Judge Rules That A Large Data Breach Is Not Proof Of Inadequate Security

A federal judge ruled on March 5 that LinkedIn (NYSE: LNKD) is not obligated to compensate a pair of its customers who had sued following a LinkedIn data breach last year. Of particular interest to retailers is the customers' argument that the social networking site had promised to protect customer data "with industry standard protocols and technology." They then argued that the breach itself somehow proved such security was not delivered. The judge didn't buy it.

No security system is perfect, so the existence of a break-in—on its own—doesn't prove that security procedures were not followed nor that they were not appropriate.

The case—heard in U.S. District Court for the Northern District of California in San Jose—raised several other arguments for customers seeking compensation for the breach, and the court shot them all down. To start the proceedings, the customers had to make a case for how they lost money as a result of the breach, given that it appears none of their personal information was ever used by the thieves.

The LinkedIn breach involved a June 6, 2012, public posting of about 6.5 million LinkedIn user passwords, along with a suggestion from the thieves that they also had grabbed E-mail addresses. (It wasn't a far-fetched claim. If the thieves were able to access passwords, it's likely E-mail addresses would have been easily accessible, too.) After the breach, LinkedIn announced a security upgrade, from storing customers' passwords hashed to using both salting and hashing.

The essence of the customers' argument of inadequate security was this upgrade, suggesting that the need for an upgrade demonstrated the inadequacy of the earlier effort.

But the harder case is the financial loss. To argue a loss, the plaintiffs said they wanted to be reimbursed for the dollars spent on upgraded LinkedIn accounts. The decision from U.S. District Court Judge Edward J. Davila summarized the customers' position on why they were owed money.

"They did not receive the full benefit of their bargain for the paid premium memberships. Plaintiffs allege that in consideration of their payments, LinkedIn promised to secure their personal information 'with industry standard protocols and technology.' They also contend that they would not have otherwise purchased the premium memberships had they known that LinkedIn would not protect their information in the manner it had allegedly promised. The 2012 hacking incident, they argue, shows that they did not receive the promised security for which they paid—thus amounting to economic harm."

The court found against this claim because LinkedIn makes the same security promises to all users, regardless of their level of membership.

"Plaintiffs contend that in exchange for the fees they paid for the premium membership account, LinkedIn promised, among other things, to provide them with a particular level of security to protect their data. However, the User Agreement and Privacy Policy are the same for the premium membership as they are for the non-paying basic membership. Any alleged promise LinkedIn made to paying premium account holders regarding security protocols was also made to non-paying members," the court ruled. "Thus, when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn's services. The (customers do) not sufficiently demonstrate that included in Plaintiffs' bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership."

In an unusual twist, the court also ruled against the customers because they didn't prove—or even claim—they had actually read the privacy policy. Unless they had submitted that they had read it, how could they have been deceived by it?The court did not raise the related question, namely, "Did the customers actually make that LinkedIn upgrade purchase based on a security promise buried within a lengthy privacy statement? Really? That's actually the argument you want to hang your case on? Shall we poll a couple of thousand random LinkedIn upgraded customers and ask them, open-ended, why upgraded and see how many cite the level of password encryption being used?"

To be clear, the prior question is ours, not the judge's. We'll get back to what the judge said now.

The court pointed out that, technically, the loss had to be related to the breach and not to a payment made long before the breach happened. "Plaintiffs contend that LinkedIn breached the contract by not providing the level of security it allegedly promised to provide. The economic loss Plaintiff alleges—not receiving the full benefit of the bargain—cannot be the 'resulting damages' of this alleged breach. Rather, this injury could only have occurred at some point before the breach, at the time the parties entered into the contract. As such, the economic damages Plaintiffs proffer cannot form the basis of standing for their breach of contract–related claims."

The court also ruled that case law—prior significant decisions from other key courts—raises the bar for this type of lawsuit.

"In cases where the alleged wrong stems from allegations about insufficient performance or how a product functions, courts have required plaintiffs to allege 'something more' than 'overpaying for a "defective" product,'" the judge wrote. "Plaintiffs do not argue that they did not receive security services. Rather, they argue the security services were defective in some way, as evinced by the 2012 hacking incident. This is not the case where consumers paid for a product, and the product they received was different from the one as advertised on the product's packaging. Because Plaintiffs take issue with the way in which LinkedIn performed the security services, they must allege 'something more' than pure economic harm. This 'something more' could be a harm that occurred as a result of the deficient security services and security breach, such as, for example, theft of their personally identifiable information."

A point the court did not address was exactly what "industry standard protocols and technology" means. Presumably, such a phrase would be a matter for various retail security experts to testify about in court, arguing whether what the retailer did at the time would have been considered reasonable. The question of "reasonable" would be determined not necessarily by current security procedures but by what was being used at the time.

Also—and this is key—the phrase isn't promising cutting-edge approaches or even the best approaches. All it's promising, in effect, is that "we're doing what almost everyone else is doing." As long as similarly sized rivals are handling their security roughly as well—or as poorly—as you are, you are indeed using industry-standard mechanisms.

If a shopper ever sues a major chain on the basis that the security of all retail is inadequate, the arguments—and decisions—might be radically different. For now, though, this was a very retail-friendly ruling.