Loss of Personal Information in Security Breach Results in Loss of Some “Unidentified Value”
Craig Hoffman discusses a ruling in a lawsuit against RockYou over a security breach that is noteworthy for the plaintiff’s somewhat novel approach to demonstrating injury due to the breach:
A December 2009 SQL injection attack against social network application maker RockYou.com’s database resulted in the breach of 32 million log-in credentials ( e-mail address and password). Not only did RockYou.com store the log-in credentials of its users in plain text, it also stored those user’s log-in credentials for social networking sites like Facebook and MySpace in plain text as well.[…]
In its April 18, 2011, decision, as an initial matter, the court found that the plaintiff had standing to file the suit (by alleging an injury in fact) in the form of the loss of value of PII. The basis for refusing to find that the plaintiff lacked standing was the “paucity of controlling authority regarding the legal sufficiency of plaintiff’s damages theory” as well as the court’s determination that “the unauthorized disclosure of personal information via the Internet is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.” The court did indicate that it “has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”[…]
Read more on Data Privacy Monitor.
So the plaintiff lives to fight another round, although the court’s doubts suggest that this case ultimately will not prevail. It does serve as a useful reminder to companies, however, that liability disclaimers may only protect you if your servers actually are as secure as you have assured users they are.