Adkins v. Facebook, Inc.

Filing 314


Download PDF
1 2 3 4 5 UNITED STATES DISTRICT COURT 6 7 NORTHERN DISTRICT OF CALIFORNIA 8 9 10 11 STEPHEN ADKINS, on behalf of himself and those similarly situated, No. C 18-05982 WHA United States District Court Northern District of California Plaintiffs, 12 v. 13 14 FACEBOOK, INC., Defendant. ORDER GRANTING PRELIMINARY SETTLEMENT APPROVAL 15 16 INTRODUCTION 17 In this data-breach class action, plaintiffs move for preliminary approval of a class 18 settlement agreement. The proposal appearing non-collusive and within the realm of 19 approvable, the motion is GRANTED. 20 STATEMENT 21 This case arises from the September 2018 hack of Facebook. A prior order detailed the 22 facts (Dkt. No. 153). In brief, certain access tokens permitted access to Facebook users’ 23 accounts, but a previously unknown vulnerability made these tokens sometimes visible to 24 strangers. Hackers exploited this flaw in September 2018 to access 300,000 accounts. Once 25 inside, the hackers ran two search queries. The first yielded the names and telephone numbers 26 and/or e-mail addresses of fifteen million users worldwide (2.7 million in the United States). 27 28 1 The second yielded more sensitive information on fourteen million users worldwide (1.2 million 2 in the United States), including the original 300,000. 3 In February 2019, five named plaintiffs filed a consolidated complaint asserting several 4 claims. Following consolidation and motion practice, in August 2019, only one named plaintiff, 5 Stephen Adkins, and two claims remained. Six months later, plaintiff Adkins sought to certify a 6 class of affected Facebook users. The motion outlined three classes under Rule 23(b)(2), Rule 7 23(b)(3), and Rule 23(c)(4). A November 2019 order certified a worldwide class for injunctive 8 purposes only (Dkt. No. 260). One month later, on the parties’ motion, a December 19 order 9 limited the injunctive class to users within the United States and removed the requirement of class notice via first-class mail (Dkt. No. 271). The certified class for injunctive purposes only 11 United States District Court Northern District of California 10 became: 12 13 All current Facebook users residing in the United States whose personal information was compromised in the data breach announced by Facebook on September 28, 2018. 14 On January 8, under the supervision of Chief Magistrate Judge Joseph Spero, the parties 15 reached a settlement in principle (Dkt. No. 281). During the settlement conference, the parties 16 discussed potential security commitments Facebook could make as part of a settlement. 17 Following those discussions, with the assistance of plaintiff’s expert, the parties reached a final 18 set of security commitments and came to a proposed settlement agreement. Plaintiff now 19 moves for preliminary approval of the settlement agreement and to direct notice of the 20 settlement. This order follows briefing and oral argument. 21 ANALYSIS 22 Our court of appeals maintains a “strong judicial policy” in favor of settlement of 23 “complex class action litigation.” Class Plaintiffs v. City of Seattle, 955 F.2d 1268, 1276 (9th 24 Cir. 1992). But a class settlement must offer fair, reasonable, and adequate relief. Lane v. 25 Facebook, Inc., 696 F.3d 811, 818 (9th Cir. 2012). Preliminary approval is appropriate if “the 26 proposed settlement appears to be the product of serious, informed, non-collusive negotiations, 27 has no obvious deficiencies, does not improperly grant preferential treatment to class 28 representatives or segments of the class, and falls within the range of possible approval.” In re 2 1 Tableware Antitrust Litig., 484 F. Supp. 2d 1078, 1079 (N.D. Cal. 2007) (Chief Judge Vaughn 2 Walker). 3 The proposed settlement imposes a battery of security commitments to prevent future 4 similar attacks. Facebook will certify that the vulnerability exploited in the breach has been 5 eliminated, that it is no longer possible to generate access tokens in the manner that was done in 6 the breach, and that all access tokens generated through the vulnerability have been invalidated. 7 Then, for the next five years, Facebook will adopt the following security commitments to 8 prevent future attacks: 9 10 United States District Court Northern District of California 11 12 13 (1) Increase the frequency of integrity checks on session updates to detect account compromises. (2) Implement new tools to detect suspicious patterns in the generation and use of access tokens across Facebook. (3) Implement new tools to help Facebook promptly contain a security incident involving the improper issuance of access tokens. 14 (4) Implement automatic alerts for specified types of suspicious activity to ensure prompt response. 15 (5) Undergo annual SOC2 Type II security assessments. 16 (6) Limit the capabilities of applications that rely on access tokens. 17 18 19 20 21 (7) Eliminate “NoConfidence authentication proofs” and require cryptographic proofs of valid logins before generating credentials. (8) Employ at least one senior security executive with direct reporting authority and obligations to Facebook’s Board of Directors. 22 (9) Expand the logging of access token generation and use metadate to facilitate the detection, investigation, and identification of the compromise of user access tokens. 23 Compliance with these commitments will be assessed annually by an “unbiased, independent 24 third-party vendor selected by Facebook,” though with class counsel’s approval. Other than 25 sharing the results with the Court and an expert retained to verify compliance, class counsel will 26 keep the results confidential. For the present purposes, the proposed settlement is adequate. 27 First, this proposal provides the primary injunctive goal of this suit: elimination of the 28 vulnerability and Facebook’s commitment to security measures to protect not just class 3 1 members but all Facebook users’ personal information. Seven of the nine commitments reflect 2 voluntary measures implemented in response to the breach intended to detect, investigate, 3 contain, and prevent access-token theft or abuse. The remaining two (numbers 5 and 8) reflect 4 previously existing practices that Facebook has committed to continuing as part of the proposal. 5 Following the hearing, Facebook submitted a sworn declaration verifying that none of the 6 security measures have been undertaken as a result of any other court order or regulatory 7 directive. 8 9 Second, the proposal ensures Facebook’s commitment to these measures for the next five years under external assessment. Given Facebook has already voluntarily implemented the security measures, this external oversight becomes the real value for the class. Facebook will 11 United States District Court Northern District of California 10 provide the results of the security assessment to class counsel, a third-party expert, and the 12 Court. Moreover, the ongoing review ensures the continued efficacy of the agreement. Should 13 legal or technological developments render any provision of the proposal obsolete, the parties 14 will work to update the settlement agreement. 15 Third, the proposal appears to be the product of serious, non-collusive negotiations. Class 16 counsel’s fees and costs, and Mr. Adkins’s service award are appropriately reserved for the 17 Court’s discretion at final approval. Facebook may oppose counsel’s fee request and, given the 18 relief here is injunctive, class counsel’s fee will not detract from plaintiffs’ recovery. The 19 proposed scope of waiver is adequately narrow. Plaintiffs agree to waive all injunctive or 20 declaratory relief claims made in this case, but retain all claims for damages, with the exception 21 of plaintiff Adkins, who releases all claims in exchange for his service award. And, as it 22 provides for uniform injunctive relief, the proposal treats class members equitably relative to 23 each other. 24 Fourth, notice to the class is “reasonably calculated, under all the circumstances, to 25 apprise interested parties of the pendency of the action and afford them an opportunity to 26 present their objections.” Mullane v. Central Hanover Bank & Tr. Co., 339 U.S. 306, 314 27 (1950). A prior order approved the notice program (Dkt. No. 271). Class notice will be 28 distributed via the email addresses linked to the class members’ Facebook accounts, via reverse 4 1 phone look-up to identify the few Facebook users who did not input their email address, a 2 dedicated website, social media campaigns, internet banner ads, and a traditional media 3 campaign. Counsel have selected Angeion Group, whom the undersigned has recently 4 approved as administrator in another case, as the class administrator here. See In re Glumetza 5 Antitrust Litigation¸ No. C 19-05822 WHA, Dkt. No. 389 (N.D. Cal. Oct. 15, 2020). Following the hearing, the parties have appropriately simplified the process for plaintiffs 7 to object to the proposed settlement. However, the proposed notice requires three more minor 8 changes. Counsel shall please clarify that a class member need only mail an objection letter to 9 one of the several addresses for the class administrator and class counsel. Then, given the 10 impact of COVID-19, the proposed notice shall please indicate both that the final approval 11 United States District Court Northern District of California 6 hearing may take place telephonically and that the Clerk’s office hours have also been 12 impacted. If in the coming months it appears that an in-person fairness hearing will be out of 13 the question due to public health, the Court will appreciate counsel’s assistance in providing a 14 certain number of class members the opportunity to speak at the hearing by phone, should they 15 wish. 16 17 * * * The parties seek to seal several documents submitted in support of the proposed settlement 18 (Dkt. Nos. 280, 296, 299). Public policy heartily favors openness in our court system as the 19 public is entitled to know to whom we are providing relief (or not). See Kamakana v. City & 20 Cty. of Honolulu, 447 F.3d 1172, 1179–80 (9th Cir. 2006). Generally, “a court may seal records 21 only when it finds a compelling reason and articulates the factual basis for its ruling, without 22 relying on hypothesis or conjecture.” Ctr. for Auto Safety v. Chrysler Grp., 809 F.3d 1092, 23 1096–97 (9th Cir. 2016) (quotations and citations omitted). 24 Facebook asserts that malicious actors with public access to this information could 25 leverage it to evade Facebook’s security systems and circumvent detection, endangering user 26 information. The redactions are limited to specific testing parameters and triggering events that, 27 although important, are not so determinative of the relief afforded that a meaningful evaluation 28 of the proposal cannot be made without them. Against the risk of endangering the user 5 1 information this relief is designed to protect, narrow redactions are warranted. To the following 2 extent, the motions are GRANTED and the following redactions approved: 3 4 5 6 7 (1) Facebook’s proposed and limited redaction to “Exhibit 1 — Facebook’s Security Commitments” (Dkt. Nos. 280-3, 285-1). (2) The proposed redactions to sub-exhibit A-1, of exhibit 6, to plaintiffs’ supplemental brief (Dkt. No. 296-3). (3) Facebook’s proposed redactions to the Bream declaration (Dkt. No. 299). CONCLUSION 8 The proposed settlement falling within the realm of adequate, preliminary approval is 9 GRANTED. The settlement administrator and notice plan are APPROVED. Class notice shall be 10 disseminated by DECEMBER 30. Counsel shall move for final approval, fees, costs, and for Mr. United States District Court Northern District of California 11 Adkins’s service award by FEBRUARY 8, 2021. Class member objections are due MARCH 8. 12 Counsel shall promptly arrange to pick-up any objections mailed to the Court and shall reply to 13 the objections by MARCH 26. In the meantime, the affidavit attesting to the dissemination of 14 class notice is due MARCH 24. The final approval hearing is set for APRIL 8 AT 11:00 A.M. 15 IT IS SO ORDERED. 16 17 Dated: November 15, 2020. 18 19 20 WILLIAM ALSUP UNITED STATES DISTRICT JUDGE 21 22 23 24 25 26 27 28 6

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

Why Is My Information Online?