For the second time in as many months, a Federal court has taken the atypical position of siding with the plaintiff in a suit for damages following a data breach.
The victory for the plaintiff in a lawsuit against RockYou claiming damages after the social gaming site suffered a cybersecurity breach may open up the gates to a flood of similar class action suits, say some experts. The suit claims negligence in the company’s security practices.
This is the second decision that goes against the grain of what have, up until now, been quick dismissals of such claims.
“The RockYou decision and the recent First Circuit decision in Hannaford stand out from the seemingly constant stream of decisions dismissing putative class actions filed against companies who disclose data breaches,” according to Data Privacy Monitor.
In the settlement phase of the case, the plaintiff was awarded only $2,000; however, RockYou also agreed to pay the plaintiff’s legal fees, which amounted to a hefty $290,000.
In Anderson v. Hannaford Bros., the court also said that customers whose personal information was compromised due to a breach are eligible to receive damages.
While this should keep CSOs and IT departments ever more vigilant in their efforts to protect customer data, there are some mitigating circumstances in the RockYou case.
According to the suit, RockYou failed to “secure and safeguard its users personally identifiable information,” by storing customer data in an unencrypted database. The company’s password protection was also extremely weak, not allowing its subscribers to use special characters and making five-character passwords permissible.
Among other claims, the plaintiff also said RockYou violated the Stored Communications Act.
Following a lengthy and obviously expensive two-year court battle, both sides cried uncle and reached the settlement presided over by the court.
RockYou denied any wrongdoing but concluded that continuing to defend the action against the company would be “burdensome and expensive.” At the same time, the plaintiff asserted that while the action had merit, the expense and length of time to continue the prosecution of the case, especially if there was a subsequent trial and then appeals -- along with the “uncertain” outcome -- made it best to reach a settlement.
Perhaps the most onerous part of the settlement for RockYou is having to agree to a three-year injunction during which it will have an outside firm conduct two audits of its security policies as they pertain to consumer records. On the other hand, it sounds like the company could use the audit to help improve its security.
The case was dismissed by the court with “prejudice,” leaving the door open for other consumers to assert claims for monetary damages.
Although neither the case against Hannaford nor the RockYou case resulted in a large settlement, it is obvious that, like an accident waiting to happen, one day soon a company will suffer a severe breach and it will not have the courts to back it up, leaving the door open to huge payoffs.
As someone once said, “You don’t need a weatherman to tell which way the wind blows.”