As certain as death and taxes are lawsuits filed by victims after their personal information is compromised in a breach.

Historically, however, these actions haven't gotten very far. Judges traditionally have followed the mindset that if the claimants cannot prove they suffered financial harm, the cases lack legal grounding.

But in a potentially precedent-setting court ruling, a federal judge in California has declined to dismiss a lawsuit filed against social media applications developer RockYou over a 2009 breach that exposed millions of user credentials.

Allowing the case to proceed may open the door for breach victims to obtain damages, even if there is no evidence that their personal data was used to perpetrate fraud, experts said.

“It's very interesting, but it's not as if the plaintiff has won,” said Gary Kibel, a New York data security lawyer. “They have gotten past a procedural step that no one else had gotten past.”

The case was filed after a hacker in late 2009 exploited an SQL injection vulnerability in RockYou.com to steal unencrypted user login credentials. Judge Phyllis Hamilton dismissed five claims but allowed four to survive, including breach of contract and negligence.

Ron Woerner, director of cybersecurity studies at Bellevue University in Nebraska, said the judge may be making an example of RockYou to show that companies must be responsible for implementing security best practices, such as data encryption, to protect customer information.

“It will be interesting to see if other judges jump on this bandwagon,” Woerner said. “I suspect they will.”
Most claimants involved in similar cases have unsuccessfully alleged harm based on the future risk of identity theft and out-of-pocket breach remediation costs.

But the plaintiff Alan Claridge novelly argued that RockYou's users pay for products and services by providing their personal information, which constitutes valuable property, according to court documents. A breach of that information thus causes it to lose value.

The judge doubted Claridge ultimately can prove this theory, but agreed to let him try. In a statement, RockYou's lawyer said the company plans to “defend this action vigorously” and is “gratified” that most of Claridge's claims were dismissed.

“There is a possibility that a jury could be convinced that the mere exposure of personal information, without any unauthorized use, is a harm,” Kibel said. “That would be a game changer.”