After a massive breach of LinkedIn passwords, the social network was sued for failing to live up to its own privacy policy. Will the organization be held liable?
In June, a group of hackers stole more than six million LinkedIn passwords and posted them to a Russian website. The passwords were not encrypted at all; they were stored as unsalted SHA-1 hashes, and the hackers posted them looking for help cracking them, a feat which was quickly accomplished for most of them.
After the passwords were posted, LinkedIn confirmed it had been breached. In a blog post acknowledging the breach, LinkedIn noted that the site had only recently started using stronger security measures, including “salting” passwords, a process that combines a random, per-user value with each password before it is hashed, so that identical passwords produce different hashes and an attacker cannot reuse one precomputed table of hashes against every account.
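The following is an added illustration, not code from LinkedIn or from the original article, of why an unsalted hash dump cracks so quickly and what salting changes. The user list and attacker wordlist are constructed for the example, and the salted scheme uses PBKDF2-HMAC-SHA256 with a random per-user salt, which goes a step beyond the plain salting the post describes by also making each guess expensive.

```python
import hashlib
import hmac
import os

# Constructed sample data for the example (not real LinkedIn data).
# Two users share the same weak password, which is common in any large site.
USERS = {
    "alice": "linkedin",
    "bob": "linkedin",
    "carol": "correct horse battery staple",
}

# Constructed attacker wordlist: the guesses a cracker would try first.
WORDLIST = ["123456", "password", "linkedin", "qwerty"]

# Work factor for the salted scheme (assumed value for the example).
ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme: plain SHA-1 of the password, identical for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Dictionary attack against unsalted hashes.

    Each guess is hashed once and the result is looked up against every
    stored hash, so the cost is len(wordlist) hash operations regardless of
    how many users there are, and every user with the same password falls
    at once. Returns (recovered passwords, number of hash operations).
    """
    table = {unsalted_sha1(w): w for w in wordlist}  # built once, reused for all users
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(wordlist)


def salted_hash(password: str, salt: bytes) -> bytes:
    """The stronger scheme: random per-user salt plus a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_salted(password: str) -> tuple:
    """Returns (salt, digest); the salt is stored alongside the digest."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification itself does not leak timing."""
    return hmac.compare_digest(salted_hash(password, salt), digest)


def crack_salted(stored: dict, wordlist: list) -> tuple:
    """The same dictionary attack against salted hashes.

    No shared table is possible: each guess must be re-derived per user with
    that user's salt, and every derivation costs ITERATIONS rounds. Weak
    passwords still fall, but only one account at a time and far more slowly.
    Returns (recovered passwords, number of KDF operations).
    """
    found, ops = {}, 0
    for user, (salt, digest) in stored.items():
        for guess in wordlist:
            ops += 1
            if verify_salted(guess, salt, digest):
                found[user] = guess
                break
    return found, ops


if __name__ == "__main__":
    unsalted_db = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted_db = {u: store_salted(p) for u, p in USERS.items()}
    print("alice and bob share an unsalted hash:", unsalted_db["alice"] == unsalted_db["bob"])
    print("unsalted crack:", crack_unsalted(unsalted_db, WORDLIST))
    print("alice and bob share a salted digest:", salted_db["alice"][1] == salted_db["bob"][1])
    print("salted crack:", crack_salted(salted_db, WORDLIST))
```

Run stand-alone, the script shows the two shared-password accounts collapsing to one identical unsalted hash and being recovered with four SHA-1 operations in total, while the salted store gives them different digests and forces the attacker to spend a full KDF derivation per guess per account. Salting alone does not rescue a weak password; it removes the one-pass, whole-database attack that the leaked dump invited.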
After becoming aware of the incident, LinkedIn invalidated the passwords for affected accounts and sent a notice to those users telling them they had to change their passwords.
Lawsuit filed against LinkedIn
Despite those actions, a class action suit was filed, seeking $5 million in damages for the users whose LinkedIn passwords were stolen.
The complaint against LinkedIn doesn’t claim the social network violated any specific laws relating to information security. Rather, the suit argues that LinkedIn broke a promise to users laid out in the site’s Privacy Policy, which says “all information that [users] provide will be protected with industry standard protocols and technology.”
According to the complaint, LinkedIn failed to follow industry standards when it neglected to salt its password database and when it failed to detect the breach and instead found out about it from the public.
Do the victims have a case? Even if the company deserves a portion of the blame for the breach, LinkedIn may avoid legal liability. First, what exactly is considered “industry standard” could be open to considerable debate.
Second, so far there haven’t been any reports of a LinkedIn user suffering any tangible harm as a result of the breach — and previous data breach lawsuits have been dismissed after victims failed to show they suffered damages.