This is page 2 of:
Judge Rules That A Large Data Breach Is Not Proof Of Inadequate Security
The court did not raise the related question, namely, “Did the customers actually make that LinkedIn upgrade purchase based on a security promise buried within a lengthy privacy statement? Really? That’s actually the argument you want to hang your case on? Shall we poll a couple of thousand random LinkedIn upgraded customers and ask them, open-ended, why upgraded and see how many cite the level of password encryption being used?”
To be clear, the prior question is ours, not the judge’s. We’ll get back to what the judge said now.
The court pointed out that, technically, the loss had to be related to the breach and not to a payment made long before the breach happened. “Plaintiffs contend that LinkedIn breached the contract by not providing the level of security it allegedly promised to provide. The economic loss Plaintiff alleges—not receiving the full benefit of the bargain—cannot be the ‘resulting damages’ of this alleged breach. Rather,
this injury could only have occurred at some point before the breach, at the time the parties entered into the contract. As such, the economic damages Plaintiffs proffer cannot form the basis of standing for their breach of contract–related claims.”
The court also ruled that case law—prior significant decisions from other key courts—raises the bar for this type of lawsuit.
“In cases where the alleged wrong stems from allegations about insufficient performance or how a product functions, courts have required plaintiffs to allege ‘something more’ than ‘overpaying for a “defective” product,'” the judge wrote. “Plaintiffs do not argue that they did not receive security services. Rather, they argue the security services were defective in some way, as evinced by the 2012 hacking incident. This is not the case where consumers paid for a product, and the product they received was different from the one as advertised on the product’s packaging. Because Plaintiffs take issue with the way in which LinkedIn performed the security services, they must allege ‘something more’ than pure economic harm. This ‘something more’ could be a harm that occurred as a result of the deficient security services and security breach, such as, for example, theft of their personally identifiable information.”
A point the court did not address was exactly what “industry standard protocols and technology” means. Presumably, such a phrase would be a matter for various retail security experts to testify about in court, arguing whether what the retailer did at the time would have been considered reasonable. The question of “reasonable” would be determined not necessarily by current security procedures but by what was being used at the time.
Also—and this is key—the phrase isn’t promising cutting-edge approaches or even the best approaches. All it’s promising, in effect, is that “we’re doing what almost everyone else is doing.” As long as similarly sized rivals are handling their security roughly as well—or as poorly—as you are, you are indeed using industry-standard mechanisms.
If a shopper ever sues a major chain on the basis that the security of all retail is inadequate, the arguments—and decisions—might be radically different. For now, though, this was a very retail-friendly ruling.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
