Peter A Clarke

Data breaches can attract litigation, both in the form of class actions but also individual claims arising out the unauthorised disclosure of health records.  It can compound heavy reputational loss. The article LinkedIn’s Data Breach Settlement Moves Forward reports on the resolution of a lawsuit arising out of the 2012 breach of Linked In’s network.  The tentative agreement of $1.25 million seems significant until the class size ranges from 20,000 to 50,000 claimants.

The article provides:

A federal judge has tentatively approved LinkedIn’s $1.25 million settlement of a class-action lawsuit stemming from a 2012 data breach.

“The settlement agreement falls within the range of possible approval as fair, reasonable, adequate, and in the best interests of the class,” U.S. District Court Judge Edward Davila in the Northern District of California wrote in an order issued on Thursday.

Davila’s order only grants the deal “preliminary” approval, meaning that he could still reject the settlement after a final hearing.

The settlement agreement calls for LinkedIn to pay up to $50 to some of the users who purchased premium memberships to the service. The social-networking company also promises that for the next five years, it will protect users’ passwords by “salting” and “hashing” them.

LinkedIn’s paid users can submit a claim, but only if they declare that they read the privacy policy and were influenced by the company’s statements about security. Between 2007 and 2012, LinkedIn garnered around 800,000 premium subscribers, who paid at least $19.95 a month for membership, according to court papers.

But class counsel estimates in court papers that only 20,000 to 50,000 subscribers will be able to qualify for payments from the settlement fund. Any money that isn’t distributed to class members will go to three nonprofits: the Center for Democracy and Technology, World Privacy Forum and the Carnegie Mellon CyLab Usable Privacy and Security Laboratory.

The litigation stems from an incident in 2012 when hackers obtained access to the company’s servers and then posted 6.4 million users’ passwords online. Shortly after the data breach, Virginia resident Khalilah Gilmore-Wright, a paid LinkedIn subscriber, alleged in a class-action lawsuit that she wouldn’t have purchased a premium LinkedIn membership if she had known the company used “obsolete” security measures.

Davila’s order requires LinkedIn or a settlement administrator to notify users about the deal via email by Feb. 26. He will hold the next hearing on June 18, when he will hear arguments about whether to grant final approval to the settlement.