Facebook failed to fend off a lawsuit over a data breach that affected nearly 30 million users, one of several privacy snafus that have put the company under siege.
The company’s disclosure in September that hackers exploited several software bugs to obtain login access to accounts was tagged as Facebook’s worst security breach ever.
An initial estimate that as many as 50 million accounts were affected was scaled back weeks later.
A federal appeals court in San Francisco on June 21 rejected the company’s request to block the lawsuit, saying claims against Facebook can proceed for negligence and for failing to secure users’ data as promised. Discovery should continue for a trial, U.S. District Judge William Alsup said in his ruling.
He dismissed breach-of-contract and breach-of-confidence claims due to liability limitations. Plaintiffs can seek to amend their cases by July 18.
“From a policy standpoint, to hold that Facebook has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers’ personal data to turn a blind eye and ignore known security risks,”’ Alsup said, citing a decision in a separate case.
The world’s largest social network portrayed itself as the victim of a sophisticated cyberattack and argued that it isn’t liable for thieves gaining access to user names and contact information. The company said attackers failed to get more sensitive information, including credit card numbers and passwords, saving users from any real harm.
Attorneys for users called that argument “cynical,” saying in a court filing that Facebook has “abdicated all accountability” while “seeking to avoid all liability” for the data breach despite Chief Executive Officer Mark Zuckerberg’s promise that the company would learn from its lapses. The case was filed in San Francisco federal court as a class action.
Facebook didn’t immediately respond to a request for comment.