By Douglas F. Brent
If your business collects personal information, you want to assure your customers you will do your best to protect that information. But be careful with how you word that assurance. If you are ever the victim of a cyber-intrusion, you might face a surprising type of lawsuit.
In late February business social networking site LinkedIn agreed to a seven-figure settlement of a nationwide class action lawsuit claiming that its “security measures that have been outdated since at least 2006” were all that stood between paid customers and the hackers who gained access to user credentials during a data breach. The stolen credentials were not stored in the clear; they had been hashed (one-way scrambled), which the parties and the press loosely described as “encrypted.”
But why settle a case where the stolen info was scrambled rather than readable? After all, breach notification statutes typically provide safe harbors for encrypted information. Moreover, courts are often unwilling to find standing to sue when the claimed harms from a breach are speculative. In other words, the fear of a possible future misuse of stolen personal information is not enough to claim damages in court. So if the stolen info was not stored in plain text to boot, where’s the harm?
Here, the claimed harm is not the breach itself. The lawsuit doesn’t even claim personal information was misused. Instead, this suit alleges breach of a bargained-for promise to provide adequate security.
What were those measures? Plaintiffs alleged LinkedIn was using the SHA-1 algorithm to “hash” end user passwords. Hashing is not encryption: it is a one-way transformation that turns a password into a fixed-length fingerprint that cannot be reversed directly, so that a stolen database does not hand the attacker the passwords themselves. But was it the “industry standard”? Apparently not.
Lawyers for the putative class claimed the National Institute of Standards and Technology had advised government agencies in 2006 to stop using SHA-1 for various security procedures. (That NIST guidance concerned SHA-1’s weakening collision resistance in digital signatures, a different property from the one password storage relies on; the more consequential defect alleged is the one described next.) Yet this was the process LinkedIn was allegedly using when its database was breached and a list of 6.4 million “hashed” passwords was posted online. The suit claims that to have met industry standards LinkedIn should have “salted” the users’ passwords before hashing and storing them, that is, mixed a random per-user value into each hash so that identical passwords do not produce identical hashes and an attacker cannot reuse one precomputed table of hashed guesses against every account. Moreover, the suit alleges that after the breach was publicized, the majority of the publicly posted hashed passwords were cracked within days, meaning the original passwords were recovered by hashing candidate guesses and matching the results. The suit does not claim the recovered passwords were actually exploited, however.
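The two preceding paragraphs describe the scheme at issue (unsalted SHA-1) and the fix the complaint says was expected (salting). The following Python script is an added illustration written for this page; it is not code from the original article or from LinkedIn. The user accounts and the cracking wordlist are constructed for the example, and PBKDF2-HMAC-SHA256 with an assumed iteration count stands in for “a salted, slow password hash,” since the complaint itself only mentions salting. It shows why one precomputed table cracks every account in an unsalted store, and why salts force the attacker to start over for each user.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts for this example (not real LinkedIn data).
# Three of the four passwords are the kind of weak, common choices found in
# any cracking wordlist; two users happen to share one of them.
SAMPLE_USERS = {
    "alice": "linkedin",
    "bob": "password1",
    "carol": "linkedin",
    "dave": "Tr0ub4dor&3",
}

# Constructed stand-in for the wordlists attackers actually run.
WORDLIST = ["123456", "password", "password1", "linkedin", "letmein", "qwerty"]

# Assumed PBKDF2 work factor; tune to your hardware (OWASP's 2023 figure for
# PBKDF2-HMAC-SHA256 is 600,000). Lower values below are for speed only.
ITERATIONS = 600_000


def sha1_unsalted(password: str) -> str:
    """The scheme the complaint describes: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Simulate a credential table that keeps only unsalted SHA-1 hashes."""
    return {user: sha1_unsalted(pw) for user, pw in users.items()}


def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Build one hash->word table from the wordlist, then look up every user.

    The table costs len(wordlist) hash computations and is reusable across all
    users (and all leaks using the same scheme); each lookup is free.
    Returns (cracked_passwords_by_user, number_of_hashes_computed).
    """
    table = {sha1_unsalted(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> tuple:
    """Per-user random salt plus a deliberately slow key derivation.

    Returns (salt, derived_key); both are stored, and the salt is not secret.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk


def store_salted(users: dict, iterations: int = ITERATIONS) -> dict:
    return {user: hash_salted(pw, iterations=iterations) for user, pw in users.items()}


def verify_salted(record: tuple, password: str, iterations: int = ITERATIONS) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    salt, dk = record
    _, candidate = hash_salted(password, salt, iterations)
    return hmac.compare_digest(dk, candidate)


def crack_salted(stored: dict, wordlist: list, iterations: int = ITERATIONS) -> tuple:
    """With salts there is no shared table: every guess is recomputed per user,
    and each computation costs a full pass through the work factor.
    Returns (cracked_passwords_by_user, number_of_derivations_computed).
    """
    cracked, work = {}, 0
    for user, (salt, dk) in stored.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(hash_salted(word, salt, iterations)[1], dk):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_USERS)
    print("unsalted: alice and carol share a hash:", weak["alice"] == weak["carol"])
    print("unsalted cracked, work:", crack_unsalted(weak, WORDLIST))

    demo_iters = 20_000  # lowered only to keep the demo quick
    strong = store_salted(SAMPLE_USERS, iterations=demo_iters)
    print("salted: alice and carol share a hash:", strong["alice"][1] == strong["carol"][1])
    print("salted cracked, work:", crack_salted(strong, WORDLIST, iterations=demo_iters))
    print("login check for bob:", verify_salted(strong["bob"], "password1", iterations=demo_iters))
```

With the constructed data, the unsalted store gives up three of four accounts after six hash computations total, and alice’s and carol’s identical hashes reveal that they chose the same password before any cracking happens. The salted store gives up the same weak passwords, since salting does not rescue a bad password, but only after a separate guess-by-guess search per user, each guess paying the full PBKDF2 cost; multiply that by 6.4 million accounts and a realistic wordlist and “within days” becomes years.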
So the claim here isn’t harm from the exposure of the information. Instead, the putative class claims they overpaid for LinkedIn’s premium service, because they relied on the claim of “industry-standard” privacy protection when they decided to purchase the premium service at the price offered. The class complaint claimed customers “paid for, but never received, the valuable security protections to which [they] were entitled.” To use the most colorful description from the complaint, it was filed “to remedy LinkedIn’s decision to dupe its customers into paying for services, and then supplying them with entirely different, less useful, and less valuable services instead.” If the proposed settlement is approved by the federal district court, members of the putative LinkedIn class could receive distributions of up to fifty dollars each.
For assistance in reviewing your own online contracts or privacy policies, contact a member of SKO’s Privacy and Information Security Practice.
Encryption is not only a good idea, it can also backstop against mandatory disclosure requirements under various state breach notification laws. This is because some of those laws limit the definition of “personally identifiable information” to computerized data that is unencrypted.