The parties in the Claridge v. RockYou case submitted a proposed settlement agreement to the court for approval on November 14, 2011. This case, which was filed shortly after RockYou disclosed a breach that compromised 32 million log-in credentials, received national attention in the spring. In April 2011, the California federal district court declined to dismiss the plaintiff’s breach of contract and negligence claims by finding that: “at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified “value” and/or property right inherent in the PII.” Notwithstanding the court’s skepticism concerning the plaintiff’s ultimate ability to prove any actual damages, the court’s recognition of a property right in personal information sufficient to meet the Article III standing requirement was immediately advanced by plaintiffs in other similar cases. Indeed, the RockYou decision and the recent First Circuit decision in Hannaford stand out from the seemingly constant stream of decisions dismissing putative class actions filed against companies who disclose data breaches.
The proposed settlement is very modest—under the proposed terms RockYou: (1) consents to a 36-month injunction during which it will retain a third-party to conduct two audits of its security policies concerning consumer records; (2) agrees to pay the plaintiff $2,000 as well as the plaintiff’s attorney’s fees of $290,000; and (3) represents and warrants that it is financially unable to provide the monetary relief sought by the plaintiff. Because only the plaintiff’s claims would be dismissed with prejudice, other putative class members may still assert claims for monetary damages. It is important to note that the proposed settlement does not vacate the district court’s April 2011 decision, leaving it of record for other plaintiffs to reference in future putative class actions.