Nearly as predictable as the sun coming up in the morning, the recent theft of 6.5 million LinkedIn user passwords has resulted in the filing of a class action lawsuit in a California federal court. In her complaint, a LinkedIn premium subscriber asserts claims on behalf of all LinkedIn users for breach of implied and express contractual obligations, negligence and violation of California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200.
Although the attack affected the passwords of just over 5% of LinkedIn’s approximately 120 million users, plaintiff purports to assert claims on behalf of all LinkedIn users. Although plaintiff alleges classwide damages in excess of $5,000,000 (the jurisdictional threshold for federal court jurisdiction over the state law claims advanced in the complaint) it is unclear what damages plaintiff alleges that the class actually sustained by reason of merely losing passwords. Some commentators have hypothesized that the propensity to use a single password for multiple online accounts could result in losses where non-LinkedIn accounts are accessed using an individual’s LinkedIn password. Proving that such losses have occurred, however, would require highly individualized showings that would likely preclude adjudicating plaintiff’s claims as a class action. Even less clear is what conceivable damages were allegedly sustained by LinkedIn users whose passwords were not stolen. Thus, as with most privacy class actions, damages issues appear to pose the greatest obstacle to the success of the claims against LinkedIn.