The professional networking site LinkedIn won a class-action lawsuit before it even went to trial after a judge this week dismissed claims from two premium users who maintained the company failed to provide the level of data security outlined in its privacy policy.
Northern California U.S. District Judge Edward Davila wrote that the two class-action defendents were unable to prove actual – and not theoretical – harm from the 2012 data breach in which passwords for 6.5 million user accounts were compromised and posted online. The data breach came to light in June 2012 and within weeks, a lawsuit was filed by Illinois resident Katie Szpyrka and days later by Khalilah Wright of Virginia.
The two sued shortly after learning that the company used encrypted user passwords using the outdated SHA-1 algorithm and without salting them to elevate their protection.
The two had sought compensation for what they considered a breach of contract in that the company had not taken appropriate security measures to ensure the safety of user passwords, especially those who paid monthly for a premium upgrade. They claimed they would not have purchased the upgrade had they known the encryption was the same as the free version.
“Any alleged promise LinkedIn made to paying premium account holders regarding security protocols was also made to non-paying members. Thus, when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn’s services,” Davila wrote.
The judge also noted that the two plaintiffs admitted they never read the privacy policy to know whether or not the company had misrepresented its security offering. That policy at the time read: “In order to help secure your personal information, access to your data on LinkedIn is password-protected, and sensitive data (such as credit card information) is protected by SSL encryption when it is exchanged between your web browser and the LinkedIn website. To protect any data you store on our servers, LinkedIn also regularly audits its system for possible vulnerabilities and attacks, and we use a tier-one secured-access data center. However, since the Internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information. Please note that emails, instant messaging, and similar means of communication with other Users of LinkedIn are not encrypted, and we strongly advise you not to communicate any confidential information through these means.”
Additionally, Davila said the economic loss alleged from the breach could not be proven. He also rejected an additional claim by Wright that posting her password on the Internet posed a future risk of identity theft and the financial reprecussions that posed.
“Plaintiff Wright merely alleges that her LinkedIn password was ‘publically posted on the Internet on June 6, 2012.’ … In doing so, Plaintiff Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identify theft or theft of her personally identifiable information.”