Court Preliminarily Approves Facebook Data Breach Settlement

On Sunday in the Northern District of California, United States District Judge William Alsup issued an order granting preliminary settlement approval between Facebook and the class of Facebook users affected by a 2018 data breach; under the settlement, Facebook has agreed to various security commitments for the next five years.

Specifically, the suit arose from a September 2018 Facebook hack, whereby “certain access tokens permitted access to Facebook users’ accounts, but a previously unknown vulnerability made these tokens sometimes visible to strangers. Hackers exploited this flaw in September 2018 to access 300,000 accounts. Once inside, the hackers ran two search queries. The first yielded the names and telephone numbers and/or e-mail addresses of fifteen million users worldwide (2.7million in the United States). The second yielded more sensitive information on fourteen million users worldwide (1.2 million in the United States), including the original 300,000.” In February 2019, five named plaintiffs filed a consolidated complaint, but in August 2019, only plaintiff Stephen Adkins and two claims. The certified class for injunctive purposes is: “all current Facebook users residing in the United States whose personal information was compromised in the data breach announced by Facebook on September 28, 2018.”

The court noted that “a class settlement must offer fair, reasonable, and adequate relief.” Furthermore, “[p]reliminary approval is appropriate if ‘the proposed settlement appears to be the product of serious, informed, non-collusive negotiations, has no obvious deficiencies, does not improperly grant preferential treatment to class representatives or segments of the class, and falls within the range of possible approval.”

Judge Alsup claimed that the settlement agreement for which the plaintiff has sought preliminary approval of “imposes a battery of security commitments to prevent future similar attacks.” For instance, Facebook must certify that the vulnerability used in the breach has been fixed, that it is not possible to create access tokens as was done in the breach and that access tokens created and granted through the exploited vulnerability are now invalid. Additionally, Facebook will take a series of security commitments for the next five years to prevent future attacks, such as “increas[ing] the frequency of integrity checks on session updates to detect account compromises,” “implement[ing] new tools to detect suspicious patterns in the generation and use of access tokens across Facebook,” “undergo[ing] annual SOC2 Type II security assessments,” among other measures. Facebook will be assessed on its compliance with these commitments annually by a third-party vendor, the results will be confidential but shared with the court and an expert to verify Facebook’s compliance. As a result, the court found the proposed settlement adequate.

In particular, Judge Alsup stated that the proposed settlement satisfies the main goal of injunctive relief in this suit, namely, “elimination of the vulnerability and Facebook’s commitment to security measures to protect not just class members but all Facebook users’ personal information.” Most of the commitments are voluntary measures, but two are prior practices that Facebook has agreed to continue. Facebook claimed that none of these measures have been taken as a result of another court or regulatory order. The court emphasized that an outside third-party would assess Facebook’s compliance with these commitments, which it felt “becomes the real value for the class” and noted that if “legal or technological developments render any provision of the proposal obsolete, the parties will work to update the settlement agreement.” The court also found that the proposal “appears to be the product of serious, non-collusive negotiations,” as required for approval. Moreover, the court stated that class notice is “reasonably calculated” in these circumstances, but had three minor changes for the proposed notices, such as a final approval hearing taking place telephonically because of the COVID-19 pandemic. Angeion Group will be the class administrator in this suit.

The court has also agreed to seal certain documents around Facebook’s “specific testing parameters and triggering events,” which Facebook alleged, could harm users if hackers obtained access to this information.

The class will be notified by December 30, 2020, and counsel will move for final approval, fees, costs, and the plaintiff’s service award by February 8, 2021. The final approval hearing is set for April 8, 2021.

Facebook is represented by Latham & Watkins. The plaintiff and class are represented by Cohen Milstein Sellers & Toll; Morgan & Morgan Complex Litigation Group; and Tadler Law.