November 16, 2020

On Sunday in the Northern District of California, United States District Judge William Alsup issued an order granting preliminary approval of a settlement between Facebook and the class of Facebook users affected by a 2018 data breach; under the settlement, Facebook has agreed to a set of security commitments for the next five years.

Specifically, the suit arose from a September 2018 Facebook hack, whereby “certain access tokens permitted access to Facebook users’ accounts, but a previously unknown vulnerability made these tokens sometimes visible to strangers. Hackers exploited this flaw in September 2018 to access 300,000 accounts. Once inside, the hackers ran two search queries. The first yielded the names and telephone numbers and/or e-mail addresses of fifteen million users worldwide (2.7 million in the United States). The second yielded more sensitive information on fourteen million users worldwide (1.2 million in the United States), including the original 300,000.” In February 2019, five named plaintiffs filed a consolidated complaint, but by August 2019 only plaintiff Stephen Adkins and two claims remained. The class certified for injunctive purposes is: “all current Facebook users residing in the United States whose personal information was compromised in the data breach announced by Facebook on September 28, 2018.”

The court noted that “a class settlement must offer fair, reasonable, and adequate relief.” Furthermore, “[p]reliminary approval is appropriate if ‘the proposed settlement appears to be the product of serious, informed, non-collusive negotiations, has no obvious deficiencies, does not improperly grant preferential treatment to class representatives or segments of the class, and falls within the range of possible approval.’”

Judge Alsup found that the settlement agreement for which the plaintiff sought preliminary approval “imposes a battery of security commitments to prevent future similar attacks.” For instance, Facebook must certify that the vulnerability used in the breach has been fixed, that access tokens can no longer be created in the manner used in the breach, and that access tokens created and granted through the exploited vulnerability are now invalid. Additionally, Facebook has undertaken a series of security commitments for the next five years to prevent future attacks, such as “increas[ing] the frequency of integrity checks on session updates to detect account compromises,” “implement[ing] new tools to detect suspicious patterns in the generation and use of access tokens across Facebook,” and “undergo[ing] annual SOC2 Type II security assessments,” among other measures. A third-party vendor will assess Facebook’s compliance with these commitments annually; the results will be confidential but shared with the court and with an expert who will verify Facebook’s compliance. On that basis, the court found the proposed settlement adequate.

In particular, Judge Alsup stated that the proposed settlement satisfies the main goal of injunctive relief in this suit, namely, “elimination of the vulnerability and Facebook’s commitment to security measures to protect not just class members but all Facebook users’ personal information.”

. . .

The plaintiff and class are represented by Cohen Milstein Sellers & Toll; Morgan & Morgan Complex Litigation Group; and Tadler Law.

The complete article can be viewed here.