Facebook must face lawsuit over 29 million-user data breach

A federal appeals court rejected Facebook's request to block the lawsuit, saying claims against the social media giant can proceed for failing to secure users’ data.

The cyberattack exposed the user names and contact information of nearly 30 million Facebook users. (Photo: Gabby Jones/Bloomberg)

Facebook Inc. failed to fend off a lawsuit over a data breach that affected nearly 30 million users, one of several privacy snafus that have put the company under siege.

The company’s disclosure in September that hackers exploited several software bugs to obtain login access to accounts was tagged as Facebook’s worst security breach ever. An initial estimate that as many as 50 million accounts were affected was scaled back weeks later.

A federal appeals court in San Francisco on June 21 rejected the company’s request to block the lawsuit, saying claims against Facebook can proceed for negligence and for failing to secure users’ data as promised. Discovery should move “with alacrity” for a trial, U.S. District Judge William Alsup said in his ruling. He dismissed breach-of-contract and breach-of-confidence claims due to liability limitations. Plaintiffs can seek to amend their cases by July 18.

“From a policy standpoint, to hold that Facebook has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers’ personal data to turn a blind eye and ignore known security risks,’” Judge Alsup said, citing a decision in a separate case.

The world’s largest social network portrayed itself as the victim of a sophisticated cyberattack and argued that it isn’t liable for thieves gaining access to user names and contact information. The company said attackers failed to get more sensitive information, including credit card numbers and passwords, saving users from any real harm.

Attorneys for users called that argument “cynical,” saying in a court filing that Facebook has “abdicated all accountability” while “seeking to avoid all liability” for the data breach despite Chief Executive Officer Mark Zuckerberg’s promise that the company would learn from its lapses. The case was filed in San Francisco federal court as a class action.

Facebook didn’t immediately respond to a request for comment.

The Menlo Park, California-based company faces a slew of lawsuits and regulatory probes of its privacy practices after revelations in early 2018 that it allowed the personal data of tens of millions of users to be shared with political consultancy Cambridge Analytica. As lawmakers have focused greater scrutiny on the company, Zuckerberg in March called for new global regulations governing the internet, including rules for privacy safeguards.


Copyright 2024 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.