
Plaintiff Narrowly Avoids Dismissal in Data Breach Case Based on Finding that PII Could Have Value

Published: Apr. 20, 2011

Updated: Oct. 05, 2020

The Northern District of California denied Defendant RockYou, Inc.’s motion to dismiss in Claridge v. RockYou, Inc., No. C 09-6032 PJH, making this data-breach case one of the first to proceed beyond discovery. In Claridge, the Plaintiff brought suit alleging that the defendant had failed to secure and safeguard personally identifiable information (“PII”), including email addresses, passwords and login credentials for social networks.

RockYou creates applications for social networking sites that are used to share photos or play games with others. Claridge was an account holder with RockYou, and had submitted his e-mail address and password to use RockYou’s photo sharing application. The complaint alleges that, in late 2009, a security firm notified RockYou of a security problem with its SQL database, and that a hacker could compromise its database through a SQL injection flaw. Prior to fixing the flaw and prior to being warned, a hacker accessed RockYou’s database and copied the unencrypted email and social networking login credentials of approximately 32 million registered RockYou users.

The Court first addressed standing, a roadblock that has stopped many a data breach lawsuit, and found that the Plaintiffs’ admittedly “novel” damages theory was sufficient to demonstrate the necessary “injury in fact.”  Plaintiff argued that PII constitutes “valuable property that is exchanged not only for defendant’s products and services, but also in exchange for RockYou’s promise to employ commercially reasonable methods to safeguard PII that is exchanged.”  As a result of the breach, Plaintiff allegedly lost “the ‘value’ of their PII, in the form of their breached personal data.”  The Court accepted this theory, but notably expressed its skepticism, stating that “the court has doubts about plaintiff’s ultimate ability to prove his damages theory in this case…”

The Court went on to dismiss all of Plaintiffs’ claims except those for breach of contract, breach of implied contract, and negligence, and granted Plaintiffs leave to amend their SCA claim. Specifically, the Court again noted its skepticism about Plaintiff’s loss by dismissing his claims under California’s Unfair Competition Law (“UCL”), stating that the injury traceable to loss of PII “strains the acceptable boundaries of ‘injury’ under the statute” because PII is neither “currency” nor “property” that was “lost” under the UCL: the PII (login and password) did not “cease to belong to him, or pass beyond his control.”

While this ruling is troubling for companies that experience data breaches of PII because it allows plaintiffs’ claims to survive through discovery, the opinion demonstrates that proving damages will ultimately remain difficult for plaintiffs, and the claims they may bring for loss of PII are limited.