In a decision released late Tuesday night, a federal judge ruled that up to 29 million Facebook users whose personal info was stolen in a September 2018 data breach are not entitled to sue Facebook as a group for damages — but the users may be entitled to demand better personal data security at Facebook.
The case is Adkins v Facebook Inc, U.S. District Court, Northern District of California, No. 18-05982.
In San Francisco on Thursday night, U.S. District Judge William Alsup said neither credit monitoring costs nor the reduced value of stolen personal information was a "cognizable injury" that supported a class action for damages.
Alsup also said damages for time users spent to mitigate harm required individualized determinations rather than a single classwide assessment. Users were allowed to sue as a group to require Facebook to employ automated security monitoring, improve employee training, and educate people better about hacking threats.
Alsup rejected Facebook's claim that these were unnecessary because it had fixed the bug that caused the breach.
"Facebook's repetitive losses of users' privacy supplies a long-term need for supervision," at least at this stage of the litigation, Alsup wrote.
Allowing a damages class action could have exposed Facebook to a higher total payout.