A federal judge in California denied LinkedIn's motion to throw out a putative class action lawsuit over a 2012 breach that resulted in 6.5 million stolen passwords, citing the plaintiff's claim she was swayed by false and misleading labeling on the company's level of security.
The judge wrote that the plaintiff satisfied California’s Unfair Competition Law (UCL) by stating "she would not have bought the product but for the misrepresentation."
The judge dismissed two other claims the plaintiff, Kahlilah Wright, made in what was her second amended complaint against LinkedIn over the 2012 breach. The first, a $5 million class action lawsuit, was thrown out in March of last year by Judge Davila, who said Wright failed to prove harm.
It was that admission that Judge Davila focused on. He ruled that the plaintiff's allegations were sufficient to bring claims under the UCL and Article III of the U.S. Constitution. Further, the court ruled that Wright's "injury is likely to be redressed by a favorable decision because restitution is an available remedy under the UCL."
Wright had cited previous cases where deceptively labeled or advertised products led a consumer to purchase that product.
LinkedIn said that Wright would not have understood its security level even if it had stated it was using SHA-1 encryption. Wright, however, contended that given such a disclosure that consumers would have learned that the encryption was not "industry standard" by word-of-mouth or through the media.
Judge Davila scheduled a management conference on June 6 for the two sides to discuss the case. Ironically, it was that same date in 2012 when hackers posted approximately 6.5 million stolen LinkedIn passwords on the Internet including Wright's password.