Judge denies LinkedIn's motion to toss password hacking suit

Summary:A user claims privacy policy was false advertising in 2012 theft of 6.5 million passwords.

A federal judge in California denied LinkedIn's motion to throw out a putative class action lawsuit over a 2012 breach that resulted in 6.5 million stolen passwords, citing the plaintiff's claim she was swayed by false and misleading labeling on the company's level of security.

U.S. District Judge Edward J. Davila in his order issued on Friday said LinkedIn would have to answer the plaintiff's allegations that the company did not accurately represent the site's security in its User Agreement and Privacy Policy.

The judge wrote that the plaintiff satisfied California’s Unfair Competition Law (UCL) by stating "she would not have bought the product but for the misrepresentation."

The judge dismissed two other claims the plaintiff, Kahlilah Wright, made in what was her second amended complaint against LinkedIn over the 2012 breach. The first, a $5 million class action lawsuit , was thrown out in March of last year by Judge Davila, who said Wright failed to prove harm.

In the second complaint, Wright offered new information, stating she had read LinkedIn's privacy policy regarding the use of industry standard security and relied on that information in her decision to purchase a premium account with LinkedIn.

It was that admission that Judge Davila focused on. He ruled that the plaintiff's allegations were sufficient to bring claims under the UCL and Article III of the U.S. Constitution. Further, the court ruled that Wright's "injury is likely to be redressed by a favorable decision because restitution is an available remedy under the UCL."

Wright had cited previous cases where deceptively labeled or advertised products led a consumer to purchase that product.

In its arguments, LinkedIn held the labeling/advertising cases were different because LinkedIn's privacy policy was not contained in a label or advertisement. Davila's order said the privacy policy was within the scope of other labeling and advertising cases.

LinkedIn said that Wright would not have understood its security level even if it had stated it was using SHA-1 encryption. Wright, however, contended that given such a disclosure that consumers would have learned that the encryption was not "industry standard" by word-of-mouth or through the media.

Judge Davila scheduled a management conference on June 6 for the two sides to discuss the case. Ironically, it was that same date in 2012 when hackers posted approximately 6.5 million stolen LinkedIn passwords on the Internet including Wright's password.

Topics: Security

About

John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, as well as, directs several social media channels and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.