424 F.Supp.3d 686
N.D. Cal.2019Background
- September 2018 Facebook vulnerability exposed “access tokens,” allowing attackers to access ~300,000 accounts and extract data for ~29 million users worldwide (≈4+ million U.S.).
- Stephen Adkins is the lone remaining named plaintiff alleging negligence; he seeks (a) injunctive relief (security reforms), (b) class damages for credit monitoring and diminished value of personal information, and (c) individual damages for time spent responding to the breach.
- Procedural posture: motion for class certification under Rule 23(b)(2), 23(b)(3), and 23(c)(4); Daubert motions to strike two plaintiff experts (James Van Dyke and Ian Ratner).
- Court held Adkins has Article III standing based on a substantial risk of identity theft from permanently sensitive data and a loss of time (~1.8 hours).
- Court excluded identity‑theft expert Van Dyke as unreliable and admitted CPA Ratner’s damages testimony. The court denied certification of a Rule 23(b)(3) damages class and a Rule 23(c)(4) issues class, but granted certification of a nationwide Rule 23(b)(2) injunctive‑only class (all users whose data were compromised).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing | Adkins: theft of DOB, phone, etc. creates substantial risk of identity theft; spent time responding | Facebook: no SSNs/CC numbers taken; only minimal phishing to date; no concrete misuse | Standing satisfied: substantial future‑harm risk + lost time establish injury‑in‑fact |
| Admissibility of Van Dyke (Daubert) | Van Dyke: industry experience shows any breach increases identity‑theft risk; credit monitoring appropriate | Facebook: methodology boilerplate, factual errors, recycled opinions, produced inconsistent risk scores | Excluded: opinions unreliable, based on erroneous inputs and boilerplate conclusions |
| Admissibility of Ratner (Daubert) | Ratner: economic models support class‑wide valuation of data and class damages for time/risk | Facebook: models speculative, ignore individual variation, unreliable for class‑wide damages | Admitted: methodology may be imperfect but admissible; weaknesses for cross‑examination |
| Rule 23(b)(3) damages class (credit monitoring & diminished value) | Adkins: nationwide class under CA law; credit monitoring and lost data value are cognizable harms calculable class‑wide | Facebook: individual issues predominate; no cognizable negligence injury absent out‑of‑pocket expenses; diminished‑value theory speculative | Denied: no cognizable negligence injury for credit monitoring absent expenditures by class rep; diminished value theory too speculative; Adkins not representative for damages |
| Rule 23(b)(2) injunctive class | Adkins: seeks structural security reforms and audits applicable classwide | Facebook: bug fixed; no standing for prospective relief; relief too diffuse | Granted: injunctive‑only nationwide class certified; requested remedies give sufficient contours for a Rule 23(b)(2) injunction |
Key Cases Cited
- Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (stolen sensitive data can create substantial risk of identity theft supporting standing)
- In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018) (data breaches may cause long‑latent identity theft risk; loss of personal data is enduring)
- Susan B. Anthony List v. Driehaus, 573 U.S. 149 (2014) (injury‑in‑fact ensures personal stake in litigation)
- United States v. Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S. 669 (1973) (small or trifling injuries can suffice for standing)
- Potter v. Firestone Tire & Rubber Co., 6 Cal.4th 965 (Cal. 1993) (medical‑monitoring damages recognized as exception to present‑harm requirement under California law)
- Wal‑Mart Stores, Inc. v. Dukes, 564 U.S. 338 (2011) (rigorous Rule 23 analysis may require scrutiny of merits and commonality)
- Gen. Tel. Co. of Sw. v. Falcon, 457 U.S. 147 (1982) (class representative must share class interests and injuries)
- Zinser v. Accufix Research Inst., Inc., 253 F.3d 1180 (9th Cir. 2001) (district court must conduct rigorous Rule 23 inquiry)
- Primiano v. Cook, 598 F.3d 558 (9th Cir. 2010) (weak but admissible expert evidence should be tested by cross‑examination)
- Hemmings v. Tidyman’s Inc., 285 F.3d 1174 (9th Cir. 2002) (methodological gaps typically affect probativeness, not admissibility)