An Illinois woman has filed a US$5 million (NZ$6.27 million) lawsuit against LinkedIn, saying the social network violated promises to consumers by not having better security in place when more than 6 million customer passwords were stolen.
The lawsuit, which was brought in federal court in San Jose, California, on June 15 and seeks class-action status, was filed less than two weeks after the stolen passwords turned up on websites frequented by computer hackers.
The attack on Mountain View, California-based LinkedIn, an employment and professional networking site with more than 160 million members, was the latest massive corporate data breach to have attracted the attention of class-action lawyers.
A federal judicial panel last week consolidated nine proposed class-action lawsuits in Nevada federal court against online shoe retailer Zappos, a unit of Amazon.com, over its January disclosure that hackers had siphoned information affecting 24 million customers.
The LinkedIn lawsuit was filed by Katie Szpyrka, a user of the website from Illinois. In court papers, her Chicago-based law firm, Edelson McGuire, said LinkedIn had "deceived customers" by having a security policy "in clear contradiction of accepted industry standards for database security."
LinkedIn spokeswoman Erin O'Harra said the lawsuit was without merit and was driven "by lawyers looking to take advantage of the situation."
"No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured," O'Harra said on Wednesday.
Legal experts say that meaty settlements in online customer data theft cases will likely be difficult to obtain because plaintiffs will have to show that they were actually harmed by a breach.
"In consumer security class actions, the demonstration of harm is very challenging," said Ira Rothken, a San Francisco-based lawyer at the Rothken Law Firm, which handles similar cases for plaintiffs.
If it turns out that the LinkedIn breach was limited to customer passwords and not corresponding email addresses, it will be that much harder for plaintiffs to prove they were harmed by the hack, Rothken said.
Edelson, a boutique firm that has long litigated data breach and Internet privacy lawsuits, scored a success in March when it obtained a settlement against social gaming company RockYou over a 2009 data breach.
In that case, a federal judge in Oakland, California, allowed a suit handled by Edelson against RockYou to proceed on breach of contract grounds - allegations Edelson has repeated against LinkedIn. Under the March 28 settlement, RockYou denied wrongdoing, but agreed to pay Edelson US$290,000 in legal fees.