394 F.Supp.3d 1024
N.D. Cal.2019Background
- Facebook suffered a September 2018 vulnerability in its "View As" feature that exposed access tokens; attackers stole tokens for ~69,000 accounts and harvested data for ~29 million users worldwide.
- Two named plaintiffs remained after consolidation: Stephen Adkins (notified by Facebook he was affected) and William Bass (not notified). Plaintiffs asserted ten causes of action on behalf of a nationwide class of affected U.S. users.
- Facebook moved to dismiss under Rule 12(b)(1) (Article III standing) and Rule 12(b)(6) (failure to state a claim); the court considered declarations and depositions in resolving factual standing challenges.
- The Terms of Service included a broadly worded limitation-of-liability clause disclaiming liability for loss of "information or data" and capping aggregate recoveries; Facebook invoked the clause to defeat several contract-based claims.
- The court found Adkins has Article III standing based on (1) increased risk of identity theft from the specific data stolen and (2) time spent responding to phishing and remediation. Bass lacked a plausible connection to the breach and lacked standing.
- The court dismissed breach-of-contract/implied-contract/implied-covenant/quasi-contract and breach of confidence claims under the liability clause (with leave to amend), but allowed negligence (including negligence-per-se theory) and a declaratory-judgment claim to proceed; UCL/CLRA claims were dismissed for lack of economic injury.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing for each named plaintiff | Adkins and Bass claim concrete harms from the breach: risk of identity theft, lost time, loss of data value, and loss of benefit of the bargain | Facebook contends plaintiffs lack concrete, particularized injuries; presents evidence showing Bass was not affected | Adkins has standing (risk of identity theft + lost time). Bass does not and his claims are dismissed for lack of standing (leave to amend) |
| Enforceability of Terms of Service limitation-of-liability clause | Plaintiffs contend clause is unconscionable or inapplicable to some claims | Facebook argues clause bars contract-based and related claims and caps damages | Clause bars breach-of-contract, implied-contract, implied-covenant, quasi-contract, and breach-of-confidence claims at this stage; plaintiff may amend to allege unconscionability |
| Viability of negligence claim and duty of care | Plaintiffs allege Facebook breached industry-standard data-security practices (e.g., token expiration) causing foreseeable harm | Facebook argues no duty to users or clause bars negligence; invokes economic-loss rule | Negligence plausibly alleged; duty exists at least at pleadings stage; limitation clause does not categorically bar negligence; economic-loss rule does not preclude claims here because plaintiffs allege non‑purely economic harm (time loss) |
| Standing under UCL and CLRA (economic statutes) | Plaintiffs allege loss of value of personal data and loss of benefit of the bargain | Facebook argues plaintiffs lack loss of money or property required for statutory standing | Dismissed for lack of economic injury; Adkins failed to allege lost money/property or a market for his data (leave to amend) |
Key Cases Cited
- White v. Lee, 227 F.3d 1214 (9th Cir.) (standing analysis context)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (U.S. 2013) (threatened injury must be certainly impending)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (U.S. 1992) (plaintiff bears burden to establish standing at each litigation stage)
- Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir.) (stolen personal data can support injury-in-fact via increased risk of identity theft)
- In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir.) (focus on whether stolen data "gave hackers the means to commit fraud or identity theft")
- Ashcroft v. Iqbal, 556 U.S. 662 (U.S.) (pleading standard for plausibility)
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (U.S.) (facial plausibility standard)
- Kwikset Corp. v. Superior Court, 51 Cal.4th 310 (Cal.) (economic injury requirement for UCL standing)
- Robinson Helicopter Co. v. Dana Corp., 34 Cal.4th 979 (Cal.) (economic loss rule in tort/contract context)