Legal battle over LinkedIn breach could be costly

LinkedIn, the professional social networking site facing a $5 million-plus lawsuit for a massive breach earlier this month, may win its impending legal battle. But victory will probably not come cheap. Legal bills mount up quickly, especially with an "aggressive" defense, which LinkedIn has promised.

Unless the suit, filed on behalf of lead plaintiff Katie Szpyrka and a potential cast of millions of other coplaintiffs, is settled quickly and quietly, it is likely to provide regular public reminders, for months or possibly years, of what happened and why. That, as marketing people say, is not good for "brand identity."

The 6.5 million member password hashes, which were posted on a Russian hacker forum, had been easily cracked because LinkedIn was using only a rudimentary hashing algorithm that is not even close to the current industry standard.

And that encryption weakness is what the lawsuit cites repeatedly in its seven allegations, including violation of California business and professional code; violations of California civil code; breach of contract; breach of the implied covenant of good faith and fair dealing; breach of implied contracts; negligence; and negligence per se.


Szpyrka, listed on LinkedIn as a senior associate at the Chicago offices of UGL Equis, a global real estate firm focused on business clients, is represented by Sean P. Reis of Edelson McGuire LLP, a law firm in Rancho Santa Margarita, Calif. The suit is seeking certification as a class-action lawsuit on behalf of all LinkedIn users compromised by the hack.

The suit doesn't allege violations of any specific cybersecurity law, but complains that the company violated its own privacy policy, which asserts that it will "safeguard its users' sensitive PII (personally identifiable information), specifically that: 'All information you provide will be protected with industry standard protocols and technology.'"

By its own admission, LinkedIn was not in compliance with the industry standard, which is to "salt" the hashes -- merge the hashed passwords with another combination and then hash them for a second time.
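The contrast the article draws, as an added example that is not part of the original story: a single unsalted pass versus a per-user salt with an iterated hash. It assumes LinkedIn's leaked hashes were unsalted SHA-1 (widely reported at the time, not stated above); the sample accounts and the PBKDF2 work factor are constructed for the demonstration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: illustrative PBKDF2 work factor; tune to your hardware


def hash_unsalted(password: str) -> str:
    """One plain SHA-1 pass, the weak scheme at issue in the article.
    The same password always yields the same digest, for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: bytes | None = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256, stored as
    'pbkdf2$iterations$salt_hex$digest_hex' so verification can recompute it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_digest_groups(table: dict[str, str]) -> list[set[str]]:
    """Audit helper: group accounts whose stored hashes are byte-identical.
    With unsalted hashes, any group larger than one exposes password reuse
    (and lets one cracked digest unlock every account in the group);
    with salted hashes, no such groups exist."""
    by_digest: dict[str, set[str]] = {}
    for user, digest in table.items():
        by_digest.setdefault(digest, set()).add(user)
    return [users for users in by_digest.values() if len(users) > 1]


# Constructed sample accounts (not real LinkedIn data).
SAMPLE = {"alice": "linkedin", "bob": "linkedin", "carol": "correct horse battery"}
UNSALTED_TABLE = {u: hash_unsalted(p) for u, p in SAMPLE.items()}
SALTED_TABLE = {u: hash_salted(p) for u, p in SAMPLE.items()}

if __name__ == "__main__":
    print("unsalted reuse groups:", shared_digest_groups(UNSALTED_TABLE))  # [{'alice', 'bob'}]
    print("salted reuse groups:", shared_digest_groups(SALTED_TABLE))      # []
    print("alice verifies:", verify_salted("linkedin", SALTED_TABLE["alice"]))  # True
```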

LinkedIn, however, invokes the classic defense in data breach cases to contend the suit is "without merit."

LinkedIn spokeswoman Erin O'Harra told Cameron Scott of the IDG News Service: "No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured. Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation."

So, now that the dueling sound bites have been issued, how vulnerable is LinkedIn really?

The likelihood is that it is not very vulnerable. The courts have so far declined to award damages to plaintiffs who cannot prove actual damages. Legal experts reviewing a string of lawsuits, also in California, over breaches of personal medical information told CSO in April that judges are well aware that 100-percent security on the Internet simply does not exist, given the speed and sophistication of attacks.

There are numerous examples of breaches of companies that are in compliance, which makes it much more difficult to prove negligence. Indeed, the Oregon Supreme Court recently struck down a class-action suit against Providence Health Systems that had been settled six years ago, finding no evidence that any of 365,000 patients whose data had been on disks/tapes that were stolen from a Providence employee's car had suffered any financial loss or other adverse consequences.

"We are aware of no other jurisdiction that has allowed recovery for negligent infliction of emotional distress in circumstances where the alleged distress is based solely on concern over the increased risk that a plaintiff's personal information will, at some point in the future, be viewed or used in a manner that could cause the plaintiff harm," the court said then.

The suit against LinkedIn goes to some length to assert that actual damages have occurred, arguing that, "plaintiff and the class members ... have lost money in the form of the value of their personal data. They have lost property in the form of their breached personal data, which is of great value to LinkedIn, LinkedIn advertisers and malicious actors. SubClass members have lost money in the form of monthly membership fees."

But it does not offer specifics -- only that the PII, "...has ascertainable value to be proven at trial."

It is not certain, of course, that precedent will prevail. Rebecca Herold, an information security, privacy and compliance consultant known as the "Privacy Professor," said while the precedent so far is not to award damages that cannot be proven, "I see the trend will likely be changing as judges, courts and lawyers come to understand better how such breaches can have damages long-term, in many downstream systems that were attached in some way to the breached system."

For example, she said, many LinkedIn users may use the same password on other systems as they used on LinkedIn, even though that practice is strongly discouraged by security experts.

But those other accounts may now be breached, even though the LinkedIn account itself may not have been breached, Herold said.

Todd Thiemann, senior director of product marketing for Vormetric, said when the breach became public that among the still unanswered questions were, "How did the bad guys get this information? And if they got that, what else did they get?"

Those questions will be at the heart of the pending litigation.

Stories by Taylor Armerding