Adkins v. Facebook, Inc.
Filing
314
ORDER GRANTING 281 MOTION FOR PRELIMINARY APPROVAL. SIGNED BY JUDGE ALSUP. (whalc2, COURT STAFF) (Filed on 11/15/2020)
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
STEPHEN ADKINS, on behalf of himself
and those similarly situated,
Plaintiffs,
v.
FACEBOOK, INC.,
Defendant.
No. C 18-05982 WHA
ORDER GRANTING PRELIMINARY SETTLEMENT APPROVAL
INTRODUCTION
In this data-breach class action, plaintiffs move for preliminary approval of a class
settlement agreement. The proposal appearing non-collusive and within the realm of
approvable, the motion is GRANTED.
STATEMENT
This case arises from the September 2018 hack of Facebook. A prior order detailed the
facts (Dkt. No. 153). In brief, certain access tokens permitted access to Facebook users’
accounts, but a previously unknown vulnerability made these tokens sometimes visible to
strangers. Hackers exploited this flaw in September 2018 to access 300,000 accounts. Once
inside, the hackers ran two search queries. The first yielded the names and telephone numbers
and/or e-mail addresses of fifteen million users worldwide (2.7 million in the United States).
The second yielded more sensitive information on fourteen million users worldwide (1.2 million
in the United States), including the original 300,000.
In February 2019, five named plaintiffs filed a consolidated complaint asserting several
claims. Following consolidation and motion practice, in August 2019, only one named plaintiff,
Stephen Adkins, and two claims remained. Six months later, plaintiff Adkins sought to certify a
class of affected Facebook users. The motion outlined three classes under Rule 23(b)(2), Rule
23(b)(3), and Rule 23(c)(4). A November 2019 order certified a worldwide class for injunctive
purposes only (Dkt. No. 260). One month later, on the parties’ motion, a December 19 order
limited the injunctive class to users within the United States and removed the requirement of
class notice via first-class mail (Dkt. No. 271). The certified class for injunctive purposes only
became:
All current Facebook users residing in the United States whose
personal information was compromised in the data breach
announced by Facebook on September 28, 2018.
On January 8, under the supervision of Chief Magistrate Judge Joseph Spero, the parties
reached a settlement in principle (Dkt. No. 281). During the settlement conference, the parties
discussed potential security commitments Facebook could make as part of a settlement.
Following those discussions, with the assistance of plaintiff’s expert, the parties reached a final
set of security commitments and came to a proposed settlement agreement. Plaintiff now
moves for preliminary approval of the settlement agreement and to direct notice of the
settlement. This order follows briefing and oral argument.
ANALYSIS
Our court of appeals maintains a “strong judicial policy” in favor of settlement of
“complex class action litigation.” Class Plaintiffs v. City of Seattle, 955 F.2d 1268, 1276 (9th
Cir. 1992). But a class settlement must offer fair, reasonable, and adequate relief. Lane v.
Facebook, Inc., 696 F.3d 811, 818 (9th Cir. 2012). Preliminary approval is appropriate if “the
proposed settlement appears to be the product of serious, informed, non-collusive negotiations,
has no obvious deficiencies, does not improperly grant preferential treatment to class
representatives or segments of the class, and falls within the range of possible approval.” In re
Tableware Antitrust Litig., 484 F. Supp. 2d 1078, 1079 (N.D. Cal. 2007) (Chief Judge Vaughn
Walker).
The proposed settlement imposes a battery of security commitments to prevent future
similar attacks. Facebook will certify that the vulnerability exploited in the breach has been
eliminated, that it is no longer possible to generate access tokens in the manner that was done in
the breach, and that all access tokens generated through the vulnerability have been invalidated.
Then, for the next five years, Facebook will adopt the following security commitments to
prevent future attacks:
(1) Increase the frequency of integrity checks on session updates
to detect account compromises.
(2) Implement new tools to detect suspicious patterns in the
generation and use of access tokens across Facebook.
(3) Implement new tools to help Facebook promptly contain a
security incident involving the improper issuance of access tokens.
(4) Implement automatic alerts for specified types of suspicious
activity to ensure prompt response.
(5) Undergo annual SOC2 Type II security assessments.
(6) Limit the capabilities of applications that rely on access
tokens.
(7) Eliminate “NoConfidence authentication proofs” and require
cryptographic proofs of valid logins before generating credentials.
(8) Employ at least one senior security executive with direct
reporting authority and obligations to Facebook’s Board of
Directors.
(9) Expand the logging of access token generation and use
metadata to facilitate the detection, investigation, and identification
of the compromise of user access tokens.
Compliance with these commitments will be assessed annually by an “unbiased, independent
third-party vendor selected by Facebook,” though with class counsel’s approval. Other than
sharing the results with the Court and an expert retained to verify compliance, class counsel will
keep the results confidential. For the present purposes, the proposed settlement is adequate.
First, this proposal provides the primary injunctive goal of this suit: elimination of the
vulnerability and Facebook’s commitment to security measures to protect not just class
members but all Facebook users’ personal information. Seven of the nine commitments reflect
voluntary measures implemented in response to the breach intended to detect, investigate,
contain, and prevent access-token theft or abuse. The remaining two (numbers 5 and 8) reflect
previously existing practices that Facebook has committed to continuing as part of the proposal.
Following the hearing, Facebook submitted a sworn declaration verifying that none of the
security measures have been undertaken as a result of any other court order or regulatory
directive.
Second, the proposal ensures Facebook’s commitment to these measures for the next five
years under external assessment. Given Facebook has already voluntarily implemented the
security measures, this external oversight becomes the real value for the class. Facebook will
provide the results of the security assessment to class counsel, a third-party expert, and the
Court. Moreover, the ongoing review ensures the continued efficacy of the agreement. Should
legal or technological developments render any provision of the proposal obsolete, the parties
will work to update the settlement agreement.
Third, the proposal appears to be the product of serious, non-collusive negotiations. Class
counsel’s fees and costs, and Mr. Adkins’s service award are appropriately reserved for the
Court’s discretion at final approval. Facebook may oppose counsel’s fee request and, given the
relief here is injunctive, class counsel’s fee will not detract from plaintiffs’ recovery. The
proposed scope of waiver is adequately narrow. Plaintiffs agree to waive all injunctive or
declaratory relief claims made in this case, but retain all claims for damages, with the exception
of plaintiff Adkins, who releases all claims in exchange for his service award. And, as it
provides for uniform injunctive relief, the proposal treats class members equitably relative to
each other.
Fourth, notice to the class is “reasonably calculated, under all the circumstances, to
apprise interested parties of the pendency of the action and afford them an opportunity to
present their objections.” Mullane v. Central Hanover Bank & Tr. Co., 339 U.S. 306, 314
(1950). A prior order approved the notice program (Dkt. No. 271). Class notice will be
distributed via the email addresses linked to the class members’ Facebook accounts, via reverse
phone look-up to identify the few Facebook users who did not input their email address, a
dedicated website, social media campaigns, internet banner ads, and a traditional media
campaign. Counsel have selected Angeion Group, whom the undersigned has recently
approved as administrator in another case, as the class administrator here. See In re Glumetza
Antitrust Litigation, No. C 19-05822 WHA, Dkt. No. 389 (N.D. Cal. Oct. 15, 2020).
Following the hearing, the parties have appropriately simplified the process for plaintiffs
to object to the proposed settlement. However, the proposed notice requires three more minor
changes. Counsel shall please clarify that a class member need only mail an objection letter to
one of the several addresses for the class administrator and class counsel. Then, given the
impact of COVID-19, the proposed notice shall please indicate both that the final approval
hearing may take place telephonically and that the Clerk’s office hours have also been
impacted. If in the coming months it appears that an in-person fairness hearing will be out of
the question due to public health, the Court will appreciate counsel’s assistance in providing a
certain number of class members the opportunity to speak at the hearing by phone, should they
wish.
* * *
The parties seek to seal several documents submitted in support of the proposed settlement
(Dkt. Nos. 280, 296, 299). Public policy heartily favors openness in our court system as the
public is entitled to know to whom we are providing relief (or not). See Kamakana v. City &
Cty. of Honolulu, 447 F.3d 1172, 1179–80 (9th Cir. 2006). Generally, “a court may seal records
only when it finds a compelling reason and articulates the factual basis for its ruling, without
relying on hypothesis or conjecture.” Ctr. for Auto Safety v. Chrysler Grp., 809 F.3d 1092,
1096–97 (9th Cir. 2016) (quotations and citations omitted).
Facebook asserts that malicious actors with public access to this information could
leverage it to evade Facebook’s security systems and circumvent detection, endangering user
information. The redactions are limited to specific testing parameters and triggering events that,
although important, are not so determinative of the relief afforded that a meaningful evaluation
of the proposal cannot be made without them. Against the risk of endangering the user
information this relief is designed to protect, narrow redactions are warranted. To the following
extent, the motions are GRANTED and the following redactions approved:
(1) Facebook’s proposed and limited redaction to “Exhibit 1 —
Facebook’s Security Commitments” (Dkt. Nos. 280-3, 285-1).
(2) The proposed redactions to sub-exhibit A-1, of exhibit 6, to
plaintiffs’ supplemental brief (Dkt. No. 296-3).
(3) Facebook’s proposed redactions to the Bream declaration (Dkt.
No. 299).
CONCLUSION
The proposed settlement falling within the realm of adequate, preliminary approval is
GRANTED. The settlement administrator and notice plan are APPROVED. Class notice shall be
disseminated by DECEMBER 30. Counsel shall move for final approval, fees, costs, and for Mr.
Adkins’s service award by FEBRUARY 8, 2021. Class member objections are due MARCH 8.
Counsel shall promptly arrange to pick-up any objections mailed to the Court and shall reply to
the objections by MARCH 26. In the meantime, the affidavit attesting to the dissemination of
class notice is due MARCH 24. The final approval hearing is set for APRIL 8 AT 11:00 A.M.
IT IS SO ORDERED.
Dated: November 15, 2020.
WILLIAM ALSUP
UNITED STATES DISTRICT JUDGE