Court Declines to Dismiss Data Breach Claims Against Facebook Based on Access Token Incident–Bass v. Facebook
Background: Facebook announced a vulnerability that allowed third parties to obtain “access tokens” for certain users. Specifically, if a particular user’s account had specific attributes, when the user utilizes the “view as” feature (which allows users to see how their timeline may appear to others), the html code would display the access token of the person whose view was simulated. Hackers allegedly accessed tokens for approximately seventy thousand users and, through this, obtained information regarding millions of users. Facebook did a forced log-out of potentially affected users, which you may have experienced personally.
A flurry of class action lawsuits ensued. Judge Alsup invited the parties to educate the court on the mechanics of personal information in the context of a data breach. (Here’s a YouTube link to the “tutorial” that the parties put on.) The cases were consolidated, and an amended complaint was filed. Facebook moved to dismiss for lack of standing and for failure to state a claim. The court analyzes the motion as to each named plaintiff.
Plaintiff Adkins: Facebook notified Adkins that he had been subject to a data breach. He alleged he faced a risk of future identity theft and also spent time dealing with the data breach. He also alleged loss of value of his personal information and failure to receive the benefit of the bargain.
Risk of Future Identity Theft: Adkins alleged that he received numerous phishing emails and text messages following the breach. Facebook responded that the information in question was not highly sensitive and was publicly available. The court says the information need not be highly sensitive to support standing based on risk of identity theft. The court cited to the Zappos identity theft case for the proposition that there’s no magic category of information that is required to assert standing:
We must not forget that the hackers did not merely attack Facebook and loot it. These hackers went out of their way to run search queries on 69,000 hacked accounts for the sole purpose of culling personal information from an additional 30 million people. The attackers’ cards have been revealed: the goal was not merely to attack, the goal was to take personal information on a mass scale. It is not too great a leap to assume, therefore, that their goal in targeting and taking this information was to commit further fraud and identity theft.
That each strand of information can be painstakingly collected through a mishmash of other sources is irrelevant. Facebook is a centralized location which stores personal information for billions of users. Constructing this information from random sources bit by bit, would be hard.
The court also cites to Sixth and Seventh Circuit cases (Galaria v. Nationwide Mutual; Remijas v. Neiman Marcus) and says that where a data breach targets personal information, common sense tells us that hackers are likely to misuse the data.
Loss of time: Ninth Circuit case law has not addressed whether loss of time spent on remediation is sufficient to establish Article III standing. The court cites to a 2018 case from the Seventh Circuit (Dieffenbach v. Barnes and Noble) for the proposition that loss of one’s own time can suffice for standing. At this stage, Adkins’s allegations suffice:
True, sorting through a few dozen e-mails may or may not have taken an hour to rectify and perhaps the time spent later proves de minimis. This story, however, has yet to end. As consequences of this data breach continue to unfold, so too, will plaintiff’s invested time. More phishing emails will pile up. At this stage, the time loss alleged suffices.
Plaintiff Bass: Unlike plaintiff Adkins, plaintiff Bass had not been notified by Facebook that his data was compromised. He cited to anecdotal evidence that he was also a victim of the breach, but the court says his allegations don’t suffice “to connect the dots.” Sure, he was logged-out forcibly, he received phone calls from people claiming to be his family members, and he received spam and phishing emails. However, Bass did not adequately allege that these actions were after the breach. In fact, his allegations as to timing pointed to events which pre-dated the breach.
Regarding the increased incidences of spam messages, the court says that this is typical of the experience of any social media user:
spam e-mails and fake friend requests simply occur to most, if not all, e-mail and social media users. They are too common and therefore cannot on their own establish causation here. To hold otherwise would effectively negate the standing requirement as to data breaches. Accordingly, although these occurrences may be evidence of having been the victim of a data breach, on their own, they cannot serve to connect plaintiff Bass to the data breach.
Thus, Bass didn’t put forth sufficient evidence to satisfy standing.
Facebook’s Limitation of Liability Clause: Facebook’s terms of service contains a broad limitation of liability clause. The court cites to a California statute restricting limitations of liability clauses that purport to exempt someone from fraud, willful injury, or a violation of law. Ultimately, the court says the question is one of unconscionability and fundamental unfairness. The court says that there’s nothing on its face unfair procedurally about Facebook’s terms of service. Users are not “forced to enroll in Facebook’s . . . service.” Based on this, the court dismisses the breach of contract and breach of confidence claims. The court does grant leave to allege facts regarding unconscionability.
The result is not the same for the negligence causes of action. Clauses restricting a party’s own liability for negligence are strictly construed. The limitation of liability clause does not mention negligence. The court says at the early stages, it doesn’t make sense to preclude negligence claims. Thus, the disclaimer in Facebook’s terms of service does not neutralize the negligence claims.
Negligence Claims: As to the negligence claims, the court says that plaintiffs alleged Facebook failed to comply with minimum data-security standards. Other companies set access tokens to expire quickly, but Facebook set them to last much longer. Facebook argued that it did not owe its users a special duty of care (cf. Beckman v. Match), but the court says the factors for when a duty is owed are satisfied here.
Unfair Competition Claims: An unfair competition claim requires a plaintiff to have suffered economic harm, and specifically, that plaintiff has paid something of value to defendant. The court says this is not satisfied here. While there is a vague allegation that personal information was turned over to Facebook, there is no specific allegation that there is a market for this information (or it’s specifically valuable to him). Similarly, plaintiff fails to allege a benefit-of-the-bargain injury. This seems like a tough claim to make given that Facebook is a free service, but other judges have envisioned such a claim in similar circumstances.
__
This is obviously a mixed ruling for Facebook. On the one hand, the court takes a very broad view of what loss of information is required to allege standing. Maybe things have changed over the years? Maybe judges are also human, and are not immune from the constant drip of news of privacy-shenanigans Facebook seems to engage in. There’s a paragraph in the background section where the court details numerous Facebook privacy breaches over time, and also references the FTC consent decree. The court is clearly concerned about Facebook’s privacy practices generally.
On the other hand, the fact that the court is willing to look to the terms of service-based disclaimer to knock out the contract-based claims is a big deal. As to these claims, plaintiffs don’t need to show fault or a breach of duty, so Facebook is surely happy to have them out of the picture.
News reports about the oral arguments said Judge Alsup questioned the parties sharply on the significance of Facebook offering a service that is free. He appears to have largely sided with Facebook on this question, judging from his ruling on the unfair competition claim.
Facebook must now deal with discovery, the scope of which is sure to be contested.
Case citation: Bass v. Facebook, 2019 US Dist LEXIS 104488 (N.D. Cal. June 21, 2019)
Related posts:
Facebook Defeats Lawsuit Over Tracking Logged-Out Users–In re Facebook Internet Tracking
On Remand, Ninth Circuit Says Robins Satisfied Article III Standing
“Manufactured” TCPA Suit Fails For Lack of Standing
Seventh Circuit: Data Breach Victims Have Standing Based on Future Harm
Android and Pandora Privacy Rulings Accept Low Hurdle for Standing
9th Circuit Says Plaintiff Had Standing to Sue Spokeo for Fair Credit Reporting Violations
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn