Facebook should not face financial damage claims after the hack of 29 million accounts, but users can press for better security
A US federal judge has ruled that Facebook should not face financial damages in a lawsuit over the theft of user data by hackers last year.
Facebook was slapped with the lawsuit in August this year, after a breach in September 2018, when hackers were able to steal data from the Facebook accounts of 29 million people.
Facebook initially thought that the hackers had accessed 50 million accounts, but after an investigation the company revised this figure down to 29 million accounts.
The hackers were able to access a range of data depending on what people had on their profiles.
The stolen data included names and contact details (phone number, email, etc.); and in some cases username; gender; locale/language; relationship status; religion; hometown; self-reported current city; birthdate; device types used to access Facebook; education; work; the last 10 places they checked into or were tagged in; website, people or Pages they follow; and the 15 most recent searches.
The lawsuit had been filed in the US District Court for the Northern District of California in San Francisco.
But Reuters has now reported that US District Judge William Alsup in San Francisco on Tuesday night ruled that neither credit monitoring costs nor the reduced value of stolen personal information was a “cognizable injury” that supported a class action for damages.
Judge Alsup also said damages for time users spent to mitigate harm required individualized determinations rather than a single classwide assessment.
However, he did permit affected users to sue as a group to require Facebook to employ automated security monitoring, improve employee training, and educate people better about hacking threats.
Judge Alsup also reportedly rejected Facebook’s claim that these were unnecessary because it had fixed the bug that caused the breach.
“Facebook’s repetitive losses of users’ privacy supplies a long-term need for supervision,” at least at this stage of the litigation, Alsup wrote.
Allowing a damages class action could have exposed Facebook to a higher total payout.
Lawyers for the Facebook users, as well as Facebook itself, did not respond to a Reuters request for comment.
It is not clear how many of those hacked are in Europe, but the data breach does raise the nightmare possibility for Facebook’s management of a General Data Protection Regulation (GDPR) fine in Europe.
The Irish Data Protection Commission, which is acting as the lead investigator on this side of the pond as Facebook has its European headquarters in Ireland, is investigating the breach.
Similar investigations are also reportedly underway in the US states of Connecticut and New York.
In Europe, the hack could result in Facebook being issued with a maximum fine of up to $1.63bn (£1.25bn), which is approximately 4 percent of its annual global revenue.