Facebook fails to kill class-action lawsuit over data breach

Judge William Alsup warned Facebook he would authorize a “bone-crushing” discovery process on behalf of affected users.
Facebook hate speech takedown

A proposed class action lawsuit against Facebook will move forward after a judge disagreed with the company’s contention it should not be held liable for failing to protect users’ information.

Facebook last year announced that a data breach allowed hackers to make off with information about some 30 million people. A vulnerability in Facebook’s code enabled outsiders to access to users’ digital access tokens, which make it possible to visit the site without logging in each time.

The company had previously claimed that some of the plaintiffs’ information was not “sensitive” because it was accessible on a public Facebook profile and no real harm had been done because attackers had failed to steal users’ financial information and passwords. Additionally, the company said it should be absolved from responsibility due to the sophistication of the hack.

U.S. District Judge William Alsup disagreed, ruling on June 21 that the evidence-gathering phase of the case should proceed “with alacrity.”


“The lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information,” Alsup ruled. “Further, some of the information here was private, and plaintiff plausibly placed trust in Facebook to employ appropriate data security. From a policy standpoint, to hold that Facebook has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers’ personal data to turn a blind eye and ignore known security risks.’”

Facebook learned of the data breach on September 14, 2018 and its security team isolated the engineering flaws on September 25. The company told users who might have been affected on September 28, forcing them to log-out and re-enter their credentials. The incident sparked eleven class action lawsuits, which were consolidated into this case, and distilled to include ten complaints including breach of contract, negligence and violations of unfair competition law.

Judge Alsup previously warned Facebook’s legal team he would authorize a “bone-crushing” discovery process on behalf of affected users, according to Law360. Alsup also said user concerns are worth “real money,” rather than “some cosmetic injunctive relief.”

This is one of the many legal matters besieging Facebook. The Silicon Valley giant’s data-sharing deals with technology companies are under criminal investigation, according to the New York Times. Meanwhile, the company is preparing to pay a reported $5 billion to settle a Federal Trade Commission probe into whether it improperly shared information about tens of millions of users with Cambridge Analytica.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts