RockYou.com Breach: $292K per user

There are many interesting elements to the recent decision on the RockYou.com case (Claridge v. Rockyou, Case No. 4:09-cv-06032-PJH) as clearly explained on the Data Privacy Monitor blog. Here are just a couple examples:

1) The company was found liable, due to marketing language found in their public privacy policy, for not preventing a breach.

The court’s decision also provides a practical consideration when drafting limitation of liability clauses for website privacy policies. RockYou.com’s privacy policy provided that: “RockYou! . . . assumes no liability or responsibility for . . . (III) any unauthorized access to or use of our secure servers and/or any and all personal information and/or financial information stored therein . . .” RockYou.com argued that this provision barred the plaintiff’s breach of contract claims. The court, however, found that the policy language did not automatically preclude the claim because the plaintiff alleged that the servers were not secure.

The servers stored passwords in plain text. The breach was based on a SQL injection attack that simply dumped all the passwords. Definitely not secure.

2) While the court dismissed 8 out of 9 complaints, it still heard the plaintiff’s argument that PII loses value (i.e., the user is harmed) if it is breached. The case ended in settlement, but the plaintiff’s argument was left standing.

The proposed settlement is very modest—under the proposed terms RockYou: (1) consents to a 36-month injunction during which it will retain a third-party to conduct two audits of its security policies concerning consumer records; (2) agrees to pay the plaintiff $2,000 as well as the plaintiff’s attorney’s fees of $290,000; and (3) represents and warrants that it is financially unable to provide the monetary relief sought by the plaintiff. Because only the plaintiff’s claims would be dismissed with prejudice, other putative class members may still assert claims for monetary damages. It is important to note that the proposed settlement does not vacate the district court’s April 2011 decision, leaving it of record for other plaintiffs to reference in future putative class actions.

OK, so the $292K is really $290K in legal fees — maybe RockYou.com put up quite a fight before settling. But they left themselves, and other companies, open to others who want to make the same arguments.
