Judge denies LinkedIn's motion to toss password hacking suit

A federal judge in California denied LinkedIn's motion to throw out a putative class action lawsuit over a 2012 breach that resulted in 6.5 million stolen passwords, citing the plaintiff's claim she was swayed by false and misleading labeling on the company's level of security.

U.S. District Judge Edward J. Davila in his order issued on Friday said LinkedIn would have to answer the plaintiff's allegations that the company did not accurately represent the site's security in its User Agreement and Privacy Policy.

The judge wrote that the plaintiff satisfied California’s Unfair Competition Law (UCL) by stating "she would not have bought the product but for the misrepresentation."

The judge dismissed two other claims the plaintiff, Kahlilah Wright, made in what was her second amended complaint against LinkedIn over the 2012 breach. The first, a $5 million class action lawsuit, was thrown out in March of last year by Judge Davila, who said Wright failed to prove harm.

In the second complaint, Wright offered new information, stating she had read LinkedIn's privacy policy regarding the use of industry standard security and relied on that information in her decision to purchase a premium account with LinkedIn.

It was that admission that Judge Davila focused on. He ruled that the plaintiff's allegations were sufficient to bring claims under the UCL and Article III of the U.S. Constitution. Further, the court ruled that Wright's "injury is likely to be redressed by a favorable decision because restitution is an available remedy under the UCL."

Wright had cited previous cases where deceptively labeled or advertised products led a consumer to purchase that product.

In its arguments, LinkedIn held the labeling/advertising cases were different because LinkedIn's privacy policy was not contained in a label or advertisement. Davila's order said the privacy policy was within the scope of other labeling and advertising cases.

LinkedIn said that Wright would not have understood its security level even if it had stated it was using SHA-1 encryption. Wright, however, contended that given such a disclosure that consumers would have learned that the encryption was not "industry standard" by word-of-mouth or through the media.

Judge Davila scheduled a management conference on June 6 for the two sides to discuss the case. Ironically, it was that same date in 2012 when hackers posted approximately 6.5 million stolen LinkedIn passwords on the Internet including Wright's password.