District Court (Cal.) Certifies Injunctive Data Breach Class Against Facebook, but Denies Certification of Damages Class

In Adkins v. Facebook, Inc., No. C 18-05982-WHA, 2019 U.S. Dist. LEXIS 206271 (N.D. Cal. Nov. 26, 2019), Judge Alsup granted in part and denied in part a data breach class.

This is a putative class action by plaintiff Stephen Adkins against defendant Facebook, Inc. Plaintiff asserts a claim for negligence based on Facebook’s alleged faulty security practices in collecting and storing plaintiff’s information. These faulty practices allegedly allowed hackers to break into Facebook’s platform and pilfer the personal information of 29 million Facebook users worldwide, including more than four million users in the United States. The operative complaint seeks relief in the form of a credit monitoring service for the victims, in addition to compensatory, statutory, and punitive damages. The operative complaint also seeks declaratory relief. . .  In brief, when three features on Facebook’s platform interacted, “access tokens” became visible. Similar to a password, access tokens permitted users to enter their account. Once these access tokens became visible, those accounts became vulnerable to entry by strangers. In this way, the hackers entered 300,000 accounts in September 2018 (Bream Decl. ¶¶ 11-17; Amd. Compl. ¶¶ 95-97, 100) (Dkt. Nos. 97; 193) The hackers ran two separate search queries from within these 300,000 accounts. The first yielded the names and telephone numbers and/or e-mail addresses of fifteen million users worldwide (2.7 million in the United States). The second yielded more sensitive information on fourteen million users worldwide (1.2 million in the United States). The information taken from this second group included names, telephone numbers, e-mail addresses, gender, date of birth, and, to the extent the fields were populated, workplace, education, relationship status, religious views, hometown, self-reported current city, and website. Within this second group, the hackers also obtained the user’s locale and language, the type of device used by the user to access Facebook, the last ten places the user was “tagged” in or “checked into” on Facebook, the people or pages on Facebook followed by the user, and the user’s fifteen most recent searches using the Facebook search bar. The original 300,000 users who had  their accounts entered into also had the same information taken as this second group (Bream Decl. ¶¶ 10-12, 18-19). . . .Plaintiff now seeks to certify a class of all Facebook users whose personal information became part of the September 2018 data breach.

Judge Alsup found no basis to certify a damages class.

While plaintiff Adkins has standing to sue based on his increased risk of future identity theft, in California, this risk alone does not rise to the level of appreciable harm to assert a negligence claim. California has long held that “[i]t is fundamental that a negligent act is not actionable unless it results in injury to another.” Fields v. Napa Milling Co., 164 Cal. App. 2d 442, 447, 330 P.2d 459 (1958). California also holds that “[n]ominal damages, to vindicate a technical right, cannot be recovered in a negligence action, where no actual loss has occurred.” Id. at 448. In addition, in a different context, the California Supreme Court has indicated that the mere threat of future harm is insufficient. See Jordache Enters., Inc. v. Brobeck, Phleger & Harrison, 18 Cal. 4th 739, 743, 76 Cal. Rptr. 2d 749, 958 P.2d 1062 (1998). No binding decision has ever decided whether or not future harms from a data breach can anchor a claim for negligence. In California, such an exception would follow from an already recognized exception to the present harm requirement, namely the cost of future medical monitoring due to an exposure to toxic chemicals. Potter v. Firestone Tire & Rubber Co., 6 Cal. 4th 965, 1009, 25 Cal. Rptr. 2d 550, 863 P.2d 795 (1993). The weight of persuasive decisions militates against extending this exception to cases like ours. In a non-precedential decision, our court of appeals applied Arizona law to reject extending medical monitoring to credit monitoring in a data breach when the plaintiff did not present any actual evidence of identity theft. Stollenwerk v. Tri-West Health Care All., 254 F. App’x 664, 665-67 (9th Cir. 2007). In Ruiz v. Gap, Inc., Judge Samuel Conti relied on Stollenwerk to reject that the medical monitoring exception would apply to credit monitoring under California law. Judge Conti opined that medical monitoring was a personal injury permitted to protect public health, but “[t]here is no such public health interest at stake in lostdata cases.” 622 F. Supp. 2d 908, 914-15 (N.D. Cal. 2009), aff’d, 380 F. App’x 689 (9th Cir. 2010). Judge Conti’s decision was upheld on appeal on other grounds. Since these decisions, Judge Gary Klausner and Judge Richard Seeborg have extended the medical monitoring exception to credit monitoring. Corona v. Sony Pictures Entm’t, Inc., No. 14-CV-09600 RGK (Ex), 2015 U.S. Dist. LEXIS 85865, 2015 WL 3916744, at *5 (C.D. Cal. June 15, 2015) (Judge Gary Klausner); Castillo v. Seagate Tech., LLC, No. 16-cv-01958-RS, 2016 U.S. Dist. LEXIS 187428, 2016 WL 9280242, at *4 (N.D. Cal. Sept. 14, 2016) (Judge Richard Seeborg). The undersigned judge would be inclined to follow these decisions and hold credit monitoring available to data breach victims. Yet, even these decisions cannot help plaintiff Adkins here. Specifically, Judge Klausner permitted “costs already incurred, including costs associated with credit monitoring,” and specifically dismissed the negligence theory of an increased risk of future harm. Corona, 2015 U.S. Dist. LEXIS 85865, 2015 WL 3916744, at *4-5 (emphasis added). Judge Richard Seeborg also held that “[t]hose who have incurred such out-of-pocket expenses have pleaded cognizable injuries, whereas those who claim only that they may incur expenses in the future have not.” Castillo, 2016 U.S. Dist. LEXIS 187428, 2016 WL 9280242, at *4. This dividing line is further supported by another non-precedential decision by our court of appeals. In Krottner v. Starbucks, Corporation, our court of appeals applied Washington law to dismiss a data breach claim for negligence because there was only the risk of future identity theft. 406 F. App’x 129, 131 (9th Cir. 2010). Because the claim for negligence could not proceed merely on such risk, our court of appeals expressly did not reach the issue of whether credit monitoring would be appropriate. Id. at 131-32. One district judge relied on this decision to dismiss a California negligence claim in the context of a data breach. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 963 n.17 (S.D. Cal. 2012) (Judge Anthony Battaglia) (California and Washington law not “materially different”). So too here. Plaintiff Adkins has incurred zero out-of-pocket expenses as a result of this breach. The time he spent reacting to this data breach may be recoverable as damages in its own right, but has no relationship to the remedy of future credit monitoring. To the contrary, [TEXT REDACTED BY THE COURT]. On the evidence presented, therefore, no decision supports that plaintiff Adkins can allege a viable negligence claim under a credit monitoring theory. If some members of the class bought credit monitoring because of this data breach, perhaps they can assert such a claim. Plaintiff Adkins, however, is not a member of the class he seeks to represent. He therefore cannot represent the class on this theory…”When appropriate,” Rule 23(c)(4) allows a court discretion to certify an action “as a class action with respect to particular issues.” The text does not explain when such a class would be appropriate. Here, plaintiff seeks certification of damages claims for lost time. Duty and breach would be tried on a common basis. Causation and damages would be tried individually. This order agrees with  Facebook that “issue certification is not appropriate where the determination of liability itself requires an individualized inquiry” (Dkt. No. 215 at 25 quoting 1 McLaughlin on Class Actions § 4:43 (15th ed. 2018)). That is, bifurcating elements of liability “does not materially advance the overall disposition of the case because” the court must still consider “plaintiff-specific matters such as fact of injury, causation . . . and extent of damage” (ibid. quoting McLaughlin, supra). Plaintiff’s request to certify an issues-only class under Rule 23(c)(4) is Denied.

However, Judge Alsup certified an FRCP 23b2 injunctive relief class.

What plaintiff seeks, on behalf of the class is, as follows. First, a declaration that Facebook’s existing security measures do not comply with its duties of care to provide adequate security. Second, to comply with its duties of care, Facebook must implement and maintain reasonable security measures, including that Facebook engage third-party security auditors/penetration testers as well as internal security personnel to conduct testing, including simulated attacks, penetration tests, and audits on Facebook’s systems on a periodic basis, and ordering Facebook to promptly correct any problems or issues detected by such third-party security auditors (Dkt. No. 193 ¶ 221). In addition, plaintiff seeks an order that Facebook engage third-party security auditors and internal personnel to run automated security monitoring. Any final order may also embed a monitor into Facebook’s headquarters. Other requested relief includes: ordering that Facebook audit, test, and train its security personnel regarding any new or modified procedures; ordering that Facebook user applications be segmented by, among other things, creating firewalls and access controls so that if one area is compromised, hackers cannot gain access to other portions of Facebook’s systems; ordering that Facebook conduct regular database scanning and securing checks; ordering that Facebook routinely and continually conduct internal training and education to inform internal security personnel how to identify and contain a breach when it occurs and what to do in response to a breach; and ordering Facebook to meaningfully educate its users about the threats they face as a result of the loss of their financial and private information to third parties, as well as the steps Facebook users must take to protect themselves (ibid.). Facebook argues that plaintiff does not have standing to allege prospective injunctive relief because Facebook has fixed the bug that caused the data breach. This order holds that Facebook’s repetitive losses of users’ privacy supplies a long-term need for supervision, at least at the Rule 23 stage. At this stage, there is a likelihood of future harm to warrant potential relief. Plaintiff has standing. Nor must plaintiffs specify the precise injunctive relief they will ultimately seek at the class certification stage.” B.K. by next friend Tinsley v. Snyder, 922 F.3d 957, 972 (9th Cir. 2019). Rule 23(b)(2) “[o]rdinarily will be satisfied when plaintiffs have described the general contours of an injunction that would provide relief to the whole class, that is more specific than a bare injunction to follow the law, and that can be given greater substance and specificity at an appropriate stage in the litigation through fact-finding, negotiations, and expert testimony.” Parsons v. Ryan, 754 F.3d 657, 689 n.35 (9th Cir. 2014). Here, under these circumstances, the requested relief of an order compelling Facebook to promptly correct any problems or issues detected by such third-party security auditors outlines the “general contours” of the requested injunction at this stage. A more specific remedy can be fashioned later in this litigation. Facebook ultimately has not sufficiently shown otherwise that “crafting uniform  injunctive relief will be impossible.” B.K., 922 F.3d at 973. Rule 23(b)(2) is satisfied. Plaintiff’s motion to certify a Rule 23(b)(2) class is Granted.