It is widely accepted that the Internet is not a safe place for private or confidential information. Yet, when sensitive information gets leaked, people look for someone to blame. In some instances, they are correct and can bring a privacy claim especially when they can show direct injury due to the privacy breach. In other instances where they suffer no injury they have no claim.
In June of 2012, LinkedIn experienced a security breach and the passwords of 6.5 million users were posted online. A few days later, two premium LinkedIn users, Katie Szpyrka and Khalilah Wright, filed a class-action lawsuit against LinkedIn on behalf of all users.
“In order to help secure your personal information, access to your data on LinkedIn is password-protected, and sensitive data (such as credit card information) is protected by SSL encryption when it is exchanged between your web browser and the LinkedIn website. To protect any data you store on our servers, LinkedIn also regularly audits its system for possible vulnerabilities and attacks, and we use a tierone secured-access data center.
“However, since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.
“It is your responsibility to protect the security of your login information. Please note that emails, instant messaging, and similar means of communication with other Users of LinkedIn are not encrypted, and we strongly advise you not to communicate any confidential information through these means.”
The lawsuit also filed for damages based on the allegation that the premium users had paid LinkedIn in order to access the premium membership status of the social networking site. The plaintiffs expected this to include enhanced security measures but the premium membership offers no such thing. Rather, it merely offered more advanced tools and usage of LinkedIn’s services. Heightened security measures were never offered as part of the premium membership and, as such, the plaintiffs could not prove that they received any financial harm or injury.
The plaintiffs also failed to prove that the injuries they suffered as a result of the breach were “concrete and particularized” or “actual and imminent”. No one stole their identities or got into their accounts and, on these grounds, the judge dismissed the lawsuit.