SAN FRANCISCO (CN) – A federal judge on Thursday refused to approve a settlement over a 2018 data breach that would force Facebook to submit to independent audits of data security measures for the next five years.
U.S. District Judge William Alsup accused lawyers for Facebook and a class of 4 million social network members of using “smoke and mirrors” to obscure what, if anything, in the agreement is new.
“This is very vague to me as to what real benefit anybody is getting out of this case,” Alsup said. “You’ve done smoke and mirrors to me so that you’ve camouflaged it. I have no way of knowing.”
In 2018, hackers infiltrated millions of Facebook accounts by exploiting a vulnerability in a “View As” feature for user profiles. Facebook initially said the breach affected 50 million users but later downgraded the estimate to 29 million users, including 4 million in the United States.
Hackers swiped names and contact information – such as phone numbers or email addresses – for 2.7 million U.S. users, and infiltrated the profiles of an additional 1.2 million U.S. users, gaining access to usernames, birthdates, workplaces, hometowns, schools attended and other personal information, including places where they recently “checked in” or were “tagged.”
Lead plaintiff Stephen Adkins sued Facebook on Sept. 28, 2018, mere hours after the data breach was made public in a Facebook blog post.
Last year, Alsup found a certified class of 4 million users could only seek injunctive relief to make Facebook improve its data security methods. He denied their request to seek monetary damages for credit monitoring services because lead plaintiff Adkins never paid for such services. The judge also denied the plaintiffs’ request to seek compensation for the loss of control over private information, finding their personal data not as valuable to users as it is to Facebook.
Facebook and lawyers for the plaintiff class reached a settlement last month which will require the company to adopt a series of data security enhancements, including increased suspicious activity monitoring. The company must also submit to annual data security audits by a third-party monitor for the next five years.
Alsup told the lawyers in court Thursday that he will not approve the deal until Facebook submits a sworn statement detailing precisely what commitments in the settlement are not already required under existing legal obligations.
Without that information, the judge said he cannot adequately assess whether plaintiffs’ lawyers should be allowed to seek up to $17.7 million in attorneys’ fees and costs.
“I’ve seen this game before,” Alsup said. “People agree to do something they’ve already agreed to do, and the plaintiff wants a lot of money for that. That’s a trick. We don’t allow tricks.”
Representing Facebook, attorney Andrew Clubok of Latham & Watkins told the judge he is not aware of any overlap between these settlement terms and Facebook’s existing legal obligations. However, he said Facebook had already put many of these data security upgrades in place since the lawsuit was filed.
Picking up on that point, Alsup said he would not rule out that plaintiffs’ lawyers may deserve some praise for influencing Facebook to adopt those security measures.
“Plaintiffs get some of the credit perhaps in my view for maybe provoking you to do that,” Alsup said.
The judge also demanded that both sides make it easier for class members to object to the settlement. The proposed objection process requires Facebook users to include the “legal and factual basis” for their objections, identify if they have objected to a class action settlement in the last three years, list attorney names and contact information, and indicate if they plan to attend a settlement approval hearing.
“You’ve got a process for objections that is so onerous that you’re effectively precluding the public from objecting,” Alsup said.
The judge also demanded that settlement notifications be sent by direct mail in addition to email and advertisements.
“I want to make it as easy as possible for the public to have their say,” Alsup said.
Facebook and the class have 21 days to amend the class notice and objection procedures and submit a sworn statement explaining whether each commitment in the proposed settlement is unique.
John Yanchunis of Morgan & Morgan in Tampa, Florida, argued on behalf of the plaintiff class.