Michael H. Rubin

Rubin is global vice chair of Latham & Watkins’ technology industry group, where he specializes in data privacy and security, class action defense, regulatory investigations and emerging companies. Clients include Facebook Inc., Apple Inc., Lyft Inc., Turn Inc., LG Electronics Inc. and Norton LifeLock Inc.

He co-led the successful defense for Facebook in a consolidated consumer data breach potential class action in which the plaintiffs asserted a $6 billion damages claim. Rubin and colleagues pared the case down to a single named plaintiff pursuing a single cause of action for negligence with an individual damages claim of $36 plus potential injunctive relief regarding security practices. Adkins v. Facebook Inc., 3:18-cv-05982 (N.D. Cal., filed Sept. 28, 2018).

The Latham team defeated class certification in November 2019. This year the parties agreed to a no-damages settlement, which is pending court approval. Rubin obtained the big win using techniques similar to those he employed in achieving dismissal of another major potential class action against online ad tech company Turn in 2019.

In both cases, “Our aggressive discovery undercut allegations regarding things that turned out not to have actually happened,” Rubin said.

The Facebook case arose from a criminal attack on the social media giant’s web platform that affected some 29 million users globally. Eleven lawsuits with 16 named plaintiffs asserting 10 causes of action were filed in the U.S. and consolidated before U.S. District Judge William H. Alsup of San Francisco. “From the start, we made sure we took meaningful plaintiff depositions,” Rubin said. “When we got them in the chair and talked to them, it became clear their claims of harm were flimsy.” News of the tough questions Rubin and his team asked in the first depos reached those still waiting to be deposed, leading some to exit the case altogether.

In his opposition to class certification, Rubin pointed out that the plaintiffs sued on the same day Facebook notified the public of the breach. “The strategy of sue first, sort later, has revealed its own vulnerabilities,” he wrote, including the fact that 16 of the 18 plaintiffs had dropped out of the case, the court had dismissed another for failure to identify any harm traceable to the attack and the court had dismissed with prejudice most of the claims in the complaint.

The remaining plaintiff admitted that his assertion that he was “bombarded” with phishing emails following the attack and lost time “sorting through” them was incorrect, Rubin noted.

“Like the Turn case, once we cut through the noise of inflated allegations to the nub, we could get the court to see what was happening,” Rubin said. “So many data breach cases are assumed to be settlement cases from the start that they are not really litigated. That’s not true with our defendants. Not with Latham.”

— John Roemer