Any damage done to LinkedIn users over the massive June 2012 data breach was abstract, not actual, a US judge has ruled.
Thus did a $5 million class-action lawsuit against the networking site get dismissed, before the case ever breathed the air of a court trial.
The breach resulted in the compromise of 6.5 million users’ passwords.
Within hours of the passwords being posted online, over 60% of the stolen passwords had been cracked.
Within days of the June breach, the lawsuit was filed on behalf of all users by two premium LinkedIn users in the US, Katie Szpyrka and Khalilah Gilmore-Wright.
It charged LinkedIn with failing to use basic industry-standard security practices – a failing that, the plaintiffs claimed, led to the data leak.
LinkedIn's privacy policy at the time read:
In order to help secure your personal information, access to your data on LinkedIn is password-protected, and sensitive data (such as credit card information) is protected by SSL encryption when it is exchanged between your web browser and the LinkedIn website. To protect any data you store on our servers, LinkedIn also regularly audits its system for possible vulnerabilities and attacks, and we use a tier-one secured-access data center.
However, since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.
It is your responsibility to protect the security of your login information. Please note that emails, instant messaging, and similar means of communication with other Users of LinkedIn are not encrypted, and we strongly advise you not to communicate any confidential information through these means.
Unfortunately for the plaintiffs, they failed to provide evidence of injury coming out of the breach that was "concrete and particularized," as well as "actual and imminent," US District Judge Edward J. Davila wrote in his decision (PDF).
The thing is, Davila responded, the plaintiffs didn't pay extra for that security, given that it was promised to both premium and basic (free) memberships alike.
Rather, what the premium account holders actually got in return for their fees were advanced networking tools and enhanced usage of LinkedIn's services, not great security.
Thus, when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn’s services.
The [suit] does not sufficiently demonstrate that included in Plaintiffs’ bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership.
As far as injury goes, while Wright claimed that her password had been posted online, it didn't result in identity theft or somebody getting into her account, the judge said, so the claim of financial harm or injury just doesn't fly.
Wright merely alleges that her LinkedIn password was "publicly posted on the Internet on June 6, 2012". In doing so, Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identity theft or theft of her personally identifiable information.
One lesson we can take from this is, apparently, that users have to take security promises and privacy policies with a grain of salt.
Beyond that, the nuances of whether a company will be found liable for security lapses, and the whys and why-nots, intrigue me.
I initially conjectured, when the lawsuit was first filed, that LinkedIn had its work cut out for it in defending itself. I was clearly wrong.
What do you think: should LinkedIn get off the hook this easily? Should a company be held liable for not meeting industry standards for security?
Please share your thoughts in the comments section below.