Co-authored by: Peter Ormerod

Steven Roosa is a Partner in our New York office

On March 28, the California federal judge presiding over the suit against LinkedIn Corp. (LinkedIn) — which stems from a data breach from 2012 — denied LinkedIn's motion to dismiss, and permitted the suit to proceed based on the plaintiffs' allegations that the site's privacy policy made misrepresentations to users of the site.

U.S. District Judge Edward Davila concluded that the lead plaintiff, Khaliah Wright, had successfully met the standing requirements to bring claims against LinkedIn under California's Unfair Competition Law. On Ms. Wright's third attempt, Judge Davila concluded that the standing requirements were met when Ms. Wright asserted that she had based her decision to purchase a premium LinkedIn account after reading the allegedly misleading privacy policy.

Developments In Previous Breach Cases

Judge Davila's decision has potentially wide-ranging effects for data breach suits, because the judge endorsed a new strategy that is likely to be popular with plaintiffs' attorneys in analogous suits.

In prior breach cases, plaintiffs have experienced repeated setbacks while attempting to demonstrate the requirements of standing — and thus survive the defendant's motion to dismiss. Many previous data breach lawsuits have been dismissed on standing grounds when the plaintiffs were unable to demonstrate that the breach led to the misuse of the plaintiffs' personal or financial data.

Responding to these setbacks, plaintiffs' attorneys have largely abandoned the argument that the threat of data misuse was sufficient to confer standing.

The Successful "Deceptive Labeling" Analogy

Instead, plaintiffs have turned to increasingly creative pleading theories, including the argument that Judge Davila ultimately agreed with here: Consumers had been misled about the level of security that the defendant-company had employed to protect the consumers' personal data, and there is no reason to treat privacy policy misrepresentations differently from misleading labels.

Companies increasingly include assurances about the strength of their data security measures in their privacy policies. Judge Davila's ruling may provide plaintiffs' attorneys a blueprint for successfully defeating a defendant's arguments that the plaintiffs lack standing.

Some experts, however, caution that Judge Davila's reasoning may be less successful in other jurisdictions, citing the strength of California's unfair competition statute and the sense that California is more sympathetic to plaintiffs' privacy claims than other jurisdictions.

Yet other states have similar false labeling restrictions, and these jurisdictions are ripe candidates for the proliferation of the pleading tactic that Judge Davila found persuasive.

Potential Strategies for Defeating the "Deceptive Labeling" Argument

Companies are advised—in light of these recent developments — to carefully consider each and every word in their privacy policies. Ensuring that privacy policies accurately reflect the company's practices will improve companies' chances of defeating the "deceptive labeling" argument that succeeded in California.

The case is Szpyrka v. Linkedin Corp., 5:12-cv-03088, U.S. District Court for the Northern District of California.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.