Franklin D. Azar & Associates has filed one of more-than-a-half-dozen consumer protection lawsuits Facebook is now facing as a result of a data breach that may have exposed the personal information of nearly 30 million of the site’s users.
In the lawsuit filed Oct. 11 in the U.S. District Court for the Northern District of California, the plaintiffs in the FDAzar suit say Facebook treated their personal information with “continuing and absolute disregard” in violation of consumer protection statutes across several states.
While the firm is representing all affected Facebook users, the lawsuit includes a Colorado sub-class. In addition to negligence, breach of implied contract and California unfair business practice statutory violations, it alleges the social media giant violated Colorado’s state consumer protection and data breach notification statutes.
On Sept. 28, Facebook announced that hackers exploited a security flaw in its “View As” feature that allowed them to access users’ accounts, and that the flaw might have left nearly 50 million accounts vulnerable. The company has since downgraded its estimate to 30 million exposed accounts but said about 14 million of them had detailed data stolen, which included users’ location and search history. Hackers were not able to acquire users’ passwords or credit card information, according to the company’s Oct. 12 blog post.
View As is a Facebook feature that allowed users to see what their profile looked like to another person browsing the site. The “View As” vulnerability, which was introduced into Facebook’s code in July 2017, enabled hackers to steal users’ access tokens and use them to take control of their accounts. Access tokens serve as “digital keys” that allow users to stay logged into Facebook without reentering their passwords each time. Facebook has since disabled the View As feature.
The FDAzar class action, led by named plaintiff and California resident Rebecca King, claimed Facebook “failed, and continues to fail, to provide adequate protection of its Users’ personal and confidential information and has egregiously failed to provide sufficient and timely notice or warning of potential and actual cybersecurity breaches to its Users.”
The plaintiffs say their names, birthdates, hometowns, addresses, email addresses and shared media constituted the personally identifiable information exposed in the security flaw. “While this information was supposed to be protected, Facebook — without authorization — exposed that information to third parties through lax and non-existent data safety and security policies and protocols,” according to the complaint.
The lawsuit claims that the plaintiffs would have avoided creating Facebook profiles, or at least limited what information they posted on them, had they known that Facebook wouldn’t adequately protect their personal data. The users could suffer harm through the work of identity thieves using the stolen PII to commit fraud, blackmail or harassment, the lawsuit alleges.
“Facebook Users have suffered an ascertainable loss in that they must undertake additional security measures, some at their own expense, to minimize the risk of future data breaches including, without limitation, canceling credit cards associated with their Facebook accounts and changing passwords to Facebook, Instagram, and other linked accounts,” according to the complaint.
In addition to King, the suit’s named plaintiffs include Dominique Martin of New Jersey and Coloradans Rubin Johnson and Martin Newborn. All of the named plaintiffs have had a Facebook account for at least seven years and received Facebook’s notices that their PII may have been breached.
The Colorado subclass is claiming violations of the Colorado Consumer Protection Act and the newly expanded Colorado Security Breach Notification Act. Facebook violated the latter, the plaintiffs say, by failing to notify affected Coloradans in “the most expedient time possible” and “without unreasonable delay.” The statute requires that breached companies make these notices no later than 30 days after discovering the incident, however Facebook said it only discovered its 14-month-old security issue three days prior to making the Sept. 28 announcement.
Ivy Ngo, FDAzar’s lead attorney on the class action, declined an interview citing the litigation still being in the early stages.
Facebook is referring media questions to its public statements and announcements regarding the breach.
FDAzar has made a push toward filing high-profile class actions this year including suits against Edward Jones and Wells Fargo.
Last week the firm sought class action status in Colorado federal court for its lawsuit against CenturyLink, which claimed the company mismanaged its employees’ retirement funds.
Azar’s isn’t the first class action filed in response to the Facebook incident. Sacramento, California-based Arnold Law Firm and Tawmpa, Florida-based Morgan & Morgan filed a class action within the same day as the breach announcement, also in the Northern District of California. In that lawsuit, Echavarria v. Facebook Inc., the named plaintiffs are residents of California and Virginia, and the complaint raises factual background and claims that the FDAzar complaint largely echoes, except the latter alleges more state statutory violations.
Facebook faces at least eight class actions over the breach, including one filed in Canada.
As the private lawsuits pile up, state attorneys general might seek enforcement action against Facebook over the data breach. The day the company announced the breach, North Carolina Attorney General Josh Stein tweeted that he would “get to the bottom of what happened at Facebook.” NBC News reported the New York Attorney General was also looking into the matter.
The Colorado Attorney General has not announced any activity in response to the latest Facebook breach and has not responded to a request for comment.
— Doug Chartier