Legal battle over LinkedIn breach could be costly

In addition to legal costs, the social networking site's brand could be hurt if the case is not settled quickly

By Taylor Armerding, CSO
June 28, 2012 08:25 AM ET

CSO - LinkedIn, the professional social networking site facing a $5 million-plus lawsuit for a massive breach earlier this month, may win its impending legal battle. But victory will probably not come cheap. Legal bills mount up quickly, especially with an "aggressive" defense, which LinkedIn has promised.

Unless the suit, filed on behalf of lead plaintiff Katie Szpyrka and a potential cast of millions of other coplaintiffs, is settled quickly and quietly, it is likely to provide regular public reminders, for months or possibly years, of what happened and why. That, as marketing people say, is not good for "brand identity."

The 6.5 million member password hashes, which were posted on a Russian hacker forum, had been easily cracked because LinkedIn was storing them with only a rudimentary, unsalted hashing scheme that is not even close to the current industry standard.

And that password-hashing weakness is what the lawsuit cites repeatedly in its seven allegations, including violation of the California business and professional code; violations of the California civil code; breach of contract; breach of the implied covenant of good faith and fair dealing; breach of implied contracts; negligence; and negligence per se.

Szpyrka, listed on LinkedIn as a senior associate at the Chicago offices of UGL Equis, a global real estate firm focused on business clients, is represented by Sean P. Reis of Edelson McGuire LLP, a law firm in Rancho Santa Margarita, Calif. The suit is seeking certification as a class-action lawsuit on behalf of all LinkedIn users compromised by the hack.

The suit doesn't allege violations of any specific cybersecurity law, but complains that the company violated its own privacy policy, which asserts that it will "safeguard its users' sensitive PII (personally identifiable information), specifically that: 'All information you provide will be protected with industry standard protocols and technology.'"

By its own admission, LinkedIn was not in compliance with the industry standard, which is to "salt" the hashes -- combine each password with an additional random value, the salt, before hashing it and then hash the result again, so that two users with the same password do not end up with the same stored hash.
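As an added illustration, not from the article or from LinkedIn, the code below contrasts the unsalted scheme described above with a salted, iterated one. The page does not name LinkedIn's hash algorithm, so SHA-1 is assumed for the unsalted case, and the accounts and the short list of common passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): two users chose the same weak password.
USERS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "c0rrect-h0rse-9x"}
# Constructed stand-in for a precomputed table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "linkedin123"]


def hash_unsalted(password: str) -> str:
    """One fast hash over the bare password: the scheme the article criticises.
    The page does not name the algorithm; SHA-1 is assumed here."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt combined with the password and hashed many times
    (PBKDF2-HMAC-SHA256); the salt is stored alongside so verification can redo it."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def shared_digest_accounts(store: dict[str, str]) -> int:
    """Accounts whose stored value equals another account's value. Any count above
    zero is an audit red flag for an unsalted store; a salted store always gives 0."""
    counts: dict[str, int] = {}
    for value in store.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(c for c in counts.values() if c > 1)

def recoverable_with_table(store: dict[str, str]) -> int:
    """Accounts matched by a single precomputed table of unsalted digests. With a
    per-user salt the same table matches nothing, so every account costs separate work."""
    table = {hash_unsalted(p) for p in COMMON_PASSWORDS}
    return sum(1 for value in store.values() if value in table)

def build_stores() -> tuple[dict[str, str], dict[str, str]]:
    """Build the same accounts two ways: unsalted SHA-1 and salted PBKDF2."""
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p, os.urandom(16)) for u, p in USERS.items()}
    return unsalted, salted
```

Running the two audit functions over each store shows the unsalted one leaking which users share a password and falling to a single lookup table, while the salted one reports zero on both counts.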

LinkedIn, however, invokes the classic defense in data breach cases to contend the suit is "without merit."

LinkedIn spokeswoman Erin O'Harra told Cameron Scott of the IDG News Service: "No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured. Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation."

So, now that the dueling sound bites have been issued, how vulnerable is LinkedIn really?

The likely answer is: not very. The courts have so far declined to award damages to plaintiffs who cannot prove actual damages. Legal experts reviewing a string of lawsuits, also in California, over breaches of personal medical information told CSO in April that judges are well aware that 100-percent security on the Internet simply does not exist, given the speed and sophistication of attacks.
