A federal judge said up to 29 million Facebook Inc (FB.O) users whose personal information was stolen in a September 2018 data breach cannot sue as a group for damages, but can seek better security at the social media company after a series of privacy lapses.
In a decision late Tuesday night, U.S. District Judge William Alsup in San Francisco said neither credit monitoring costs nor the reduced value of stolen personal information was a “cognizable injury” that supported a class action for damages.
Alsup also said damages for time users spent to mitigate harm required individualized determinations rather than a single classwide assessment.
Users were allowed to sue as a group to require Facebook to employ automated security monitoring, improve employee training, and educate people better about hacking threats.
Alsup rejected Facebook’s claim that these were unnecessary because it had fixed the bug that caused the breach.
“Facebook’s repetitive losses of users’ privacy supplies a long-term need for supervision,” at least at this stage of the litigation, Alsup wrote.
Allowing a damages class action could have exposed Facebook to a higher total payout.
Lawyers for the Facebook users did not immediately respond to requests for comment. Facebook did not immediately respond to similar requests.
On Sept. 28, 2018, Facebook said that hackers had exploited software flaws to access 50 million users’ accounts, at the time considered the largest breach in the California-based company’s 14-year history.
It scaled back the size two weeks later, saying 30 million users had their access tokens stolen, while 29 million had personal information such as gender, religion, email addresses, phone numbers and search histories taken.
Facebook has faced many lawsuits over privacy, including for allowing British political consulting firm Cambridge Analytica access data for an estimated 87 million users.
In September, U.S. District Judge Vince Chhabria in San Francisco said Facebook must face most of a damages lawsuit over access by third parties such as Cambridge, calling Facebook’s views about users’ privacy expectations “so wrong.”