
Torts
Negligence

Stephen Adkins, an individual and Michigan resident, on behalf of himself and all others similarly situated v. Facebook Inc.

Published: Apr. 15, 2022 | Result Date: May 6, 2021 | Filing Date: Feb. 7, 2019

Case number: 3:18-cv-05982-WHA

Settlement – Non-monetary relief

Judge

William H. Alsup

Court

USDC Northern District of California


Attorneys

Plaintiff

John A. Yanchunis
(Morgan & Morgan Complex Litigation Group)

Andrew N. Friedman
(Cohen, Milstein, Sellers & Toll PLLC)

Ariana J. Tadler
(Tadler Law LLP)


Defendant

Andrew B. Clubok
(Latham & Watkins LLP)

Elizabeth L. Deeley

Michael H. Rubin
(Latham & Watkins LLP)

Melanie M. Blunschi
(Latham & Watkins LLP)

Serrin Turner
(Latham & Watkins LLP)


Facts

On September 28, 2018, Facebook, Inc. announced that it had been the subject of a cyberattack resulting in the compromise of certain information that users had provided to Facebook. The attack was the result of a coding error, allowing hackers to steal access tokens, which were designed to enable users to stay logged into Facebook without reentering accounts. With these access tokens, the unauthorized individuals were able to take over user accounts, which affected approximately four million users in the United States. The attackers gained access to names and email addresses or phone numbers of all affected users. Additionally, for a portion of the affected users, the attackers gained access to other personally identifiable information (PII), such as a user's date of birth, workplace, education, and hometown, among others, that users had provided on their profiles. Stephen Adkins brought a class action against Facebook. The action was brought on behalf of Facebook users residing in the United States whose personal information was compromised in the data breach.

Contentions

PLAINTIFFS' CONTENTIONS: Plaintiffs contended that defendant had inadequate data security and knowingly failed to adequately protect users' personal information. Specifically, plaintiffs alleged that defendant knew that the tokens were a security risk and still chose not to protect plaintiffs' PII. Plaintiffs also claimed that defendant failed to warn users of its inadequate information security practices and failed to effectively monitor and control those on Facebook's network who present a threat. Plaintiffs also contended that defendant knew for years about the security vulnerability that led to the data breach and consciously disregarded the risk it posed to the safety of users' PII.

DEFENDANT'S CONTENTIONS: Defendant conceded that Facebook users had PII stolen as a result of the coding error but otherwise denied all contentions.

Settlement Discussions

The parties engaged in a mediation session facilitated by the Honorable Joseph C. Spero. The parties also engaged in additional communications in furtherance of settlement, including the negotiation and finalization of a proposed notice plan and settlement term sheet.

Damages

Plaintiffs claimed lost or diminished value of PII; out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII; lost opportunity costs associated with attempting to mitigate the consequences of the data breach; the continued risk to their PII, which remained in defendant's possession and was subject to further unauthorized disclosures; and future costs in terms of loss of time, effort, and money that was to be expended to monitor, prevent, detect, contest, and repair the impact of the PII compromised as a result of the data breach for the remainder of the plaintiffs' lives. Plaintiffs also sought punitive damages.

Result

The case settled. Under the settlement agreement, Facebook promises to prevent attacks similar to the data breach at issue by updating Facebook's tools, processes, and systems for detecting suspicious activity and account compromise, authenticating users, and responding to and containing a security incident. In addition, Facebook committed to obtaining certain outside assessments related to product security and vulnerability management controls, and to continue employing at least one senior security executive with direct reporting authority and obligations to Facebook's Board of Directors. Facebook also certifies that the vulnerability that was exploited in the data breach has been eliminated, that it is no longer possible to generate access tokens in the manner that was done in the data breach, and that all access tokens generated through the vulnerability that was exploited have been invalidated. Facebook's compliance with these commitments will be assessed annually by an independent third-party expert for a period of five years. Finally, Facebook agreed to pay $5,000 to the class representative.

Other Information

Consolidated Cases: No. C 18-06022 WHA (JSC); No. C 19-00117 WHA (JSC)


#138665
