Chicago Business Litigation Lawyer Blog
It is widely accepted that the Internet is not a safe place for private or confidential information. Yet, when sensitive information gets leaked, people look for someone to blame. In some instances, they are correct and can bring a privacy claim especially when they can show direct injury due to the privacy breach. In other instances where they suffer no injury they have no claim.
In June of 2012, LinkedIn experienced a security breach and the passwords of 6.5 million users were posted online. A few days later, two premium LinkedIn users, Katie Szpyrka and Khalilah Wright, filed a class-action lawsuit against LinkedIn on behalf of all users.
The lawsuit alleged that LinkedIn had failed to store passwords in salted SHA1 hashed format. According to the lawsuit, this is basic industry standard security practice and, by failing to adhere to them, LinkedIn had failed to abide by its Privacy Policy.
What the Privacy Policy actually states is:
“In order to help secure your personal information, access to your data on LinkedIn is password-protected, and sensitive data (such as credit card information) is protected by SSL encryption when it is exchanged between your web browser and the LinkedIn website. To protect any data you store on our servers, LinkedIn also regularly audits its system for possible vulnerabilities and attacks, and we use a tierone secured-access data center.
“However, since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.
“It is your responsibility to protect the security of your login information. Please note that emails, instant messaging, and similar means of communication with other Users of LinkedIn are not encrypted, and we strongly advise you not to communicate any confidential information through these means.”
LinkedIn’s Privacy Policy does not promise industry standard security practices and, in fact, warns the user that, despite their efforts, breaches can occur. In court, the plaintiffs admitted that they had not even read the Privacy Policy, which no doubt weakened their argument.
The lawsuit also filed for damages based on the allegation that the premium users had paid LinkedIn in order to access the premium membership status of the social networking site. The plaintiffs expected this to include enhanced security measures but the premium membership offers no such thing. Rather, it merely offered more advanced tools and usage of LinkedIn’s services. Heightened security measures were never offered as part of the premium membership and, as such, the plaintiffs could not prove that they received any financial harm or injury.
The plaintiffs also failed to prove that the injuries they suffered as a result of the breach were “concrete and particularized” or “actual and imminent”. No one stole their identities or got into their accounts and, on these grounds, the judge dismissed the lawsuit.
Our Chicago class action lawyers bring class action, privacy law and individual consumer rights lawsuits. We bring suit for many types of consumer fraud issues and for unpaid overtime, junk fax, privacy rights violations, false advertising and other claims on a class wide basis. Super Lawyers has selected our Kane, DuPage and Cook County class action lawyers as among the top 5% in Illinois. Our Chicago class action attorneys only collect our fees if we win or settle your case. For a free consultation call us at our toll free number 630-333-0333 or contact us on the web by clicking here.