• by Wendy Davis  @wendyndavis, April 19, 2011

In a ruling that could impact a broad swath of online privacy lawsuits, a federal judge has held that application developer RockYou can be sued for a security breach that exposed users' email addresses and passwords. U.S. District Court Judge Phyllis Hamilton in the Northern District of California rejected RockYou's argument that the case should be dismissed at an early stage on the grounds that the security breach did not result in any economic losses to consumers.

While people typically must show some sort of economic damages to get into court, Hamilton ruled that the allegations that personally identifiable information was disclosed were sufficient for the case to proceed to the next stage of litigation.

"The context in which plaintiff's theory arises -- i.e., the unauthorized disclosure of personal information via the Internet -- is itself relatively new, and therefore, more likely to raise issues of law not yet settled in the courts," Hamilton wrote in an opinion issued last week.

The ruling means that a lawsuit filed by Alan Claridge of Evansville, Indiana, alleging that RockYou improperly stored users' email addressees and passwords can now go to discovery -- the process by which parties obtain evidence in preparation for trial. But Hamilton also wrote in her ruling that she might dismiss the case at a later date. "If it becomes apparent, through discovery, that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of personal information, the court will dismiss plaintiff's claims," she wrote.

Until late last year, RockYou allegedly stored users' information without "hashing, salting or any other common and reasonable method of data protection," according to Claridge's original complaint. But a security firm informed RockYou about the potential hacking threat in early December, following which the company instituted new measures, according to the lawsuit. Before then, however, at least one person, "igigi," allegedly accessed a database with 32 million user names and passwords.

Claridge, who used a RockYou photo-sharing application, alleged that RockYou was negligent, and that it broke its contract with users by failing to adequately protect their data, among other counts.

Even though Hamilton's ruling stems from an alleged security breach and not data leakage to ad networks, the decision deals with one of the main issues that has emerged in privacy litigation: Whether users can sue Web companies for exposing data when the users haven't suffered any economic damages.

Already the ruling has surfaced in arguments in at least one other privacy lawsuit -- a potential class-action against gaming developer Zynga for allegedly leaking users' personal information through referrer headers.

Zynga is arguing that the lawsuit should be dismissed for several reasons, including that disclosing users' names doesn't harm them. But in papers filed last week with the U.S. District Court for the Northern District of California, the users who are suing say that the recent RockYou decision supports their argument that disclosure of personal information can constitute an injury.

Michael Aschenbrener, a lawyer who represents users in both the RockYou and Zynga lawsuits, says that Hamilton's decision could prove helpful to his clients in the Zynga case. "The security distinction here does separate the case somewhat, but the principles behind it are largely similar," says Aschenbrener of the firm Edelson McGuire.

At the same time, RockYou could ultimately prevail in the case despite Hamilton's recent decision, says Seattle-based Internet law expert Venkat Balasubramani. That's because the ruling only allows the case to proceed to the next stage of litigation. But RockYou will still be entitled to prevail on charges that it broke its contract with users, or was negligent, if the users didn't suffer any tangible losses.