law, Cal. Bus.
& Prof. Code § 17200.
Although the attack affected the passwords of just over 5% of
LinkedIn's approximately 120 million users, plaintiff purports
to assert claims on behalf of all LinkedIn users. Although
plaintiff alleges classwide damages in excess of $5,000,000 (the
jurisdictional threshold for federal court jurisdiction over the
state law claims advanced in the complaint) it is unclear what
damages plaintiff alleges that the class actually sustained by
reason of merely losing passwords. Some commentators have
hypothesized that the propensity to use a single password for
multiple online accounts could result in losses where non-LinkedIn
accounts are accessed using an individual's LinkedIn
password. Proving that such losses have occurred,
however, would require highly individualized showings that would
likely preclude adjudicating plaintiff's claims as a class
action. Even less clear is what conceivable damages were
allegedly sustained by LinkedIn users whose passwords were not
stolen. Thus, as with most privacy class actions, damages
issues appear to pose the greatest obstacle to the success of the
claims against LinkedIn.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The 2010 theft of an unencrypted laptop containing confidential health care information made front-page news in 2013, not because a huge number of patients were affected, but for the exact opposite reason.
Any company that collects personal data from consumers should take proactive steps to have appropriate legal counsel review its data security practices, as well as its terms of service or privacy practices, to identify any potential problem areas.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.