In re LinkedIn User Privacy Litigation
Filing
70
ORDER granting 59 Motion to Dismiss. Signed by Judge Edward J. Davila on 3/5/2013. (ejdlc3, COURT STAFF) (Filed on 3/5/2013)
<![CDATA[
1
2
3
4
5
6
7
UNITED STATES DISTRICT COURT
8
NORTHERN DISTRICT OF CALIFORNIA
United States District Court
For the Northern District of California
9
SAN JOSE DIVISION
10
11
IN RE LINKEDIN USER PRIVACY
LITIGATION
12
13
14
15
16
)
)
)
)
)
)
)
)
)
)
)
Case No.: 5:12-CV-03088 EJD
ORDER GRANTING DEFENDANT’S
MOTION TO DISMISS THE FIRST
AMENDED CONSOLIDATED CLASS
ACTION COMPLAINT
[Re: Docket No. 59]
17
Plaintiffs Katie Szpyrka (“Szpyrka”) and Khalilah Wright (“Wright”), collectively
18
“Plaintiffs,” bring this putative class action against Defendant LinkedIn Corporation (“Defendant”
19
or “LinkedIn”). Presently before the Court is LinkedIn’s Motion to Dismiss Plaintiffs’ First
20
Amended Consolidated Complaint (the “FAC”). Having reviewed the parties’ papers and after
21
having heard oral arguments of counsel, the Court has determined that LinkedIn’s Motion will be
22
GRANTED.
23
24
I.
Background
25
LinkedIn owns and operates the website www.LinkedIn.com, which provides an online
26
community for professional networking. First Am. Consolidated Class Action Compl. (“FAC”)
27
28
1
Case No.: 5:12-CV-03088 EJD
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS THE FIRST AMENDED
CONSOLIDATED CLASS ACTION COMPLAINT
1
¶ 12, Docket Item No. 54. Prospective members may sign up for a membership by providing a
2
valid email address and registration password, which LinkedIn stores on its database. Id. ¶ 13.
3
Once registered, a member may create a free online professional profile containing such
4
information as employment and educational history. Id.
5
When members register, they are required to confirm that they agree to LinkedIn’s User
6
Agreement (“User Agreement”) and Privacy Policy (“Privacy Policy”). 1 Id. ¶¶ 15–16; Declaration
7
of Eric Heath in Supp. of Def.’s Mot. to Dismiss Exs. A, B. The “Introduction” to the Privacy
8
Policy states,
United States District Court
For the Northern District of California
9
Of course, maintaining your trust is our top concern, so we adhere to the following
principles to protect your privacy:
10
***
11
•
12
13
All information that you provide will be protected with industry standard
protocols and technology.
Id. The “Security” section of the Privacy Policy states,
14
In order to help secure your personal information, access to your data on LinkedIn
is password-protected, and sensitive data (such as credit card information) is
protected by SSL encryption when it is exchanged between your web browser and
the LinkedIn website. To protect any data you store on our servers, LinkedIn also
regularly audits its system for possible vulnerabilities and attacks, and we use a tierone secured-access data center. However, since the internet is not a 100% secure
environment, we cannot ensure or warrant the security of any information you
transmit to LinkedIn. There is no guarantee that information may not be accessed,
disclosed, altered, or destroyed by breach of any of our physical, technical, or
managerial safeguards. It is your responsibility to protect the security of your login
information. Please note that emails, instant messaging, and similar means of
communication with other Users of LinkedIn are not encrypted, and we strongly
advise you not to communicate any confidential information through these means.
15
16
17
18
19
20
21
22
Id.
23
24
For a monthly fee, members can upgrade to a paid “premium” account which grants them
increased networking tools and capabilities. FAC ¶ 14. Members who purchase a premium account
25
26
27
1
28
2
Case No.: 5:12-CV-03088 EJD
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS THE FIRST AMENDED
CONSOLIDATED CLASS ACTION COMPLAINT
The Privacy Policy is incorporated by reference to the User Agreement. Heath Decl. ¶ 3.
1
agree to the same terms and services of the User Agreement and Privacy Policy as if they were
2
non-paying members. Heath Decl. ¶ 3, Exs. A, C.
3
Plaintiffs allege that sometime in 2012 hackers infiltrated LinkedIn’s computer systems and
services. FAC ¶ 4. On June 6, 2012, the hackers posted approximately 6.5 million stolen LinkedIn
5
users’ passwords on the Internet. Id. ¶ 27. Plaintiffs also allege that the stolen information also
6
included the users’ email addresses. Id. ¶ 29. On or around June 9, 2012, LinkedIn released a
7
statement on its blog stating that it had recently completed a switch of its password encryption
8
method from a system that stored member passwords in a hashed 2 format to one that used both
9
United States District Court
For the Northern District of California
4
salted 3 and hashed passwords for increased security. Id. ¶ 31.
10
Plaintiff Wright registered for a premium LinkedIn account on or around March 2010,
11
paying a monthly fee of $99.95 for the premium, upgraded services. Id. ¶¶ 46–47. She alleges that
12
her password was one of the ones retrieved by the hackers and posted on the Internet on June 6,
13
2012. Id. ¶ 49. Plaintiff Szpyrka registered for a LinkedIn account in late 2010, and since
14
December 2011 she has been paying $26.95 per month for a premium membership. Id. ¶¶ 38–40.
15
The FAC contains no allegation that Szpyrka’s password or any other personal information was
16
stolen or posted on the Internet as a result of the 2012 hacking incident.
17
Plaintiffs’ FAC was filed on November 26, 2012 as a class action pursuant to Federal Rule
18
of Civil Procedure 23. Plaintiffs Szpyrka and Wright bring the action on behalf of themselves and a
19
“Premium Account Class” (the “Class”) which is defined in the FAC as “All individuals and
20
entities in the United States who paid a monthly fee to LinkedIn for a premium account prior to
21
June 7, 2012.” Id. ¶ 54. Additionally, Plaintiff Wright brings the action on behalf of a “Data Breach
22
Subclass” (the “Subclass”) which includes “[a]ll Premium Account Class members whose personal
23
information was compromised as a result of the data breach that occurred on or around June 6,
24
2012.” Id.
25
2
26
27
28
According to the FAC, “hashing” is a process by which a password is inputted into a cryptographic hash function
and converted into an unreadable, encrypted format. FAC ¶ 18 n.3.
3
According to the FAC, “salting” is an encryption process in which random values are combined with a password
before the text undergoes the hashing process. FAC. ¶ 19.
3
Case No.: 5:12-CV-03088 EJD
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS THE FIRST AMENDED
CONSOLIDATED CLASS ACTION COMPLAINT
1
The FAC contains a total of nine Causes of Action. Seven Causes of Action are brought on
2
behalf of the Class: violation of California’s Unfair Competition Law (“UCL”), Cal. Bus. & Prof.
3
Code §§ 17200, et seq. (Count 1); breach of contract (Count 2); restitution or unjust enrichment
4
(Count 3, as an alternative to Count 2); breach of the implied covenant of good faith and fair
5
dealing (Count 6); breach of an implied contract to reasonably safeguard user information (Count
6
7); negligence (Count 8); and negligence per se (Count 9). Two Causes of Action are brought on
7
behalf of the Subclass: breach of contract (Count 4); restitution or unjust enrichment (Count 5, as
8
an alternative to Count 4).
United States District Court
For the Northern District of California
9
LinkedIn filed the present Motion to Dismiss the FAC on December 20, 2012. See Docket
10
Item No. 59. A hearing was held before the Court on February 8, 2013. See Minute Entry, Docket
11
Item No. 69.
12
13
II.
Discussion
14
A. Article III Standing
15
An Article III federal court must ask whether a plaintiff has suffered sufficient injury to
16
satisfy the “case or controversy” requirement of Article III of the U.S. Constitution. To satisfy
17
Article III standing, plaintiff must allege: (1) an injury in fact that is concrete and particularized, as
18
well as actual and imminent; (2) that the injury is fairly traceable to the challenged action of the
19
defendant; and (3) that it is likely (not merely speculative) that injury will be redressed by a
20
favorable decision. Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167,
21
180–81 (2000); Lujan v. Defenders of Wildlife, 504 U.S. 555, 561–62 (1992). A suit brought by a
22
plaintiff without Article III standing is not a “case or controversy,” and an Article III federal court
23
therefore lacks subject matter jurisdiction over the suit. Steel Co. v. Citizens for a Better
24
Environment, 523 U.S. 83, 101 (1998). In that event, the suit should be dismissed under Rule
25
12(b)(1). See id. at 109–10. A defendant may challenge standing through a Federal Rule of Civil
26
Procedure 12(b)(1) motion and may either attack the complaint on its face or the existence of
27
28
4
Case No.: 5:12-CV-03088 EJD
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS THE FIRST AMENDED
CONSOLIDATED CLASS ACTION COMPLAINT
1
jurisdiction in fact. Thornhill Publ’g Co. v. Gen. Tel. & Elecs. Corp., 594 F.2d 730, 732–33 (9th
2
Cir. 1979). At least one named plaintiff must have suffered an injury in fact. See Lierboe v. State
3
Farm Mut. Auto. Ins. Co., 350 F.3d 1018, 1022 (9th Cir. 2003) (“[I]f none of the named plaintiffs
4
purporting to represent a class establishes the requisite of a case or controversy with the
5
defendants, none may seek relief on behalf of himself or any other member of the class.”). The
6
party seeking to invoke federal court jurisdiction has the burden of establishing the constitutional
7
elements of standing. See Lujan, 504 U.S. at 561.
8
United States District Court
For the Northern District of California
9
10
B. Economic Harm
Plaintiffs argue that they have standing to sue under a theory of economic harm. In support
11
of this theory, they contend that they did not receive the full benefit of their bargain for the paid
12
premium memberships. Plaintiffs allege that in consideration of their payments, LinkedIn promised
13
to secure their personal information “with industry standard protocols and technology.” They also
14
contend that they would not have otherwise purchased the premium memberships had they known
15
that LinkedIn would not protect their information in the manner it had allegedly promised. The
16
2012 hacking incident, they argue, shows that they did not receive the promised security for which
17
they paid—thus amounting to economic harm.
18
Economic harm based on the “benefit of the bargain” theory Plaintiff proffers has been
19
recognized as a viable basis for standing. See, e.g., Chavez v. Blue Sky Natural Beverage Co., 340
20
Fed. App’x 359, 360–61 (9th Cir. 2009) (finding a sufficient pleading of injury-in-fact where a
21
plaintiff alleged that he would not have paid for allegedly mislabeled products had he known the
22
truth about the products’ geographic origins); Khasin v. Hershey, No. 12-CV-01862 EJD, 2012
23
WL 5471153, at *6 (N.D. Cal. Nov. 9, 2012) (finding sufficient standing where a plaintiff alleged
24
that he had “lost money or property when he purchased the [food] products in question because he
25
did not receive the full value of those products as advertised and labeled due to the alleged
26
misrepresentation”). In such cases, plaintiffs had standing to sue where they alleged that they
27
28
5
Case No.: 5:12-CV-03088 EJD
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS THE FIRST AMENDED
CONSOLIDATED CLASS ACTION COMPLAINT
1
would not have purchased a food product had they known that the product was not as advertised on
2
the product’s labeling. Id. The Court distinguishes those cases from the present case for several
3
reasons.
4
First, the FAC fails to sufficiently allege that Plaintiffs actually provided consideration for
the security services which they claim were not provided. Plaintiffs contend that in exchange for
6
the fees they paid for the premium membership account, LinkedIn promised, among other things,
7
to provide them with a particular level of security to protect their data. However, the User
8
Agreement and Privacy Policy are the same for the premium membership as they are for the non-
9
United States District Court
For the Northern District of California
5
paying basic membership. Any alleged promise LinkedIn made to paying premium account holders
10
regarding security protocols was also made to non-paying members. Thus, when a member
11
purchases a premium account upgrade, the bargain is not for a particular level of security, but
12
actually for the advanced networking tools and capabilities to facilitate enhanced usage of
13
LinkedIn’s services. The FAC does not sufficiently demonstrate that included in Plaintiffs’ bargain
14
for premium membership was the promise of a particular (or greater) level of security that was not
15
part of the free membership.
16
Second, unlike in the food-labeling misrepresentation cases, Plaintiffs do not even allege
17
that they actually read the alleged misrepresentation—the Privacy Policy—which would be
18
necessary to support a claim of misrepresentation. See Chavez, 340 Fed. App’x at 361–62; Kwikset
19
Corp. v. Superior Court, 51 Cal.4th 310 (2011). Because a causal connection between a
20
defendant’s actions and plaintiff’s alleged harm is required for standing, Plaintiffs have not
21
established standing based on an alleged misrepresentation.
22
Third, as Plaintiffs’ counsel asserted in oral arguments before the Court, Plaintiffs’ suit is
23
primarily based on an alleged breach of contract. 4 The essential elements of a breach of contract
24
25
26
27
28
4
Seven of the nine causes of action asserted in the FAC are rooted in breach of contract–related theories. The
remaining two—negligence and negligence per se—are inextricably connected to the agreement between Plaintiffs and
LinkedIn. In support of these causes of action Plaintiffs assert that LinkedIn had a duty to maintain a particular level of
security, this duty arising from the agreement. See FAC ¶ 123 (“By agreeing to accept Plaintiffs’ and the Class
members’ sensitive PII and the monthly fees paid to Defendant in order to use its services, Defendant assumed a duty,
6
Case No.: 5:12-CV-03088 EJD
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS THE FIRST AMENDED
CONSOLIDATED CLASS ACTION COMPLAINT
claim are (1) the contract, (2) plaintiff’s performance or excuse for nonperformance, (3)
2
defendant’s breach, and (4) the resulting damages to plaintiff. See Hamilton v. Greenwich
3
Investors XXVI, LLC, 195 Cal.App.4th 1602, 1614 (2011) (quoting Reichert v. General Ins. Co.,
4
68 Cal.2d 822, 830 (1968)). Plaintiffs contend that LinkedIn breached the contract by not providing
5
the level of security it allegedly promised to provide. The economic loss Plaintiff alleges—not
6
receiving the full benefit of the bargain—cannot be the “resulting damages” of this alleged breach.
7
Rather, this injury could only have occurred at some point before the breach, at the time the parties
8
entered into the contract. As such, the economic damages Plaintiffs proffer cannot form the basis of
9
United States District Court
For the Northern District of California
1
standing for their breach of contract–related claims. 5
10
And fourth, in cases where the alleged wrong stems from allegations about insufficient
11
performance or how a product functions, courts have required plaintiffs to allege “something more”
12
than “overpaying for a ‘defective’ product.” In re Toyota Motor Corp., 790 F. Supp. 2d 1152, 1165
13
n.11 (C.D. Cal 2011); see also Whitson v. Bumbo, No. C 07-05597 MHP, 2009 WL 1515597
14
(N.D. Cal. Apr. 16, 2009); Boysen v. Wallgreen Co., No. 11-CV-6262, 2012 WL 2953069 (N.D.
15
Cal. July 19, 2012). Plaintiffs do not argue that they did not receive security services; rather, they
16
argue the security services were defective in some way, as evinced by the 2012 hacking incident.
17
This is not the case where consumers paid for a product, and the product they received was
18
different from the one as advertised on the product’s packaging. See, e.g., Khasin, No. 12-CV-
19
01862 EJD, 2012 WL 5471153. Because Plaintiffs take issue with the way in which LinkedIn
20
performed the security services, they must alleged “something more” than pure economic harm.
21
See Toyota Motor Corp., 790 F. Supp. 2d at 1165. This “something more” could be a harm that
22
occurred as a result of the deficient security services and security breach, such as, for example,
23
theft of their personally identifiable information.
24
25
26
27
28
which required it to exercise reasonable care and safeguard that information and to utilize industry standard protocols
and technology to do so.”).
5
Plaintiff Wright does argue that the alleged security failure did cause damage to her in the form of an “increased
risk of future harm.” Pls.’ Opp’n to Def.’s Mot. to Dismiss 10. This argument will be address in Part II.B of this Order.
7
Case No.: 5:12-CV-03088 EJD
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS THE FIRST AMENDED
CONSOLIDATED CLASS ACTION COMPLAINT
1
2
For the foregoing reasons, Plaintiffs cannot rely solely on the “benefit of the bargain”
theory of economic harm to sufficiently meet the requirements for Article III standing.
3
C. Increased Risk of Future Theory
5
Plaintiff Wright offers an additional theory of injury-in-fact to support her claim of
6
standing. She contends that, as a result of the 2012 hacking incident and the posting of her
7
password on the Internet, there is now an increased risk of future harm. Pls.’ Opp’n to Def.’s Mot.
8
to Dismiss 10. The Court finds that standing on this ground has not been met because these
9
United States District Court
For the Northern District of California
4
allegations have not been alleged in the FAC. Plaintiff Wright merely alleges that her LinkedIn
10
password was “publically posted on the Internet on June 6, 2012.” FAC ¶ 49. In doing so, Plaintiff
11
Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identify
12
theft or theft of her personally identifiable information.
13
14
III.
Conclusion and Order
15
Because the Court has found that Plaintiffs have failed to meet the requirements of Article
16
III standing, Defendant LinkedIn’s Motion to Dismiss for lack of standing is GRANTED without
17
prejudice. Accordingly, Plaintiffs’ FAC will be DISMSSED WITH LEAVE TO AMEND. Any
18
amended
19
20
21
IT IS SO ORDERED.
22
Dated: March 5, 2013
23
24
_________________________________
EDWARD J. DAVILA
United States District Judge
25
26
27
28
8
Case No.: 5:12-CV-03088 EJD
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS THE FIRST AMENDED
CONSOLIDATED CLASS ACTION COMPLAINT
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
