LinkedIn, the professional social networking site facing a $5 million-plus lawsuit for a massive breach earlier this month, may win its impending legal battle. But victory will probably not come cheap. Legal bills mount up quickly, especially with an “aggressive” defense, which LinkedIn has promised. Unless the suit, filed on behalf of lead plaintiff Katie Szpyrka and a potential cast of millions of other coplaintiffs, is settled quickly and quietly, it is likely to provide regular public reminders, for months or possibly years, of what happened and why. That, as marketing people say, is not good for “brand identity.”
The 6.5 million member passwords, which were posted on a Russian hacker forum, had been easily decrypted because LinkedIn was using only a rudimentary hashing algorithm that is not even close to the current industry standard. And that encryption weakness is what the lawsuit cites repeatedly in its seven allegations, including violation of California business and professional code; violations of California civil code; breach of contract; breach of the implied covenant of good faith and fair dealing; breach of implied contracts; negligence; and negligence per se. Szpyrka, listed on LinkedIn as a senior associate at the Chicago offices of UGL Equis, a global real estate firm focused on business clients, is represented by Sean P. Reis of Edelson McGuire LLP, a law firm in Rancho Santa Margarita, Calif. The suit is seeking certification as a class-action lawsuit on behalf of all LinkedIn users compromised by the hack. The suit doesn’t allege violations of any specific cybersecurity law, but complains that the company violated its own privacy policy, which asserts that it will, “safeguard its users sensitive PII (personally identifiable information), specifically that: ‘All information you provide will be protected with industry standard protocols and technology.'” By its own admission, LinkedIn was not in compliance with the industry standard, which is to “salt” the hashes — merge the hashed passwords with another combination and then hash them for a second time. LinkedIn, however, invokes the classic defense in data breach cases to contend the suit is “without merit.” LinkedIn spokeswoman Erin O’Harra told Cameron Scott of the IDG News Service: “No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured. Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation.” So, now that the dueling sound bites have been issued, how vulnerable is LinkedIn really? The likelihood is, not very much. The courts have so far declined to award damages to plaintiffs who cannot prove actual damages. Legal experts viewing a string of lawsuits, also in California, over breaches of personal medical information, told CSO in April that judges are well aware that 100-percent security on the Internet simply does not exist, due to the rapidity and sophistication of attacks. There are numerous examples of breaches of companies that are in compliance, which makes it much more difficult to prove negligence. Indeed, the Oregon Supreme Court recently struck down a class-action suit against Providence Health Systems that had been settled six years ago, finding no evidence that any of 365,000 patients whose data had been on disks/tapes that were stolen from a Providence employee’s car had suffered any financial loss or other adverse consequences. “We are aware of no other jurisdiction that has allowed recovery for negligent infliction of emotional distress in circumstances where the alleged distress is based solely on concern over the increased risk that a plaintiff’s personal information will, at some point in the future, be viewed or used in a manner that could cause the plaintiff harm,” the court said then. The suit against LinkedIn goes to some length to assert that actual damages have occurred, arguing that, “plaintiff and the class members … have lost money in the form of the value of their personal data. They have lost property in the form of their breached personal data, which is of great value to LinkedIn, LinkedIn advertisers and malicious actors. SubClass members have lost money in the form of monthly membership fees.” But it does not offer specifics — only that the PII, “…has ascertainable value to be proven at trial.” It is not certain, of course, that precedent will prevail. Rebecca Herold, an information security, privacy and compliance consultant known as the “Privacy Professor,” said while the precedent so far is not to award damages that cannot be proven, “I see the trend will likely be changing as judges, courts and lawyers come to understand better how such breaches can have damages long-term, in many downstream systems that were attached in some way to the breached system.” For example, she said, many LinkedIn users may use the same password on other systems as they used on LinkedIn, even though that practice is strongly discouraged by security experts. But those other accounts may now be breached, even though the LinkedIn account itself may not have been breached, Herold said. Todd Thiemann, senior director of product marketing for Vormetric, said when the breach became public that among the still unanswered questions were, “How did the bad guys get this information? And if they got that, what else did they get?” Those questions will be at the heart of the pending litigation.