A December 2009 SQL injection attack against the database of social network application maker RockYou.com resulted in the breach of 32 million log-in credentials (e-mail address and password). Not only did RockYou.com store its users' log-in credentials in plain text, it also stored those users' log-in credentials for social networking sites such as Facebook and MySpace in plain text.
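The two defects named above compound each other: the injection lets an attacker rewrite the login query into a bulk read of the users table, and plain-text storage means what comes back is immediately usable. The following added example (written for this page; it is not RockYou.com's code, and the schema, account names and work factor are constructed assumptions) shows a string-built login query being repurposed as a credential dump, beside a hardened version that uses a parameterised query and stores only a salted PBKDF2 hash. Note that hashing only helps for the site's own passwords; credentials for a third-party site that the application needs to replay cannot be hashed, which is the case for delegated tokens or, failing that, encryption with a key held outside the database.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; not RockYou.com's schema or data.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correct horse battery"),
]

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware budget


def setup_plaintext_db(users=SAMPLE_USERS):
    """Schema in the style the post criticises: passwords stored as typed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", users)
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 from the standard library; any slow KDF would do."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def setup_hashed_db(users=SAMPLE_USERS):
    """Hardened schema: per-user random salt plus a slow hash, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, password in users:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?)",
            (email, salt, hash_password(password, salt)),
        )
    return conn


def login_vulnerable(conn, email: str, password: str):
    """Builds the query with string formatting, so the caller controls SQL structure.

    Returns every value in the first result column (normally just the matched
    e-mail), which is exactly what an injected UNION repurposes to exfiltrate data.
    """
    sql = "SELECT email FROM users WHERE email = '%s' AND password = '%s'" % (email, password)
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, email: str, password: str) -> bool:
    """Parameterised lookup, then constant-time comparison of the derived hash."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        # Burn a KDF anyway so a missing account is not detectable by timing.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


# Injection payload: closes the e-mail literal, appends a UNION that selects
# "email:password" pairs, and comments out the rest of the original query.
DUMP_PAYLOAD = "' UNION SELECT email || ':' || password FROM users --"


if __name__ == "__main__":
    plain = setup_plaintext_db()
    print("dump via injection:", login_vulnerable(plain, DUMP_PAYLOAD, "x"))
    hashed = setup_hashed_db()
    print("valid login:", login_hardened(hashed, "alice@example.com", "hunter2"))
    print("same payload, hardened:", login_hardened(hashed, DUMP_PAYLOAD, "x"))
```

Against the plain-text schema the payload returns both accounts as ready-to-use `email:password` strings. Against the hardened login the payload is just an unknown e-mail address, and even a separate injection elsewhere in the application would only yield salts and hashes that still have to be cracked one by one.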

After the hacker disclosed the RockYou.com breach and RockYou.com notified its users, a RockYou.com user filed a putative class action complaint in the U.S. District Court for the Northern District of California (Claridge v. RockYou, Case No. 4:09-cv-06032-PJH). The amended complaint asserted nine claims, including violations of the Stored Communications Act, three different California statutory claims, breach of contract, and negligence. To demonstrate some tangible harm caused by the breach, the amended complaint alleged that RockYou.com users "pay" RockYou.com for its products and services by providing RockYou.com with their personally identifiable information (PII), in exchange for RockYou.com's promise that it would use commercially reasonable methods to secure that PII. The amended complaint further alleged that, as a result of RockYou.com's role in allowing the breach that exposed users' PII, the users lost the "value" of their PII.

RockYou.com moved to dismiss all of the claims. In its April 18, 2011, decision, the court found as an initial matter that the plaintiff had standing to sue, having alleged an injury in fact in the form of the lost value of his PII. The court declined to find a lack of standing because of the "paucity of controlling authority regarding the legal sufficiency of plaintiff's damages theory" and because "the unauthorized disclosure of personal information via the Internet is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts." The court did caution that, although it "has doubts about plaintiff's ultimate ability to prove his damages theory in this case, the court finds plaintiff's allegations of harm sufficient at this stage to allege a generalized injury in fact."

With regard to the nine claims, the court dismissed the Stored Communications Act claim and all three claims based on California statutes. The court, however, declined to dismiss the breach of contract and negligence claims, finding that "at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified 'value' and/or property right inherent in the PII." The court also concluded that "plaintiff's allegations that he was injured by defendant's actions in permitting the unauthorized and public disclosure of his PII, which had some unidentified but ascertainable value, are sufficient to allege an actual injury at this stage."

The court's decision also offers a practical lesson for drafting limitation of liability clauses in website privacy policies. RockYou.com's privacy policy provided that: "RockYou! . . . assumes no liability or responsibility for . . . (III) any unauthorized access to or use of our secure servers and/or any and all personal information and/or financial information stored therein . . ." RockYou.com argued that this provision barred the plaintiff's breach of contract claim. The court, however, found that the policy language did not automatically preclude the claim, because the plaintiff alleged that the servers were not secure. A disclaimer scoped to "secure servers" offers no shelter when the complaint is precisely that the servers were not secure.