Class Action Complaint, Carla Echavarria and Derrick Walker v. Facebook, Inc., No. 5:18-cv-05982 (N.D. Cal. Sept. 28, 2018), complaint hosted by SCRIBD.
On September 28, Facebook announced it had discovered a security breach three days earlier that had affected 50 million users. According to Facebook’s press release, the hackers capitalized on three different bugs in the “View As” feature to steal users’ “access tokens,” which are the “equivalent of digital keys” to an account. Facebook has not yet identified who the hackers are.
Mere hours later, individuals Carla Echavarria and Derrick Walker filed a class action suit against Facebook, Inc. (“Facebook”) in the U.S. District Court for the Northern District of California. The complaint was filed on behalf of all persons in the United States with a Facebook account whose personal data was compromised, with an additional claim for a California resident subclass. The complaint suggests that information including “names, email address, recovery email accounts, telephone numbers, birthdates, passwords, and security question answers” was exposed to hackers. The plaintiffs claim that Facebook collects and stores users’ personal information, and that its inadequate data security measures and policies allowed the “massive breach.”
The complaint alleges that Facebook not only failed to uphold its duty to store users’ personal information securely but also falsely represented the security of its databases to users. More specifically, the complaint lists four general claims for relief, including unlawful business practice, deceit by concealment, and negligence; it also states an additional claim for relief for the California Subclass under the Consumer Records Act for inadequate security. The plaintiffs seek compensatory and punitive damages, among other remedies.
Beyond being the worst data breach in Facebook’s history, this incident also comes on the heels of other news about Facebook’s controversial use of private data. Both Facebook’s heavily scrutinized role during the 2016 Presidential Election and the Cambridge Analytica controversy, where the data of millions of Facebook users was mined without permission, have sparked many debates about how much control individual users have over their own data. As commentators have noted, however, Facebook’s most recent breach was the result of a hack, not poor policy, making it fundamentally different from the Cambridge Analytica scandal but no less pressing. Other data breaches in the past few years (such as Equifax and Target) have heightened public anxiety and generated additional pressure on entities that store personal data to do so in a way that exercises reasonable care and foresight.
One likely outcome of this class action suit is a stronger call for government regulation of data security. Leaders like Sen. Mark Warner (D-VA) have said that Congress should “take action and protect the privacy and security of social media users,” and the congressional hearings investigating Facebook earlier this year have already begun to raise questions about the form such regulations might take. In addition to any American governmental regulation, Facebook may also be subject to up to $1.6 billion in fines in the European Union because of the breach.
And how has Facebook responded? First and foremost, it fixed the technical vulnerability found in the three bugs. It then notified the 50 million people directly affected by the breach, and it also required an additional 40 million to log into their accounts again as a precautionary measure. Facebook also informed both law enforcement and all users of the breach. But is this enough to convince the public that Facebook is protecting users’ data effectively? The ongoing response to both the breach and the class action lawsuit will be well worth watching as a potential bellwether for the future of data security.