Hacked LinkedIn Users Can’t Sue for Negligence

     (CN) – LinkedIn users with premium accounts do not have standing to sue over a security breach because they paid for greater networking tools, not data protection, a federal judge ruled.
     In a June 15, 2012, complaint, lead plaintiff Katie Szpyrka accused the website of failing to encrypt 120 million users’ “personally identifiable information,” including email addresses, passwords and login credentials.
     One week earlier, hackers who had previously infiltrated LinkedIn’s servers publicly posted more than 6 million passwords from LinkedIn users online.
     LinkedIn quickly announced that it had recently completed a switch of its password-encryption method from a system that stored member passwords in a hashed format to one that used both salted and hashed passwords for increased security.
     “Because LinkedIn used insufficient encryption methods to secure the user data, hackers were able to easily decipher a large number of the passwords,” the complaint stated.
     Szpyrka said the National Security Agency published the hashing function in 1995, and that industry standards require adding “salt,” or randomly assigned values, to a password, before inputting the text into a hashing function.
     She had registered for a LinkedIn account in late 2010, and has been paying $26.95 per month for a premium membership since December 2011.
     Szpyrka filed a first amended complaint on Nov. 26 with Khalilah Wright, a registered premium LinkedIn accountholder since March 2010 who pays $99.95 a month for the premium, upgraded services.
     While Wright alleges that her password was among those divulged by hackers on June 6, the first amended complaint contains no allegation that Szpyrka’s password or any other personal information was stolen or posted on the Internet.
     U.S. District Judge Edward Davila dismissed the complaint, with leave to amend, on Tuesday for lack of standing.
     The eight-page ruling notes that both premium and nonpaying basic members of LinkedIn received the same promise from the website regarding security protocols.
     “Thus, when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn’s services,” Davila wrote. “The FAC does not sufficiently demonstrate that included in Plaintiffs’ bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership.”
     He further noted that the plaintiffs do not even allege that they read the privacy policy to have been misled by its alleged promises.
     Breach of contract claims fail as well because the breach did not cause the plaintiffs to lose the alleged full benefit of their bargain with LinkedIn, according to the ruling.
     “Rather, this injury could only have occurred at some point before the breach, at the time the parties entered into the contract,” Davila wrote.
     He said the plaintiffs would also have to show more than that they simply overpaid for a defective product.
     “This ‘something more’ could be a harm that occurred as a result of the deficient security services and security breach, such as, for example, theft of their personally identifiable information,” the opinion states.
     Though Wright says she is at an increased risk of harm because her password was posted on the Internet, the judge found these claims lacking.
