Companies that experienced data security breaches may have to contend with more than just unhappy consumers and reputational injury. Both the Federal Trade Commission and private plaintiffs' class action lawyers have filed actions against companies after data breaches, claiming that the companies misrepresented the adequacy of their security measures and are liable for violating the terms of their own privacy policies.

In Szpyrka v. LinkedIn Corporation, hackers allegedly compromised LinkedIn's security system, stealing the passwords of approximately 6.5 million users and uploading them to a hacking forum. The plaintiff filed a class action lawsuit in the Northern District of California in June seeking damages from LinkedIn in excess of $5 million. Among other things, the complaint alleges that LinkedIn deceived users by stating in its privacy policy that members would be "protected with industry standards protocols and technology." The lawsuit charges that the company violated California's Unfair Competition Law, Business & Professions Code § 17200 and Consumer Legal Remedies Act, Civil Code § 1750, and that it breached its privacy agreement with consumers.

Similarly, in Federal Trade Commission v. Wyndham Hotels, the FTC filed a civil enforcement action in Arizona federal court, charging that the hotelier violated Section 5 of the FTC Act by failing to comply with the terms of its privacy policy. The FTC's complaint asserts that the company failed to meet its promise to "safeguard our Customers' personally identifiable information using standard industry practices" and to "take commercially reasonable efforts to create and maintain 'fire walls' and other appropriate safeguards" to protect consumer information.

Although both the LinkedIn and Wyndham actions included other allegations contending that the defendants' failures to protect the consumer data were separately actionable, in each case the companies' privacy policies provided the basis for the "deception" claims against the defendants.

For further information, see our June 2012 client alert here.