Loss of Personal Information in Security Breach Results in Loss of Some “Unidentified Value”

Craig Hoffman discusses a ruling in a lawsuit against RockYou over a security breach that is noteworthy for the plaintiff’s somewhat novel approach to demonstrating injury due to the breach:

A December 2009 SQL injection attack against social network application maker RockYou.com’s database resulted in the breach of 32 million log-in credentials ( e-mail address and password). Not only did RockYou.com store the log-in credentials of its users in plain text, it also stored those user’s log-in credentials for social networking sites like Facebook and MySpace in plain text as well.


In its April 18, 2011, decision, as an initial matter, the court found that the plaintiff had standing to file the suit (by alleging an injury in fact) in the form of the loss of value of PII. The basis for refusing to find that the plaintiff lacked standing was the “paucity of controlling authority regarding the legal sufficiency of plaintiff’s damages theory” as well as the court’s determination that “the unauthorized disclosure of personal information via the Internet is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.” The court did indicate that it “has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”


The court’s decision also provides a practical consideration when drafting limitation of liability clauses for website privacy policies. RockYou.com’s privacy policy provided that: “RockYou! . . . assumes no liability or responsibility for . . . (III) any unauthorized access to or use of our secure servers and/or any and all personal information and/or financial information stored therein . . .” RockYou.com argued that this provision barred the plaintiff’s breach of contract claims. The court, however, found that the policy language did not automatically preclude the claim because the plaintiff alleged that the servers were not secure.

Read more on Data Privacy Monitor.

So the plaintiff lives to fight another round, although the court’s doubts suggest that this case ultimately will not prevail. It does serve as a useful reminder to companies, however, that liability disclaimers may only protect you if your servers actually are as secure as you have assured users they are.

About the author: Dissent

Comments are closed.