Data Security Breach Supported Contract, Negligence Claims

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

An individual could have sustained an injury in fact from the failure of a publisher and developer of online services and applications for use with social networking sites (“RockYou”) to secure and safeguard its users' sensitive personally identifiable information (PII), sufficient to support contract and negligence claims brought under California common law, on behalf of himself and a purported class of similarly situated persons, according to the federal district court in Oakland.

The individual failed, however, to allege actionable injuries in support of his claims that RockYou violated the California Unfair Competition Law, Computer Crimes Law, and Consumer Legal Remedies Act. The statutory claims were dismissed with prejudice.

Collection, Storage of Personal Information

The individual—a registered user who had given RockYou his e-mail address and password in order to sign up to use a photo sharing application—asserted that RockYou collected and stored millions of users' PII in a large-scale commercial database, in “clear” or “plain” text, with no form of encryption, so that the PII was readily accessible to anyone with access to the database.

RockYou allegedly was negligent by failing to store passwords in a “hashed” form or to use any other common and reasonable method of data protection.

In December 2009, RockYou disclosed to users that one or more hackers had illegally breached its database and acknowledged that, at the time of the breach, the hacked database had not been up to date with industry-standard security protocols.

Contract and Negligence Claims

With regard to the contract and negligence claims, the individual sufficiently alleged a general basis for the requisite injury or harm by alleging that the breach of his PII caused him to lose some ascertainable but unidentified value or property right inherent in the PII, the court said.

The claims were not automatically precluded by a provision of RockYou's privacy policy, which stated that RockYou assumed no liability for third-party breaches of its secure servers. The individual asserted that RockYou's servers were not, in fact, secure.

The individual's allegations did not, however, rise to the level of stating a breach of the implied covenant of good faith and fair dealing, the court decided. The alleged misconduct did not involve conscious or deliberate actions by RockYou.

Unfair Competition Law

Although the breach of his PII could constitute a general form of “harm,” the individual failed to allege any loss of money or property as a result of RockYou's conduct, as required for a claim under the California Unfair Competition Law, the court determined.

The individual's contention that his PII constituted “currency” strained the acceptable boundaries of injury under the Act. To the extent that the individual claimed that his PII was “property,” he could not establish that his PII was “lost,” for purposes of the Act. His e-mail login and password did not cease to belong to him or pass beyond his control.

Computer Crimes Law

RockYou’s alleged failure to secure and safeguard its users' sensitive personally identifiable information (PII) would not violate California’s Computer Crimes law, in the court’s view. The statute prohibited any person from knowingly and without permission accessing or providing a means for another to access a computer system or network.

RockYou was not a proper defendant under this provision, the court said. RockYou's alleged failure to utilize reasonable data security methods did not constitute “providing a means” for third-party hackers to illegally access RockYou's database.

Consumer Legal Remedies Act

The individual failed to allege that he was a “consumer” within the meaning of the California Consumer Legal Remedies Act. He did not “purchase or lease” any goods or services from RockYou, as required for CLRA standing. There was no authority supporting the individual's contention that the CLRA covered intangible forms of payment, such as the individual's PII, the court said.

The decision is Claridge v. RockYou. Inc., CCH Privacy Law in Marketing ¶60,620.