Technology Law Alerts

May 4th, 2011

Data Security

Data security breaches are in the news, and companies that experience them are taking public relations hits and suffering loss of consumer confidence. If your business model requires you to collect personal consumer data, you may want to hear about a recent federal case that makes it much easier for consumers to sue companies for data security breaches.

Class action.

In Claridge v. RockYou, Inc., a federal district court judge declined to dismiss a class action lawsuit arising from the loss of personal consumer information gathered by RockYou.com ("RockYou"), a website that creates applications for use with social networking sites such as Facebook and MySpace. Although no money is exchanged, RockYou users must provide an e-mail address, password and, in some cases, log-in information to a social networking site. RockYou’s privacy policy states that it “uses commercially reasonable physical, managerial, and technical safeguards” to protect consumer data. In 2009, Rock You became aware that its system contained a security flaw that allowed hackers to access consumer data. After RockYou issued a press release announcing the breach and stating that it had taken immediate remedial action, one of its customers, Alan Claridge, filed a class action lawsuit, alleging that RockYou failed to employ commercially reasonable methods to safeguard the consumer data.

Is data loss – without more – a legally sufficient injury?

Claridge appeared to suffer no measurable damage from the breach, because the hackers apparently did not use Claridge’s personal data for nefarious purposes such as accessing his bank accounts, stealing his identity, or destroying his credit rating. So RockYou filed a motion to dismiss based, in relevant part, on Claridge’s lack of standing under Article 3 of the U.S. Constitution.  (In order to sue someone in federal court, you have to allege that you suffered an "injury in fact" – that is a "concrete, tangible, non-speculative harm or loss.") Claridge argued that his personal information was "valuable property" that he exchanged for RockYou’s products and services - and its promise to safeguard that information. While recognizing that personal-information-as-valuable-property was a “novel theory of damages” and expressing “doubts about [Claridge’s] ultimate ability to prove his damages,” the court denied the motion to dismiss, refusing to hold that Claridge had failed to allege an "injury in fact."

Why this matters.

If this theory of damages is adopted by other courts, companies will find it harder to dispose of weak claims at an early stage, adding yet another element to the rising cost of security breaches. In any case, companies must not ignore the importance of protecting consumer data and responding quickly to security breaches. As an initial step, companies should review their online privacy policies to ensure they are keeping their promises to protect personal data.

If you have questions about this alert or any other privacy law matters, please contact Nicole Hyland at (212) 826 5522 or nhyland@fkks.com, Brian Murphy at (212) 826 5577 or bmurphy@fkks.com, or any other member of the Frankfurt Kurnit Technology, Digital Media and Privacy Group.