Remember the RockYou breach that was disclosed in December 2009? It still ranks as one of the 10 biggest breaches of all time in terms of number of records involved – 32 million users’ login credentials were involved. A lawsuit over the breach created a buzz last year when it did not get dismissed out of hand for lack of standing or failure to demonstrate unreimbursed financial harm. Now Craig Hoffman reports that there is a proposed settlement in the case:
The parties in the Claridge v. RockYou case submitted a proposed settlement agreement to the court for approval on November 14, 2011. This case, which was filed shortly after RockYou disclosed a breach that compromised 32 million log-in credentials, received national attention in the spring. In April 2011, the California federal district court declined to dismiss the plaintiff’s breach of contract and negligence claims by finding that: “at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified “value” and/or property right inherent in the PII.” Notwithstanding the court’s skepticism concerning the plaintiff’s ultimate ability to prove any actual damages, the court’s recognition of a property right in personal information sufficient to meet the Article III standing requirement was immediately advanced by plaintiffs in other similar cases. Indeed, the RockYou decision and the recent First Circuit decision in Hannaford stand out from the seemingly constant stream of decisions dismissing putative class actions filed against companies who disclose data breaches.
The terms of the proposed settlement will undoubtedly raise some eyebrows because the plaintiff only gets $2,000 while the attorney gets $290,000. But the settlement would prevent a possible loss if the case goes forward and would allow the earlier ruling to stand, which might be of help to others in future cases. You can read more on Data Privacy Monitor.