Facebook must face a lawsuit stemming from a security lapse that enabled hackers to steal 30 million users' information, a federal judge has ruled.
The ruling, issued Friday by U.S. District Court Judge William Alsup in the Northern District of California, allows Michigan resident Stephen Adkins to proceed with a class-action complaint alleging that Facebook was negligent in its handling of users' data.
The legal battle centers on a security glitch uncovered last September, when Facebook reported that hackers had obtained personal data for millions of users worldwide by exploiting a coding vulnerability.
The hackers obtained wide-ranging information -- including names, phone numbers, email addresses, birthdates, relationship status, religious views and hometowns -- for around 14 million users, including 1.2 million in the U.S.
Hackers also obtained a narrower set of data -- including names, phone numbers and email addresses -- for around 15 million users, including 2.7 million in the U.S.
Adkins and other Facebook users sued the company over the incident, alleging that Facebook acted negligently because it failed to use adequate security to protect users' data, among other claims. (Most of the other users dropped their claims in March.)
Facebook urged Alsup to dismiss the case, arguing that the data breach didn't result in any concrete injury to users.
“While the complaint speculates (baselessly) about various potential harms that might arise from the attack, ranging from identity theft to lost value of information, plaintiffs do not allege that they actually suffered any of those injuries,” Facebook wrote in court papers filed in March.
The company added that the data breach didn't pose a plausible risk of financial injury to users, because the hackers didn't obtain financial account numbers.
“It goes without saying that information like a person’s religious views, hometown, or relationship status cannot be used to open a bank account, and is not comparable to sensitive financial information such as credit card or social security numbers, which can provide an identity thief with the direct ability to access an individual’s funds or impersonate the individual to financial institutions,” Facebook wrote.
Alsup rejected that argument. “Facebook has gone to great lengths to show that all the information taken was otherwise publicly available information and not sensitive,” he wrote. “The information taken, however, need not be sensitive to weaponize hackers in their quest to commit further fraud or identity theft.”
The judge also noted that a federal appellate court recently ruled that Zappos had to face a class-action lawsuit over a data breach.
In that matter, a three-judge panel of the 9th Circuit Court of Appeals ruled the key question wasn't whether hackers obtained financial account information, but whether they obtained the kind of information that could enable fraud or identity theft.
While Alsup allowed Adkins to proceed with a negligence claim, the judge dismissed several other claims, including allegations that Facebook broke its contract with users, and that it violated a California consumer protection law.
Those dismissals were without prejudice -- meaning that class counsel can reformulate the allegations in an amended complaint.