|October 21, 2013|
Previously published on October 18, 2013
re LinkedIn User Privacy Litig., 2013 U.S. Dist. LEXIS 31131 (N.D. Cal., 3/6/13)
After a hacker obtained 6.5 million passwords and email addresses from LinkedIn (the professional networking site), two of its users brought a putative class action claiming that LinkedIn had misrepresented its level of security. However, the plaintiffs ran into a threshold problem seen in many data breach cases: Article III standing.
Among the requirements for standing in any case brought in federal court is that the plaintiff must allege an injury in fact that is concrete and particularized, as well as actual and imminent. Without standing, there is no case in controversy, and the court lacks subject matter jurisdiction.
In the LinkedIn matter, the plaintiffs argued they had standing to sue under an economic harm theory. The plaintiffs claimed they paid to be “premium” LinkedIn users (as opposed to the free account) and did not receive the benefit of the bargain since LinkedIn failed to protect its information.
Further, the fact that one of the plaintiffs’ passwords was posted on the Internet did not amount to a legally cognizable injury. In other words, there were no allegations of actual identity theft or fraudulent use of the information. Accordingly, the court held that the plaintiffs failed to meet the requirements of Article III standing.
Of course, the plaintiffs will continue to push for class action status in the wake of mass data breaches that expose personal information. However, without actual harm, the mere exposure of personal information is generally not enough, and such cases are subject to dismissal for lack of standing.