Plaintiff Narrowly Avoids Dismissal in Data Breach Case Based on Finding that PII Could Have Value

Published On April 20, 2011 | By Jake Sommer | Data Security, Litigation, Privacy

The Northern District of California denied Defendant RockYou, Inc.’s motion to dismiss in Claridge v. RockYou, Inc., No. C 09-6032 PJH, making this data-breach case one of the first to proceed beyond discovery. In Claridge, the Plaintiff brought suit alleging that the defendant had failed to secure and safeguard personally identifiable information (“PII”), including email addresses, passwords and login credentials for social networks.

RockYou creates applications for use on social networking sites used to share photos or play games with others.  Claridge was an account holder with RockYou, and had submitted his e-mail address and password to use RockYou’s photo sharing application.  The complaint alleges that, in late 2009, a security firm notified RockYou of a security problem with its SQL database, and that a hacker could compromise their database through a SQL injection flaw.  Prior to fixing the flaw and prior to being warned, a hacker accessed RockYou’s database and copied the unencrypted email and social networking login credentials of approximately 32 million registered RockYou users.

The Court first addressed standing, a roadblock that has stopped many a data breach lawsuit, and found that the Plaintiffs’ admittedly “novel” damages theory was sufficient to demonstrate the necessary “injury in fact.”  Plaintiff argued that PII constitutes “valuable property that is exchanged not only for defendant’s products and services, but also in exchange for RockYou’s promise to employ commercially reasonable methods to safeguard PII that is exchanged.”  As a result of the breach, Plaintiff allegedly lost “the ‘value’ of their PII, in the form of their breached personal data.”  The Court accepted this theory, but notably expressed its skepticism, stating that “the court has doubts about plaintiff’s ultimate ability to prove his damages theory in this case…”

The Court went on to dismiss all of Plaintiff’s claims except those for breach of contract, breach of implied contract and negligence, and granted Plaintiff leave to amend the SCA claim. Specifically, the Court again noted its skepticism about Plaintiff’s loss by dismissing his claims under California’s Unfair Competition Law, stating that the injury traceable to loss of PII “strains the acceptable boundaries of ‘injury’ under the statute” because PII is neither “currency” nor “property” that was “lost” under the UCL because the PII—login and password—did not “cease to belong to him, or pass beyond his control.”

While this ruling is troubling for companies that experience data breaches of PII because it allows plaintiffs’ claims to survive through discovery, the opinion demonstrates that proving damages will ultimately remain difficult for plaintiffs, and the claims they may bring for loss of PII are limited. To view the case click here.

About The Author

Jacob Sommer's practice focuses on legal issues related to Internet-based services and social networking, with a focus on protecting clients' rights in litigation or government investigations involving the Copyright Act, Lanham Act, Digital Millennium Copyright Act (“DMCA”), Electronic Communications Privacy Act (“ECPA”), the Wiretap and Communication Acts, CAN-SPAM, FISA and federal and state laws governing Internet gambling. He also helps social networks, search engines, e-mail providers, ISPs and other clients fulfill their compliance obligations pertaining to the discovery and disclosure of customer and subscriber information.
