On March 6, 2013, the United States District Court for the Northern District of California held that a putative class of LinkedIn premium users lacked standing to pursue state law unfair competition, breach of contract, and negligence claims resulting from a hacking incident. The court dismissed the complaint, concluding that the plaintiffs failed to establish any legally cognizable injury and any causation between the alleged incident and any alleged economic harm. The case is In re LinkedIn User Privacy Litigation (N.D. Cal. Mar. 6, 2013).
A putative class of premium LinkedIn users filed an amended complaint alleging unfair competition, breach of contract, and negligence claims. LinkedIn filed a motion to dismiss for lack of standing, which the court granted.
The plaintiffs claimed that they suffered “economic harm” because they were denied the full benefit of their bargain for the paid premium memberships. Specifically, the plaintiffs alleged that they would not have purchased the premium product absent the security guarantees, and that the 2012 hacking incident shows they did not receive the promised security. The court rejected the plaintiffs’ “economic harm” argument for several reasons.
In addition to rejecting the plaintiffs’ “economic harm” arguments, the court also held that the increased risk of future harm did not establish an injury sufficient to confer standing. The court concluded that the plaintiffs failed to state a legally cognizable injury by merely alleging that their passwords were publicly posted as opposed to alleging identity theft.
Based on the pleadings before it, this court concluded that the mere allegation of a security breach does not automatically confer Article III standing or provide the basis for cognizable state common law claims. Rather, the failure here to allege an injury beyond “overpaying” for a service, e.g., identity theft, required dismissal of these claims. The court also rejected the plaintiffs’ claimed injury stemming from an increased risk of future identity theft, deeming it speculative and thus insufficient to sustain the claims. Entities in any industry that promise to provide certain levels of security certainly should endeavor to adhere to those representations. This decision, however, bolsters the “lack of standing” defense to claims premised on data incidents alone brought in federal court – at least where the incident does not result in any identity theft.