LinkedIn Seeks Dismissal Of Data-Breach Lawsuit

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.mediapost.com/publications/article/202519/linkedin-seeks-dismissal-of-data-breach-lawsuit.html#axzz2WV7G7p1P

Social networking service LinkedIn is asking a judge to slam the
courthouse door on a user who is trying to bring a class-action
lawsuit against the company for failing to prevent a data breach.

LinkedIn says that the consumer, Virginia resident Khalilah Wright,
still hasn't set out sufficient allegations to proceed with their
lawsuit, which alleges that the company didn't use basic encryption
techniques to secure personally identifiable information.

A previous version of Wright's lawsuit was dismissed in March, but the
dismissal was without prejudice -- which enabled Wright to amend her
claims and try again.

The lawsuit stems from an incident last June, when hackers obtained
access to the company's servers and then posted 6.4 million users'
passwords online. Wright, who purchased a premium LinkedIn membership,
says in her latest complaint that she wouldn't have done so had she
known the company used “obsolete” security measures.

“Had LinkedIn informed its Premium Subscribers that it would use
security measures that were obsolete before the iPhone or Twitter were
first released, Wright would not have been willing to purchase her
LinkedIn Premium Subscription at the price charged, if at all,” she
alleges in her most recent court papers, filed in April.

She alleges that LinkedIn violated various California business laws
and also broke its contract with her.

When Davila dismissed the earlier version of the case, he said in the
ruling that Wright hadn't shown that she paid membership fees in
exchange for additional security measures. But Wright's latest
complaint includes a declaration from an expert, computer scientist
Serge Egelman, who says his research shows that consumers who pay Web
sites for memberships expect extra security.

“Through a survey I conducted the week of April 1, 2013, I determined
that when consumers pay for a 'premium” social networking service,
they expect their information to be protected with a heightened level
of security, and that, at a bare minimum, industry-standard security
protocols will be used to guard their information,” Egelman stated in
court papers.

LinkedIn argues that Wright shouldn't be able to proceed in federal
court without first showing that she suffered an injury. “Wright does
not allege any harm other than her allegation that she overpaid,”
LinkedIn argues in papers filed on Thursday with U.S. District Court
Judge Edward Davila in San Jose, Calif. “She does not allege that the
criminal password theft resulted in or will result in any harm to her;
indeed, she does not even allege that her password was stolen.”

LinkedIn is asking Davila to dismiss Wright's complaint with
prejudice, which would prevent her from bringing it again
.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.