Are Consumers Legally Damaged When a Free Service Fails to Protect Their Personal Information?


When consumers use a paid Internet service, and the service fails to protect their personally identifiable information (“PII”), the consumers can claim that they sustained a concrete injury.  They arguably paid something for the service, and did not receive the full benefit of what they expected, namely a service that protects their PII, especially when the service’s privacy policy says that it protects consumers’ PII.  These consumers have arguably lost money, such as the amount of money they paid for a worthless service, or at least the difference between the service as promised and the impaired value of the service they received. 

What happens, though, when consumers use free services?  Specifically, what happens when consumers give their PII to a free service, and a security breach occurs, compromising their PII?  They have not lost any money since they paid none in the first place.  Can these consumers’ PII act as a form of currency, which they use to “buy” the service?  If so, perhaps they were “damaged” by the loss of that value.  As a market reality, that scenario occurs for advertising-based free services.  In exchange for PII and receiving targeted ads, consumers obtain a service. 

Nonetheless, does the law recognize that PII can be a currency, so that if the ad-supported service allows a security breach, there is some kind of damage? A recent decision of Judge Phyllis Hamilton of the U.S. District Court for the Northern District of California addressed this novel issue of law in a case entitled Claridge v. RockYou, Inc., 2011 WL 1361588 (N.D. Cal. Apr. 11, 2011).  Judge Hamilton’s answer to the question is a “maybe” at the early stage of the case she faced.  In her decision, Judge Hamilton allowed some of the plaintiff’s claims to proceed, while eliminating others, and allowing the plaintiff to try again for two others. 

Plaintiff Alan Claridge used the free photo sharing service of RockYou.  RockYou, however, failed to implement controls to prevent SQL injection attacks, and as a result, an attacker exploited the vulnerability and compromised PII of RockYou’s users, apparently including the plaintiff’s.  Plaintiff Claridge brought a suit alleging numerous theories, and RockYou’s main argument was that Claridge did not suffer a concrete injury that the law can recognize.  RockYou moved to dismiss the case at its outset.

At the outset, the judge addressed the issue of standing.  Under Article III of the Constitution, the plaintiff can proceed in federal court only if he sustained a concrete or non-speculative injury.  The judge declined to say, as a matter of law, that Claridge cannot show an injury that the law can redress at the early stage of the case that she faced.  She warned the plaintiff, however, that he will have to show tangible harm from the disclosure of PII if the plaintiff’s claims survive long enough to go to trial.

The judge then dismissed some of the claims asserted by Claridge, because those claims failed as a matter of law, namely his Unfair Competition claim, his claim under California’s cybercrime law (Penal Code Section 502), and his claim under the California Consumer Legal Remedies Act.  The cybercrime claim failed, since the law does not contemplate liability for third-party hackers’ conduct.  The other two claims failed because the plaintiff was not someone who lost money paying for the service. 

The judge also dismissed two other claims, but gave Claridge permission to amend his complaint to restate them.  Specifically, Judge Hamilton dismissed Claridge’s claims under the Stored Communications Act, because plaintiff conceded his complaint misstated the section of the law under which he was proceeding.  The judge also dismissed Claridge’s claim for breach of the implied covenant of good faith and fair dealing, because he did not state facts showing a conscious or deliberate act of the defendant to deprive Claridge of the benefits of his agreement with RockYou.  The judge gave Claridge additional time to file an amended complaint, under which he is entitled to try again to plead these claims. 

Finally, Judge Hamilton allowed Claridge to proceed with his breach of contract claim, implied contract claim, negligence claim, and negligence per se claim.  In both the contract and negligence contexts, the plaintiff’s claims of damages were sufficient to overcome RockYou’s motion to dismiss.  Claridge will be able to proceed with these claims without the need for further amendment. 

Reading the opinion, my sense is that Judge Hamilton has her doubts that Claridge will be able to show “tangible harm” from the security breach.  Nonetheless, she is going to let him proceed into the discovery phase of the case to allow the parties to gather evidence to support their positions.  The plaintiff will need to explain the value of the PII provided to RockYou and how it benefits from the PII.  Perhaps Claridge will have an expert to assign some sort of value to the PII provided to RockYou.  Once the factual record is fully developed, the judge will likely once more face the question of whether the plaintiff has shown sufficient damages to support his claims.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
