This Friday, Judge William Alsup issued a decision, Bass v. Facebook, Inc., No. C 18-05982 WHA (JSC), 2019 U.S. Dist. LEXIS 104488 (N.D. Cal. June 21, 2019) which granted in part and denied in part Facebook's motion to dismiss. The plaintiff's suit arose from a data breach in September 2018 which was caused by problems with access tokens. Access tokens are automatic passwords which allow accounts to be accessed without entering a user name and password on each login. The compromise of a Facebook access token may allow a malicious actor to access to data used in other applications. Facebook, contrary to standard industry practice, does not set access tokens to automatically expire.
Judge Alsup rejected Facebook's contention that there was no injury in fact because the compromised information (names, email addresses, phone numbers, photos, etc.) were publicly available. The decision points out that an injury is caused because the breach facilitates identity theft. "The information taken, however, need not be sensitive to weaponize hackers in their quest to commit further fraud or identity theft. . . That each strand of information can be painstakingly collected through a mishmash of other sources is irrelevant. Facebook is a centralized location which stores personal information for billions of users. Constructing this information from random sources bit by bit, would be hard." Id. at *19-21.
The court also found that the loss time caused by the data breach constituted a form of injury, even where a plaintiff could only show that he had spent an hour or so sorting through suspicious emails. "As consequences of this data breach continue to unfold, so too, will plaintiff's invested time. More phishing emails will pile up. At this stage, the time loss alleged suffices." Id. at *22. However a claim by one plaintiff that alleged he was a victim of the data breach merely because he was automatically logged out of Facebook, received suspicious phone calls, and got fake friend requests and spam, was dismissed.