March 2, 2015

Why the Promise of the “Industry-Standard” in Data Protection May Be a Bad Idea: Lessons from the LinkedIn Privacy Class Action Settlement

Related Attorneys

By Douglas F. Brent

If your business collects personal information, you want to assure your customers you will do your best to protect that information.  But be careful with how you word that assurance.  If you are ever the victim of a cyber-intrusion, you might face a surprising type of lawsuit.

In late February business social networking site LinkedIn agreed to a seven-figure settlement of a nationwide class action lawsuit claiming that its “security measures that have been outdated since at least 2006” were all that stood between paid customers and the hackers that gained access to user credentials during a data breach of encrypted information.  

But why settle a case where the stolen info was encrypted?  After all, breach notification statutes typically provide safe harbors for encrypted information.  Moreover, courts are often unwilling to find standing to sue when the claimed harms from a breach are speculative.  In other words, the fear of a possible future misuse of stolen personal information is not enough to claim damages in court.  So if the stolen info was encrypted to boot, where’s the harm?

Here, the harm itself isn’t claimed to be in the breach itself.  The lawsuit doesn’t even claim personal information was misused.  Instead, this suit alleges breach of a bargained promise to provide adequate security. 

The California woman who sued LinkedIn claimed that she and others expected that part of their subscription fee was going toward the secure storage of the personal information using practices that met or exceeded industry standards.  After all, LinkedIn’s standard agreement for its paid service said the company would use “industry-standard data privacy and security measures.”  Moreover, LinkedIn’s privacy policy incorporated into its standard terms and conditions stated “all information that you provide will be protected using industry-standard security protocols.”

What were those measures?  Plaintiffs alleged LinkedIn was using the SHA-1 algorithm to “hash” end user credentials.  This is an encryption[1] method to protect a database from exploitation in the event of a breach.  But was it the “industry-standard?”  Apparently not.

Lawyers for the putative class claimed the National Institute of Standards and Technology had advised government agencies in 2006 to stop using SHA-1 for various security procedures.  Yet, this was the process LinkedIn was allegedly using when its database was breached and a list of 6.4 million “hashed” passwords was posted online.  The suit claims that to have met industry standards LinkedIn should have “salted” the users’ personal information before hashing and storing it.  Moreover, the suit alleges that after the breach was publicized, the majority of the publicly posted hashed passwords were decoded within days.  The suit does not claim the decoded information was actually exploited, however.

So the claim here isn’t harm from the breach of the information.  Instead, the putative class claims they had overpaid for LinkedIn’s premium service, because they had relied on the claim of “industry-standard” privacy protection when they made the decision to purchase the premium service at the price offered.  The class complaint claimed customers “paid for, but never received, the valuable security protections to which [they] were entitled.”  To use the most colorful description from the complaint, it was filed “to remedy LinkedIn’s decision to dupe its customers into paying for services, and then supplying them with entirely different, less useful, and less valuable services instead.”  If the proposed settlement is approved by the federal district court, members of the putative LinkedIn class could receive distributions of up to fifty dollars each.

Are there options when you need to communicate about data protection?  Use specific language to describe security measures, unless naming a specific standard could itself compromise security.  Realize that you must be accurate in your statements, not only when the language is initially used, but each time that the online contract or privacy policy is accessed by a user.  Understand the state of the art in network security is evolving, so if you want to refer to an industry standard, be specific, if possible, and know the use of the terminology means that you must constantly update security so that your statement is accurate at all times.  And think about other places where you make statements about your capabilities, like marketing collateral.  Finally, be aware that the Federal Trade Commission has brought enforcement actions against businesses accused of overstating their security procedures.

For assistance in reviewing your own online contracts or privacy policies, contact a member of SKO’s Privacy and Information Security Practice.



[1] Encryption is not only a good idea, it can also backstop against mandatory disclosure requirements under various state breach notification laws.  This is because some of those laws limit the definition of “personally identifiable information” to computerized data that is unencrypted.