Exposing PII May Be Injury In Fact

The unauthorized disclosure of personal information via the Internet may be an “injury in fact” sufficient to maintain an action in federal court.

A federal judge in California refused to dismiss a case where the plaintiff pled that his personally identifiable information (PII), including his email address, password and logon credentials, was made available to hackers because the defendant kept the PII in plain text with no form of encryption. Plaintiff did not allege any monetary damages. The judge found that “the unauthorized disclosure of personal information via the Internet—is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.  For that reason, and although the court has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”

The defendant, RockYou, Inc., is a publisher and developer of online services and applications for use with social networking sites such as Facebook, MySpace, hi5, and Bebo. Users are able to share photos, write special text on a friend’s page, or play games with other users. RockYou states on its website that it “uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information.” However, plaintiff alleges that the PII is stored in plain text with no form of encryption, making it readily accessible to even the least capable hacker.

In December 2009, RockYou was notified of a security problem with its database and that hackers were regularly discussing the site’s vulnerability in underground hacker forums. In at least one instance, the email and login credentials of RockYou’s 32 million registered users were accessed and copied.

Plaintiff sued under the Stored Communications Act, California’s unfair competition law, breach of contract, and negligence. The court granted defendant’s motion to dismiss as to the Stored Communications Act and unfair competition counts but allowed plaintiff to replead under the Stored Communications Act.  The judge allowed plaintiff to continue with the breach of contract and negligence claims.

Claridge v. RockYou, Inc., N.D. Calif., No. C 09-6032 PJH, issued April 11, 2011.