This article first appeared in Cyberlaw Currents, a Frankfurt Kurnit legal blog.

Originally published May 3, 2011

These days, companies rely increasingly on e-commerce and social networking to enhance sales. In the process, however, they are collecting enormous amounts of personal consumer data that may be vulnerable to security breaches. The costs of those breaches can be high. Companies that fail adequately to protect consumer data may be subject to Federal and State regulatory investigations, as well as civil lawsuits. Just yesterday, in fact, Sony announced that it had suffered a massive security breach in connection with its popular PlayStation Network, which has already led to a class action lawsuit. Companies that experience data security breaches can also suffer crippling public relations blows and loss of consumer confidence. While most regulatory efforts focus on the loss of financial data, such as bank account numbers and passwords, consumers can get just as riled up over the loss of less sensitive information, such as user IDs and e-mail addresses. Now, a recent federal case in California may make it easier for consumers to sue companies for those losses.

In Claridge v. RockYou, Inc., a federal district court judge declined to dismiss a class action lawsuit arising from the loss of personal consumer information gathered by RockYou.com ("RockYou"), a Web site that creates applications for use with social networking sites such as Facebook and MySpace. Although no money is exchanged, users must provide an e-mail address, password and, in some cases, log-in information to a social networking site. RockYou's privacy policy states that it "uses commercially reasonable physical, managerial, and technical safeguards" to protect consumer data. In 2009, RockYou became aware that its system contained a security flaw that allowed hackers to access consumer data. After RockYou issued a press release announcing the breach and stating that it had taken immediate remedial action, one of its customers, Alan Claridge, filed a class action lawsuit, alleging that RockYou failed to employ commercially reasonable methods to safeguard the consumer data.

Claridge appeared to suffer no measurable damage from the breach, because the hackers apparently did not use Claridge's personal data for nefarious purposes such as accessing his bank accounts, stealing his identity, or destroying his credit rating. So RockYou filed a motion to dismiss based, in relevant part, on Claridge's lack of standing under Article 3 of the U.S. Constitution. (In order to sue someone in federal court, you have to allege that you suffered an "injury in fact" – that is a "concrete, tangible, non-speculative harm or loss.") Not to be deterred, Claridge argued that his personal information was "valuable property" that he exchanged for RockYou's products and services, as well as its promise to safeguard that information. While recognizing this was a "novel theory of damages" and expressing "doubts about [Claridge's] ultimate ability to prove his damages," the court denied the motion to dismiss, refusing "to hold at this juncture" that Claridge had failed to allege an "injury in fact."

It is too early to predict whether other federal judges will follow Judge Hamilton's lead and hold that the mere loss of personal information – without more – will suffice to establish "injury in fact." If this "novel damages theory" becomes a popular trend, companies may find it harder to dispose of weak claims at the pleading stage, adding yet another element to the rising cost of security breaches.

What is clear is that companies cannot ignore the importance of protecting consumer data and responding quickly to security breaches. As an initial step, companies should review their online privacy policies to ensure they are keeping their promises to protect personal data.

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.