Enter to open, tab to navigate, enter to select
LinkedIn's $1.25 Million Data Breach Settlement Approved: N.D. Cal.
Practical Law Legal Update 1-618-9797 (Approx. 3 pages)
LinkedIn's $1.25 Million Data Breach Settlement Approved: N.D. Cal.
by Practical Law Intellectual Property & Technology
| Published on 25 Sep 2015 • USA (National/Federal) |
The US District Court for the Northern District of California has approved a $1.25 million settlement in In re LinkedIn User Privacy Litigation. Among other things, the settlement requires Linkedin to pay approximately $15 to each user who purchased a premium membership to the service.
On September 15, 2015, the US District Court for the Northern District of California approved a proposed class action settlement in In re LinkedIn User Privacy Litigation, where customers who paid for a premium membership alleged that their personal information was compromised in a 2012 data breach (No. 12-CV-03088, (N.D. Cal. Sept. 15, 2015) (Order)). The settlement requires LinkedIn Corporation to:
- Pay a total of $1.25 million into a settlement fund. Approximately $15 will be paid to each of the nearly 50,000 class members who purchased premium memberships to the site.
- Employ both "salting" and "hashing" security measures to protect users' passwords for at least five years.
LinkedIn, the owner and operator of an online professional network for its users, sold premium accounts at prices ranging from $19.95 to $499.95 a month, which offered alleged premium services, including:
- LinkedIn's social and professional networking services.
- Increased networking tools and capabilities.
- Industry standard data privacy and security services.
On June 6, 2012, Linkedin suffered a data breach that compromised approximately 6.4 million LinkedIn users' passwords. Less than ten days later, a LinkedIn user sued the company in the Northern District of California.
The court initially dismissed the plaintiff's claims for lack of standing, based on claims that she had not suffered an injury in fact. However, by November 2012, the court had consolidated three similar suits, and let the class of plaintiffs proceed on behalf of LinkedIn users who had paid for a monthly premium account and whose personal information was compromised in the data breach. The plaintiffs alleged that:
- LinkedIn's Privacy Policy states that users' information will be protected by industry standard protocols and technologies.
- LinkedIn used outdated data security measures.
- They would not have purchased premium memberships if they had known LinkedIn's security measures were out of date.
In approving the settlement, the court reasoned:
- The proposed settlement was appropriately advertised to class members through several methods, including:
- a direct e-mail to members of the settlement class to the addresses used in connection with their LinkedIn accounts; and
- the creation of a detailed settlement website which allowed class members to file a claim online.
- Although the plaintiffs' claimed that they paid for industry standard data security which LinkedIn failed to provide, proving these claims would have entailed a "battle of the experts" with an uncertain outcome.
- The approximately $15 per class member represents a significant portion of the recovery that class members could expect if they were to achieve total victory at trial.
While attorneys' fees will also be paid out of the settlement fund, the court denied the amount requested by the parties on the basis that it exceeded the benchmark for fees established in the district. The court thus ordered a fee in accordance with the benchmark amount. In addition, the court rejected the parties' request that the plaintiff representative be awarded a $7,500 incentive fee and instead ordered that the plaintiff was entitled to a $5,000 fee.