Typically, consumers have faced an uphill battle establishing damages following a data breach. However, in the recent case Claridge v. RockYou, Inc., the United States District Court for the Northern District of California acknowledged that claims arising out of the unauthorized disclosure of personal information are relatively new and given the lack of existing authority, declined to find as a matter of law that a plaintiff could not allege damages as a result of a data breach.
RockYou, a publisher and developer of online services and applications for use with social networking sites, learned in December 2009 that its computer system had an SQL injection flaw that would allow hackers to introduce malicious code into the company’s network and access its users’ webmail accounts. RockYou shut its website down and issued a press release regarding the flaw. However, before it did so, at least one confirmed hacker accessed RockYou’s database and copied the email and social networking credentials of approximately 32 million registered users. A class action lawsuit was filed in California federal court against RockYou following the breach, alleging, among other things, breach of contract and breach of the implied covenant of good faith and fair dealing.
RockYou moved to dismiss the complaint, in part, on the basis that plaintiff could not allege any injury and therefore lacked standing. Plaintiff argued that RockYou’s clients “pay” for certain products and services by providing PII. The PII constitutes valuable property that is exchanged not only for RockYou’s products and services, but also for RockYou’s promise to use commercially reasonable methods to safeguard the PII. By failing to protect the PII, RockYou caused plaintiff to lose the “value” of the PII.
Although the court expressed doubt that plaintiff ultimately will be able to prove his damages theory, the court nonetheless declined to hold that plaintiff had failed to allege an injury in fact. The court noted that “the context in which plaintiff’s theory arises – i.e., the unauthorized disclosure of personal information via the Internet – is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.” Given the “paucity of controlling authority regarding the legal sufficiency of plaintiff’s damages theory,” the court found that plaintiff’s allegations of harm were sufficient to survive a motion to dismiss.
While the court dismissed the vast majority of plaintiff’s claims, the court allowed plaintiff’s claims for breach of contract and breach of implied contract to stand. The court cautioned, however, that if during discovery it becomes apparent that no basis exists for plaintiff to show tangible harm as a result of the unauthorized disclosure of PII, the court will dismiss plaintiff’s claims for lack of standing.