Case 3:18-cv-05982-WHA Document 314 Filed 11/15/20 Page 1 of 6
UNITED STATES DISTRICT COURT

NORTHERN DISTRICT OF CALIFORNIA

STEPHEN ADKINS, on behalf of himself and those similarly situated,

Plaintiffs,

v.

FACEBOOK, INC.,

Defendant.

No. C 18-05982 WHA

ORDER GRANTING PRELIMINARY SETTLEMENT APPROVAL

INTRODUCTION

In this data-breach class action, plaintiffs move for preliminary approval of a class settlement agreement. The proposal appearing non-collusive and within the realm of approvable, the motion is GRANTED.

STATEMENT

This case arises from the September 2018 hack of Facebook. A prior order detailed the facts (Dkt. No. 153). In brief, certain access tokens permitted access to Facebook users’ accounts, but a previously unknown vulnerability made these tokens sometimes visible to strangers. Hackers exploited this flaw in September 2018 to access 300,000 accounts. Once inside, the hackers ran two search queries. The first yielded the names and telephone numbers and/or e-mail addresses of fifteen million users worldwide (2.7 million in the United States). The second yielded more sensitive information on fourteen million users worldwide (1.2 million in the United States), including the original 300,000.

In February 2019, five named plaintiffs filed a consolidated complaint asserting several claims. Following consolidation and motion practice, in August 2019, only one named plaintiff, Stephen Adkins, and two claims remained. Six months later, plaintiff Adkins sought to certify a class of affected Facebook users. The motion outlined three classes under Rule 23(b)(2), Rule 23(b)(3), and Rule 23(c)(4). A November 2019 order certified a worldwide class for injunctive purposes only (Dkt. No. 260). One month later, on the parties’ motion, a December 19 order limited the injunctive class to users within the United States and removed the requirement of class notice via first-class mail (Dkt. No. 271). The certified class for injunctive purposes only became:

All current Facebook users residing in the United States whose personal information was compromised in the data breach announced by Facebook on September 28, 2018.

On January 8, under the supervision of Chief Magistrate Judge Joseph Spero, the parties reached a settlement in principle (Dkt. No. 281). During the settlement conference, the parties discussed potential security commitments Facebook could make as part of a settlement. Following those discussions, with the assistance of plaintiff’s expert, the parties reached a final set of security commitments and came to a proposed settlement agreement. Plaintiff now moves for preliminary approval of the settlement agreement and to direct notice of the settlement. This order follows briefing and oral argument.

ANALYSIS

Our court of appeals maintains a “strong judicial policy” in favor of settlement of “complex class action litigation.” Class Plaintiffs v. City of Seattle, 955 F.2d 1268, 1276 (9th Cir. 1992). But a class settlement must offer fair, reasonable, and adequate relief. Lane v. Facebook, Inc., 696 F.3d 811, 818 (9th Cir. 2012). Preliminary approval is appropriate if “the proposed settlement appears to be the product of serious, informed, non-collusive negotiations, has no obvious deficiencies, does not improperly grant preferential treatment to class representatives or segments of the class, and falls within the range of possible approval.” In re Tableware Antitrust Litig., 484 F. Supp. 2d 1078, 1079 (N.D. Cal. 2007) (Chief Judge Vaughn Walker).

The proposed settlement imposes a battery of security commitments to prevent future similar attacks. Facebook will certify that the vulnerability exploited in the breach has been eliminated, that it is no longer possible to generate access tokens in the manner that was done in the breach, and that all access tokens generated through the vulnerability have been invalidated. Then, for the next five years, Facebook will adopt the following security commitments to prevent future attacks:

(1) Increase the frequency of integrity checks on session updates to detect account compromises.

(2) Implement new tools to detect suspicious patterns in the generation and use of access tokens across Facebook.

(3) Implement new tools to help Facebook promptly contain a security incident involving the improper issuance of access tokens.

(4) Implement automatic alerts for specified types of suspicious activity to ensure prompt response.

(5) Undergo annual SOC2 Type II security assessments.

(6) Limit the capabilities of applications that rely on access tokens.

(7) Eliminate “NoConfidence authentication proofs” and require cryptographic proofs of valid logins before generating credentials.

(8) Employ at least one senior security executive with direct reporting authority and obligations to Facebook’s Board of Directors.

(9) Expand the logging of access token generation and use metadata to facilitate the detection, investigation, and identification of the compromise of user access tokens.

Compliance with these commitments will be assessed annually by an “unbiased, independent third-party vendor selected by Facebook,” though with class counsel’s approval. Other than sharing the results with the Court and an expert retained to verify compliance, class counsel will keep the results confidential. For the present purposes, the proposed settlement is adequate.

First, this proposal provides the primary injunctive goal of this suit: elimination of the vulnerability and Facebook’s commitment to security measures to protect not just class members but all Facebook users’ personal information. Seven of the nine commitments reflect voluntary measures implemented in response to the breach intended to detect, investigate, contain, and prevent access-token theft or abuse. The remaining two (numbers 5 and 8) reflect previously existing practices that Facebook has committed to continuing as part of the proposal. Following the hearing, Facebook submitted a sworn declaration verifying that none of the security measures have been undertaken as a result of any other court order or regulatory directive.

Second, the proposal ensures Facebook’s commitment to these measures for the next five years under external assessment. Given Facebook has already voluntarily implemented the security measures, this external oversight becomes the real value for the class. Facebook will provide the results of the security assessment to class counsel, a third-party expert, and the Court. Moreover, the ongoing review ensures the continued efficacy of the agreement. Should legal or technological developments render any provision of the proposal obsolete, the parties will work to update the settlement agreement.

Third, the proposal appears to be the product of serious, non-collusive negotiations. Class counsel’s fees and costs, and Mr. Adkins’s service award are appropriately reserved for the Court’s discretion at final approval. Facebook may oppose counsel’s fee request and, given the relief here is injunctive, class counsel’s fee will not detract from plaintiffs’ recovery. The proposed scope of waiver is adequately narrow. Plaintiffs agree to waive all injunctive or declaratory relief claims made in this case, but retain all claims for damages, with the exception of plaintiff Adkins, who releases all claims in exchange for his service award. And, as it provides for uniform injunctive relief, the proposal treats class members equitably relative to each other.

Fourth, notice to the class is “reasonably calculated, under all the circumstances, to apprise interested parties of the pendency of the action and afford them an opportunity to present their objections.” Mullane v. Central Hanover Bank & Tr. Co., 339 U.S. 306, 314 (1950). A prior order approved the notice program (Dkt. No. 271). Class notice will be distributed via the email addresses linked to the class members’ Facebook accounts, via reverse phone look-up to identify the few Facebook users who did not input their email address, a dedicated website, social media campaigns, internet banner ads, and a traditional media campaign. Counsel have selected Angeion Group, whom the undersigned has recently approved as administrator in another case, as the class administrator here. See In re Glumetza Antitrust Litigation, No. C 19-05822 WHA, Dkt. No. 389 (N.D. Cal. Oct. 15, 2020).

Following the hearing, the parties have appropriately simplified the process for plaintiffs to object to the proposed settlement. However, the proposed notice requires three more minor changes. Counsel shall please clarify that a class member need only mail an objection letter to one of the several addresses for the class administrator and class counsel. Then, given the impact of COVID-19, the proposed notice shall please indicate both that the final approval hearing may take place telephonically and that the Clerk’s office hours have also been impacted. If in the coming months it appears that an in-person fairness hearing will be out of the question due to public health, the Court will appreciate counsel’s assistance in providing a certain number of class members the opportunity to speak at the hearing by phone, should they wish.

* * *

The parties seek to seal several documents submitted in support of the proposed settlement (Dkt. Nos. 280, 296, 299). Public policy heartily favors openness in our court system as the public is entitled to know to whom we are providing relief (or not). See Kamakana v. City & Cty. of Honolulu, 447 F.3d 1172, 1179–80 (9th Cir. 2006). Generally, “a court may seal records only when it finds a compelling reason and articulates the factual basis for its ruling, without relying on hypothesis or conjecture.” Ctr. for Auto Safety v. Chrysler Grp., 809 F.3d 1092, 1096–97 (9th Cir. 2016) (quotations and citations omitted).

Facebook asserts that malicious actors with public access to this information could leverage it to evade Facebook’s security systems and circumvent detection, endangering user information. The redactions are limited to specific testing parameters and triggering events that, although important, are not so determinative of the relief afforded that a meaningful evaluation of the proposal cannot be made without them. Against the risk of endangering the user information this relief is designed to protect, narrow redactions are warranted. To the following extent, the motions are GRANTED and the following redactions approved:

(1) Facebook’s proposed and limited redaction to “Exhibit 1 — Facebook’s Security Commitments” (Dkt. Nos. 280-3, 285-1).

(2) The proposed redactions to sub-exhibit A-1, of exhibit 6, to plaintiffs’ supplemental brief (Dkt. No. 296-3).

(3) Facebook’s proposed redactions to the Bream declaration (Dkt. No. 299).

CONCLUSION

The proposed settlement falling within the realm of adequate, preliminary approval is GRANTED. The settlement administrator and notice plan are APPROVED. Class notice shall be disseminated by DECEMBER 30. Counsel shall move for final approval, fees, costs, and for Mr. Adkins’s service award by FEBRUARY 8, 2021. Class member objections are due MARCH 8. Counsel shall promptly arrange to pick up any objections mailed to the Court and shall reply to the objections by MARCH 26. In the meantime, the affidavit attesting to the dissemination of class notice is due MARCH 24. The final approval hearing is set for APRIL 8 AT 11:00 A.M.

IT IS SO ORDERED.

Dated: November 15, 2020.

WILLIAM ALSUP
UNITED STATES DISTRICT JUDGE