1 2 3 4 5 6 IN THE UNITED STATES DISTRICT COURT 7 FOR THE NORTHERN DISTRICT OF CALIFORNIA 8 9 10 STEPHEN ADKINS, an individual and Michigan resident, on behalf of himself and all 11 others similarly situated, No. C 18-05982-WHA 12 Plaintiff, 13 v. ORDER ON MOTION FOR 14 FACEBOOK, INC., CLASS CERTIFICATION AND MOTIONS TO STRIKE 15 Defendant. / 16 17 INTRODUCTION 18 This is a putative class action by plaintiff Stephen Adkins against defendant Facebook, 19 Inc. Plaintiff asserts a claim for negligence based on Facebook’s alleged faulty security 20 practices in collecting and storing plaintiff’s information. These faulty practices allegedly 21 allowed hackers to break into Facebook’s platform and pilfer the personal information of 29 22 million Facebook users worldwide, including more than four million users in the United States. 23 The operative complaint seeks relief in the form of a credit monitoring service for the victims, 24 in addition to compensatory, statutory, and punitive damages. The operative complaint also 25 seeks declaratory relief (Amd. Compl. at 48) (Dkt. No. 193). 26 A prior order walked through the coding vulnerability which allowed the data breach 27 (Dkt. No. 153). In brief, when three features on Facebook’s platform interacted, “access 28 tokens” became visible. Similar to a password, access tokens permitted users to enter their 1 by strangers. In this way, the hackers entered 300,000 accounts in September 2018 (Bream 2 Decl. ¶¶ 11–17; Amd. Compl. ¶¶ 95–97, 100) (Dkt. Nos. 97; 193) 3 The hackers ran two separate search queries from within these 300,000 accounts. The 4 first yielded the names and telephone numbers and/or e-mail addresses of fifteen million users 5 worldwide (2.7 million in the United States). The second yielded more sensitive information on 6 fourteen million users worldwide (1.2 million in the United States). The information taken 7 from this second group included names, telephone numbers, e-mail addresses, gender, date of 8 birth, and, to the extent the fields were populated, workplace, education, relationship status, 9 religious views, hometown, self-reported current city, and website. Within this second group, 10 the hackers also obtained the user’s locale and language, the type of device used by the user to 11 access Facebook, the last ten places the user was “tagged” in or “checked into” on Facebook, 12 the people or pages on Facebook followed by the user, and the user’s fifteen most recent 13 searches using the Facebook search bar. The original 300,000 users who had their accounts 14 entered into also had the same information taken as this second group (Bream Decl. ¶¶ 10–12, 15 18–19). 16 In February 2019, five named plaintiffs filed a consolidated complaint which averred ten 17 claims. An order consolidated eleven putative class action lawsuits filed in this district which 18 arose from this data breach. Following Rule 12 practice, in August 2019, only one named 19 plaintiff, Stephen Adkins, and two claims remained (Dkt. Nos. 76, 78, 96, 108, 113, 115, 153). 20 Plaintiff now seeks to certify a class of all Facebook users whose personal information 21 became part of the September 2018 data breach. Plaintiff seeks certification under Rule 22 23(b)(2), Rule 23(b)(3), and Rule 23(c)(4). More specifically, plaintiff seeks injunctive relief 23 for a worldwide class under Rule 23(b)(2), namely plaintiff seeks certain changes to Facebook’s 24 security practices to ensure no further harm comes to its users. Plaintiff seeks damages on 25 behalf of a nationwide class under Rule 23(b)(3), related to the diminished value of personal 26 information and for Facebook to provide cash for future credit monitoring. Finally, plaintiff 27 seeks certification of a nationwide class under Rule 23(c)(4) for those who seek additional 28 1 individual damages resulting from the time spent devoted to the data breach, and who incurred 2 other individual injuries (Dkt. Nos. 193 at 47, 48; 198 at 1). 3 In opposing the class certification motion, Facebook concentrates most of its fire on the 4 Rule 23(b)(3) damages class. Primarily, Facebook opposes on the ground that individual issues 5 would predominate. Facebook also moved to strike two of plaintiff’s expert declarations (Dkt. 6 Nos. 213–15). This order follows oral argument. 7 ANALYSIS 8 This order first holds that plaintiff Stephen Adkins has sufficiently established Article 9 III standing because of a substantial risk of identity theft and also because he has lost time due 10 to the breach. Next, this order holds that Identity Theft Expert James Van Dyke’s expert 11 opinion must be excluded because his methodology is unreliable. CPA Ian Ratner’s expert 12 opinion, however, will be allowed. Finally, this order will certify an injunctive class under Rule 13 23(b)(2). The details now follow. 14 1. ARTICLE III STANDING. 15 A prior order dated June 21, 2019, held that plaintiff Adkins had sufficiently established 16 standing (Dkt. No. 153 at 12). Then, as now, the only contentious element concerned the 17 injury-in-fact requirement. Then, as now, plaintiff Adkins sufficiently established injury due to 18 a substantial risk of future identity theft and also due to a continuing loss of time, all to follow. 19 A. Substantial Risk of Identity Theft. 20 No social security or credit-card numbers were taken in this hack. The hackers took 21 plaintiff’s name, date of birth, phone number, gender, and hometown, among other information 22 (Dkt. No. 193 ¶ 102). Plaintiff, however, cannot change his date of birth or hometown and 23 would not be expected to change his gender merely on account of a data breach. This 24 information will abide, sensitive, long-term. This sensitivity, combined with the fact that the 25 information was not merely taken, but specifically targeted for theft, continues to confer a basis 26 for standing at this stage. 27 28 1 Facebook complains that plaintiff has so far suffered only three phishing e-mails, all of 2 which went directly to his junk folder. But his identity remains at peril, theft-wise. That is 3 enough. 4 A finding of a substantial risk of identity theft does not depend on concrete examples 5 that the stolen information has already been misused. In Krottner v. Starbucks Corporation, 6 “Starbucks sent a letter to . . . affected employees alerting them to the theft and stating that 7 Starbucks had no indication that the private information ha[d] been misused.” 628 F.3d 1139, 8 1140–41 (9th Cir. 2010) (internal quotation marks and citation omitted). Nevertheless, a 9 credible threat of real and immediate harm had been sufficiently alleged there because the 10 information: (i) had been sensitive and (ii) had been stolen. Id. at 1143. Plaintiff’s risk of 11 identity theft stems from the sensitivity of the information taken combined with its theft. 12 The information taken in Krottner — name, address, social security number — included 13 information sufficiently similar to the information taken here. A social security number, though 14 even worse to lose, is like one’s date of birth, prior history, and gender. They remain with the 15 victim forever, thereby “g[i]v[ing] hackers the means to commit fraud or identity theft.” In re 16 Zappos.com, Inc., 888 F.3d 1020, 1027–29 (9th Cir. 2018), cert. denied sub nom., Zappos.com 17 v. Stevens, 139 S. Ct. 1373 (2019). Information such as this will never go bad, and so, hackers 18 can warehouse this stolen data for years before using it. The substantial risk remains. 19 It is true that in Zappos, our court of appeals mentioned there were concrete examples of 20 identity theft and specific instances of hacked accounts in that data breach, whereas in this case 21 there are none. 888 F.3d at 1027–28.
Free access — add to your briefcase to read the full text and ask questions with AI
1 2 3 4 5 6 IN THE UNITED STATES DISTRICT COURT 7 FOR THE NORTHERN DISTRICT OF CALIFORNIA 8 9 10 STEPHEN ADKINS, an individual and Michigan resident, on behalf of himself and all 11 others similarly situated, No. C 18-05982-WHA 12 Plaintiff, 13 v. ORDER ON MOTION FOR 14 FACEBOOK, INC., CLASS CERTIFICATION AND MOTIONS TO STRIKE 15 Defendant. / 16 17 INTRODUCTION 18 This is a putative class action by plaintiff Stephen Adkins against defendant Facebook, 19 Inc. Plaintiff asserts a claim for negligence based on Facebook’s alleged faulty security 20 practices in collecting and storing plaintiff’s information. These faulty practices allegedly 21 allowed hackers to break into Facebook’s platform and pilfer the personal information of 29 22 million Facebook users worldwide, including more than four million users in the United States. 23 The operative complaint seeks relief in the form of a credit monitoring service for the victims, 24 in addition to compensatory, statutory, and punitive damages. The operative complaint also 25 seeks declaratory relief (Amd. Compl. at 48) (Dkt. No. 193). 26 A prior order walked through the coding vulnerability which allowed the data breach 27 (Dkt. No. 153). In brief, when three features on Facebook’s platform interacted, “access 28 tokens” became visible. Similar to a password, access tokens permitted users to enter their 1 by strangers. In this way, the hackers entered 300,000 accounts in September 2018 (Bream 2 Decl. ¶¶ 11–17; Amd. Compl. ¶¶ 95–97, 100) (Dkt. Nos. 97; 193) 3 The hackers ran two separate search queries from within these 300,000 accounts. The 4 first yielded the names and telephone numbers and/or e-mail addresses of fifteen million users 5 worldwide (2.7 million in the United States). The second yielded more sensitive information on 6 fourteen million users worldwide (1.2 million in the United States). The information taken 7 from this second group included names, telephone numbers, e-mail addresses, gender, date of 8 birth, and, to the extent the fields were populated, workplace, education, relationship status, 9 religious views, hometown, self-reported current city, and website. Within this second group, 10 the hackers also obtained the user’s locale and language, the type of device used by the user to 11 access Facebook, the last ten places the user was “tagged” in or “checked into” on Facebook, 12 the people or pages on Facebook followed by the user, and the user’s fifteen most recent 13 searches using the Facebook search bar. The original 300,000 users who had their accounts 14 entered into also had the same information taken as this second group (Bream Decl. ¶¶ 10–12, 15 18–19). 16 In February 2019, five named plaintiffs filed a consolidated complaint which averred ten 17 claims. An order consolidated eleven putative class action lawsuits filed in this district which 18 arose from this data breach. Following Rule 12 practice, in August 2019, only one named 19 plaintiff, Stephen Adkins, and two claims remained (Dkt. Nos. 76, 78, 96, 108, 113, 115, 153). 20 Plaintiff now seeks to certify a class of all Facebook users whose personal information 21 became part of the September 2018 data breach. Plaintiff seeks certification under Rule 22 23(b)(2), Rule 23(b)(3), and Rule 23(c)(4). More specifically, plaintiff seeks injunctive relief 23 for a worldwide class under Rule 23(b)(2), namely plaintiff seeks certain changes to Facebook’s 24 security practices to ensure no further harm comes to its users. Plaintiff seeks damages on 25 behalf of a nationwide class under Rule 23(b)(3), related to the diminished value of personal 26 information and for Facebook to provide cash for future credit monitoring. Finally, plaintiff 27 seeks certification of a nationwide class under Rule 23(c)(4) for those who seek additional 28 1 individual damages resulting from the time spent devoted to the data breach, and who incurred 2 other individual injuries (Dkt. Nos. 193 at 47, 48; 198 at 1). 3 In opposing the class certification motion, Facebook concentrates most of its fire on the 4 Rule 23(b)(3) damages class. Primarily, Facebook opposes on the ground that individual issues 5 would predominate. Facebook also moved to strike two of plaintiff’s expert declarations (Dkt. 6 Nos. 213–15). This order follows oral argument. 7 ANALYSIS 8 This order first holds that plaintiff Stephen Adkins has sufficiently established Article 9 III standing because of a substantial risk of identity theft and also because he has lost time due 10 to the breach. Next, this order holds that Identity Theft Expert James Van Dyke’s expert 11 opinion must be excluded because his methodology is unreliable. CPA Ian Ratner’s expert 12 opinion, however, will be allowed. Finally, this order will certify an injunctive class under Rule 13 23(b)(2). The details now follow. 14 1. ARTICLE III STANDING. 15 A prior order dated June 21, 2019, held that plaintiff Adkins had sufficiently established 16 standing (Dkt. No. 153 at 12). Then, as now, the only contentious element concerned the 17 injury-in-fact requirement. Then, as now, plaintiff Adkins sufficiently established injury due to 18 a substantial risk of future identity theft and also due to a continuing loss of time, all to follow. 19 A. Substantial Risk of Identity Theft. 20 No social security or credit-card numbers were taken in this hack. The hackers took 21 plaintiff’s name, date of birth, phone number, gender, and hometown, among other information 22 (Dkt. No. 193 ¶ 102). Plaintiff, however, cannot change his date of birth or hometown and 23 would not be expected to change his gender merely on account of a data breach. This 24 information will abide, sensitive, long-term. This sensitivity, combined with the fact that the 25 information was not merely taken, but specifically targeted for theft, continues to confer a basis 26 for standing at this stage. 27 28 1 Facebook complains that plaintiff has so far suffered only three phishing e-mails, all of 2 which went directly to his junk folder. But his identity remains at peril, theft-wise. That is 3 enough. 4 A finding of a substantial risk of identity theft does not depend on concrete examples 5 that the stolen information has already been misused. In Krottner v. Starbucks Corporation, 6 “Starbucks sent a letter to . . . affected employees alerting them to the theft and stating that 7 Starbucks had no indication that the private information ha[d] been misused.” 628 F.3d 1139, 8 1140–41 (9th Cir. 2010) (internal quotation marks and citation omitted). Nevertheless, a 9 credible threat of real and immediate harm had been sufficiently alleged there because the 10 information: (i) had been sensitive and (ii) had been stolen. Id. at 1143. Plaintiff’s risk of 11 identity theft stems from the sensitivity of the information taken combined with its theft. 12 The information taken in Krottner — name, address, social security number — included 13 information sufficiently similar to the information taken here. A social security number, though 14 even worse to lose, is like one’s date of birth, prior history, and gender. They remain with the 15 victim forever, thereby “g[i]v[ing] hackers the means to commit fraud or identity theft.” In re 16 Zappos.com, Inc., 888 F.3d 1020, 1027–29 (9th Cir. 2018), cert. denied sub nom., Zappos.com 17 v. Stevens, 139 S. Ct. 1373 (2019). Information such as this will never go bad, and so, hackers 18 can warehouse this stolen data for years before using it. The substantial risk remains. 19 It is true that in Zappos, our court of appeals mentioned there were concrete examples of 20 identity theft and specific instances of hacked accounts in that data breach, whereas in this case 21 there are none. 888 F.3d at 1027–28. But Zappos also recognized that “[a] person whose 22 [personal information] has been obtained and compromised may not see the full extent of 23 identity theft or identity fraud for years. And it may take some time for the victim to become 24 aware of the theft.” Id. at 1028–29 (internal quotations omitted). Nothing in Zappos suggests 25 that the absence of evidence of misuse kills standing. At this stage, information loss can be 26 deemed sensitive without the victim being yet drained of identity. 27 According to Facebook, a social security number on its own can cause identity theft, 28 whereas the information taken in this data breach does not have that power. Yet, one of 1 Facebook’s employees noted during the breach that “a lot of [the breached] info is used for 2 identification on ‘Forgot Password’ flows” and having this information “leak is almost as bad as 3 leaking the passwords themselves” (Dkt. No. 234-11 at 2). Even Facebook’s own expert 4 recognized outside this litigation that “investigators find that a cellphone number is often even 5 more useful than a [s]ocial [s]ecurity number because it is tied to so many databases and is 6 connected to a device you almost always have with you” (Dkt. No. 231-2 at 2). The risk of 7 identity theft is imminent, without a multi-link chain of inferences, even though no social 8 security number was taken. 9 The injury-in-fact requirement “helps to ensure that the plaintiff has a personal stake in 10 the outcome of the controversy.” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) 11 (internal quotation marks and citation omitted). The information taken in this breach 12 persuasively assures that plaintiff has such a stake. Plaintiff has established harm for Article III 13 standing. 14 B. Loss of Time. 15 In the alternative, the prior order dated June 21, 2019, found that plaintiff Adkins had 16 established Article III standing due to the harm of his loss of time. Plaintiff’s expert now 17 calculates that plaintiff spent 1.8 hours responding to this breach (Ratner Decl. ¶ 36; Sch. 21) 18 (Dkt. No. 197-31). Specifically, plaintiff Adkins testified he spent roughly sixty minutes 19 researching the data breach, three minutes changing his password, and 45 minutes monitoring 20 his accounts (ibid., citing Adkins Dep. at 204, 243, 244, 422–424). Plaintiff’s expert calculates 21 the total opportunity-cost of these damages as between $32.50 and $36.30 (Ratner Decl. ¶ 36; 22 Sch. 1). 23 At first blush, this amount of time might appear too small. A small injury, however, can 24 still establish standing. As noted in the context of administrative standing by the United States 25 Supreme Court in United States v. Students Challenging Regulatory Agency Procedures 26 (SCRAP), 412 U.S. 669, 689 n.14 (1973) (citing, Kenneth C. Davis, Standing: Taxpayers and 27 Others, 35 U. Chi. L. Rev. 601, 613 (1968)): 28 “Injury in fact” reflects the statutory requirement that a person be “adversely affected” or “aggrieved,” and it serves 1 to distinguish a person with a direct stake in the outcome of a litigation — even though small — from a person with a 2 mere interest in the problem. We have allowed important interests to be vindicated by plaintiffs with no more at stake 3 in the outcome of an action than a fraction of a vote, see Baker v. Carr, 369 U.S. 186; a $5 fine and costs, see 4 McGowan v. Maryland, 366 U.S. 420; and a $1.50 poll tax, Harper v. Virginia Bd. of Elections, 383 U.S. 663. . . . As 5 Professor Davis has put it: “The basic idea that comes out in numerous cases is that an identifiable trifle is enough for 6 standing to fight out a question of principle; the trifle is the basis for standing and the principle supplies the 7 motivation.” 8 Three United States courts of appeals have relied on this decision to hold that a mere trifle also 9 suffices under Article III. LaFleur v. Whitman, 300 F.3d 256, 270 (2d Cir. 2002); Sierra Club, 10 Lone Star Chapter v. Cedar Point Oil Co., Inc., 73 F.3d 546, 557 (5th Cir. 1996); Doe v. County 11 of Montgomery, Ill., 41 F.3d 1156, 1159–60 (7th Cir. 1994). The time lost by plaintiff 12 establishes a harm for standing purposes. 13 2. FACEBOOK’S MOTIONS TO STRIKE EXPERT TESTIMONY. 14 This order now turns to Facebook’s two Daubert motions to strike expert testimony. 15 Facebook moves to strike all of the various submissions of two of plaintiff’s experts. These 16 experts are: (i) Identity Theft Expert James Van Dyke and (ii) CPA Ian Ratner. 17 A. Identity Theft Expert James Van Dyke. 18 This order finds that Expert Van Dyke did not base his testimony in sufficient facts or 19 data. Nor is his testimony the product of reliable principles and methods. And even accepting 20 the principles and methods he used, Van Dyke did not reliably apply these methods to the facts 21 of this case. 22 Expert Van Dyke’s 29-page opinion testimony boils down to two conclusions. First, 23 every data breach, no matter the information taken, enhances the risk of identity theft in some 24 way. Second, every class member should receive uniform credit monitoring, notwithstanding 25 the specific information taken in the breach (Van Dyke Decl. ¶¶ 3, 6) (Dkt. No. 197-32). 26 Van Dyke cherry-picked his own prior expert opinions. He recycled a conclusion from 27 a different case. He removed references to a critical premise that does not apply here. More 28 specifically, in Van Dyke’s report from the Anthem data breach case, Van Dyke highlighted the 1 importance of social security numbers to identity theft: 2 More damaging forms of misuse often result from criminals amassing more elements of any one consumer’s data — 3 akin to assembling all pieces of a puzzle, with the social security number being a key foundational element. As an 4 example . . . . 5 In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2017 WL 3730912 (N.D. Cal. 6 Mar. 21, 2017) (Dkt. No. 744-24 ¶ 19) (emphasis added). 7 In the report here, Van Dyke cut and pasted the same exact language except he omitted 8 any reference to Social Security numbers being “key” to the risk of identity theft described 9 (Van Dyke Decl. ¶ 3.n.): 10 More damaging forms of misuse often result from criminals amassing more elements of any one consumer’s data — akin 11 to assembling all pieces of a puzzle. As an example . . . . 12 Plaintiff argues Van Dyke simply took care to omit a fact that did not apply to this case, 13 namely the part about social security numbers. This misses the point. The point is that the 14 social security numbers ranked as “key” — until this case, where they weren’t stolen, so the 15 “key” element got removed. This inconsistency means Van Dyke says whatever is convenient 16 to the case at hand. 17 In addition, Van Dyke’s opinions and declarations were riddled with error. His report 18 referred to the theft of maiden names. Maiden names were not taken in the instant breach. He 19 later admitted this inclusion “was a mistake.” He also posited that internet protocol addresses 20 were stolen in the attack and spun a hypothetical that depended on a person knowing “the 21 names of family members.” He further spent much of his report homing in on the theft of 22 mailing addresses. Yet, to repeat, none of this information was taken in the breach. Moreover, 23 in a separate paragraph in his declaration, he referred to how “victims now suffer reduced value 24 of personal information.” This, too, he later walked back, conceding that this paragraph should 25 never have been included. Van Dyke also wrote that he was “retained by [p]laintiffs’ counsel in 26 March of 2018” in this case. But this data breach occurred in September 2018. That sequence 27 seems impossible (Van Dyke Decl. ¶¶ 2.a., 3.o, 4.b., 5.d., 5.h., 5.l., 6.p., 6.q., 7.f., 8.a.; Reply 28 Decl. ¶¶ 2.b.ii., 2.g., 2.i.) (Dkt. Nos. 197-32; 231-4). 1 In a reply declaration, Van Dyke cited to a “beta” “proprietary algorithm” that he 2 claimed generated a “risk level” of 6 out of 10 for the Facebook breach (Reply Decl. ¶ 2.h.). 3 Facebook deposed him. Inexplicably, it then came to light that he also generated this rating by 4 including information that had not been compromised in the breach (users’ home addresses, 5 internet protocol addresses, account login credentials, and account numbers for the phone lines 6 compromised by the breach). When the correct information was input instead, the risk level fell 7 to a 1.2 for Group 1 users and a 1.8 for Group 2 users (Blunschi Decl. ¶¶ 10–11; Exh. 25; Van 8 Dyke II Dep. at 465:18–467:9). According to Van Dyke’s own website, less than a two out of 9 ten risk level describes a breach that does not warrant consumer action of any kind (Dkt. No. 10 248-6). This result squarely conflicts with his expert opinion. 11 In response to all this, counsel primarily argue that Van Dyke’s testimony rested on “his 12 knowledge and experience in the field [of consumer identity fraud]” (Opp. Br. at 9) (Dkt. No. 13 233). This order presumes Van Dyke is an expert. Yet his report is too flawed. Even a good 14 expert can do a bad job. 15 The vast majority of the testimony submitted by Van Dyke was boilerplate from other 16 cases. It could have been written about any data breach, and lacked sufficient analysis. It 17 contained too many errors to be relied upon. For the foregoing reasons, Facebook’s motion to 18 strike Van Dyke’s Report is GRANTED. 19 B. CPA Ian Ratner. 20 Facebook also challenges the admissibility of CPA Ratner’s expert testimony as to his 21 damages analysis. First, Facebook argues that he ignores foundational problems in calculating 22 the diminished value of personal information. Second, Facebook argues that his time and risk 23 based damages are hypothetical and unreliable. This order disagrees. 24 “Shaky but admissible evidence is to be attacked by cross examination, contrary 25 evidence, and attention to the burden of proof, not exclusion.” Primiano v. Cook, 598 F.3d 558, 26 564 (9th Cir. 2010). As to Facebook’s first argument, CPA Ratner attempted to show, through 27 economic models, that access to personal information in-and-of-itself has market value, and that 28 the hackers taking the personal information freely from Facebook is a value lost to the class 1 members (Ratner Decl. ¶¶ 45, 46). He also showed that companies are willing to pay money 2 (such as through targeted advertising) for access to someone’s personal information. In 3 addition, he pointed out that Facebook’s role in the data breach deprived plaintiff and the class 4 members from being able to control access to their personal information and monetize it if they 5 so chose. This calculation is admissible. 6 Turning to Facebook’s second argument, CPA Ratner attempted to calculate class-wide 7 damages for class members’ risk and stress from the breach, time spent dealing with the 8 consequences of it, and the risk of identity theft. Facebook argues that these are mere averages 9 and don’t address the characteristics of each class member. “Normally, failure to include 10 variables will affect the analysis’ probativeness, not its admissibility.” Hemmings v. Tidyman’s 11 Inc., 285 F.3d 1174, 1188 (9th Cir. 2002) (quotations omitted). This too must be attacked by 12 cross examination. The motion to strike CPA Ratner’s expert opinion is DENIED. 13 3. PLAINTIFF’S MOTION FOR CLASS CERTIFICATION. 14 Plaintiff moves to certify a damages class under Rule 23(b)(3), an “issues” class under 15 Rule 23(c)(4), and an injunctive-only class under Rule 23(b)(2). Facebook trains most of its 16 fire on the Rule 23(b)(3) class. This order therefore begins there. 17 A. Rule 23(b)(3). 18 Before certification, the district court “must conduct a ‘rigorous analysis’ to determine 19 whether the party seeking certification has met the prerequisites of Rule 23.” Zinser v. Accufix 20 Research Inst., Inc., 253 F.3d 1180, 1186 (9th Cir. 2001) (quoting Valentino v. Carter-Wallace, 21 Inc., 97 F.3d 1227, 1233 (9th Cir. 1996)). As part of this inquiry, the district court has an 22 obligation to ensure “that a class representative must be part of the class and possess the same 23 interest and suffer the same injury as the class members.” Gen. Tel. Co. of Sw. v. Falcon, 457 24 U.S. 147, 156 (1982) (internal quotation marks and citations omitted). This sometimes involves 25 delving into the merits to resolve factual disputes to the extent necessary to determine whether 26 the Rule 23 elements have been met. See Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 350–52 27 (2011). 28 1 Plaintiff Stephen Adkins seeks to represent a nationwide class of Facebook users who 2 had information taken in the data breach. The Terms of Service provide that California law 3 governs both the terms “and any claim, without regard to conflict of law provisions” (Dkt. No. 4 98-1 § 4.4). Thus, California law applies even as to tort claims, and a nationwide class will not 5 become bogged down in the differences among state laws of negligence. In that connection, 6 plaintiff Adkins, on behalf of the class, seeks to recover on two theories of damages under 7 California law: (i) the cost of a credit monitoring service and (ii) the diminished value of the 8 personal information taken in the breach. This order holds that neither harm presents a 9 cognizable injury, and so the damages class cannot be certified. 10 i. Credit Monitoring. 11 Under his first theory of liability, plaintiff Adkins seeks the cost of credit monitoring on 12 behalf of the class. Plaintiff’s expert CPA opines that credit monitoring will be appropriate to 13 redress the class’s “increased risk, stress, nuisance, inconvenience, and annoyance of identity 14 theft” (Ratner Decl. ¶ 32). Significantly, plaintiff Adkins has never paid any money as a result 15 of this data breach. Had he paid for credit monitoring, for example, he could prevail on this 16 claim. But he has never purchased any credit monitoring service. Plaintiff Adkins’s theory of 17 liability instead relies on the aforementioned injuries, like his present stress and the increased 18 risk of identity theft. 19 While plaintiff Adkins has standing to sue based on his increased risk of future identity 20 theft, in California, this risk alone does not rise to the level of appreciable harm to assert a 21 negligence claim. California has long held that “[i]t is fundamental that a negligent act is not 22 actionable unless it results in injury to another.” Fields v. Napa Milling Co., 164 Cal. App. 2d 23 442, 447 (1958). California also holds that “[n]ominal damages, to vindicate a technical right, 24 cannot be recovered in a negligence action, where no actual loss has occurred.” Id. at 448. In 25 addition, in a different context, the California Supreme Court has indicated that the mere threat 26 of future harm is insufficient. See Jordache Enters., Inc. v. Brobeck, Phleger & Harrison, 18 27 Cal. 4th 739, 743 (1998). 28 1 No binding decision has ever decided whether or not future harms from a data breach 2 can anchor a claim for negligence. In California, such an exception would follow from an 3 already recognized exception to the present harm requirement, namely the cost of future 4 medical monitoring due to an exposure to toxic chemicals. Potter v. Firestone Tire & Rubber 5 Co., 6 Cal. 4th 965, 1009 (1993). The weight of persuasive decisions militates against 6 extending this exception to cases like ours. 7 In a non-precedential decision, our court of appeals applied Arizona law to reject 8 extending medical monitoring to credit monitoring in a data breach when the plaintiff did not 9 present any actual evidence of identity theft. Stollenwerk v. Tri–West Health Care All., 254 F. 10 App’x 664, 665–67 (9th Cir. 2007). In Ruiz v. Gap, Inc., Judge Samuel Conti relied on 11 Stollenwerk to reject that the medical monitoring exception would apply to credit monitoring 12 under California law. Judge Conti opined that medical monitoring was a personal injury 13 permitted to protect public health, but “[t]here is no such public health interest at stake in lost- 14 data cases.” 622 F. Supp. 2d 908, 914–15 (N.D. Cal. 2009), aff’d, 380 F. App’x 689 (9th Cir. 15 2010). Judge Conti’s decision was upheld on appeal on other grounds. 16 Since these decisions, Judge Gary Klausner and Judge Richard Seeborg have extended 17 the medical monitoring exception to credit monitoring. Corona v. Sony Pictures Entm't, Inc., 18 No. 14-CV-09600 RGK (Ex), 2015 WL 3916744, at *5 (C.D. Cal. June 15, 2015) (Judge Gary 19 Klausner); Castillo v. Seagate Tech., LLC, No. 16-cv-01958-RS, 2016 WL 9280242, at *4 20 (N.D. Cal. Sept. 14, 2016) (Judge Richard Seeborg). The undersigned judge would be inclined 21 to follow these decisions and hold credit monitoring available to data breach victims. 22 Yet, even these decisions cannot help plaintiff Adkins here. Specifically, Judge 23 Klausner permitted “costs already incurred, including costs associated with credit monitoring,” 24 and specifically dismissed the negligence theory of an increased risk of future harm. Corona, 25 2015 WL 3916744, at *4–5 (emphasis added). Judge Richard Seeborg also held that “[t]hose 26 who have incurred such out-of-pocket expenses have pleaded cognizable injuries, whereas those 27 who claim only that they may incur expenses in the future have not.” Castillo, 2016 WL 28 9280242, at *4. 1 This dividing line is further supported by another non-precedential decision by our court 2 of appeals. In Krottner v. Starbucks, Corporation, our court of appeals applied Washington law 3 to dismiss a data breach claim for negligence because there was only the risk of future identity 4 theft. 406 F. App’x 129, 131 (9th Cir. 2010). Because the claim for negligence could not 5 proceed merely on such risk, our court of appeals expressly did not reach the issue of whether 6 credit monitoring would be appropriate. Id. at 131–32. One district judge relied on this 7 decision to dismiss a California negligence claim in the context of a data breach. See In re Sony 8 Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 963 n.17 (S.D. 9 Cal. 2012) (Judge Anthony Battaglia) (California and Washington law not “materially 10 different”). 11 So too here. Plaintiff Adkins has incurred zero out-of-pocket expenses as a result of this 12 breach. The time he spent reacting to this data breach may be recoverable as damages in its 13 own right, but has no relationship to the remedy of future credit monitoring. To the contrary, he 14 already has a slim version of free credit monitoring through his credit card company, and, since 15 the data breach, he has rejected an offer from Equifax for more credit monitoring services 16 (Adkins II Dep. at 549:8–551:14, 618:3–17, 620:24–625:18, 239:17–22) (Dkt. No. 220-8). 17 On the evidence presented, therefore, no decision supports that plaintiff Adkins can 18 allege a viable negligence claim under a credit monitoring theory. If some members of the class 19 bought credit monitoring because of this data breach, perhaps they can assert such a claim. 20 Plaintiff Adkins, however, is not a member of the class he seeks to represent. He therefore 21 cannot represent the class on this theory. 22 ii. Diminished Value of Personal Information. 23 Two prior orders deemed the harm of diminished value of personal information 24 insufficient to satisfy injury for purposes of Section 17200 and the CLRA (Dkt. Nos. 153, 185). 25 Plaintiff Adkins now asserts an entirely new theory on how to calculate this harm for the 26 negligence claim (Ratner Decl. ¶¶ 45, 46) (emphasis added): 27 [Personal information], such as that maintained by Facebook, derives value from remaining private. The 28 value of this privacy should be exclusively enjoyed by Facebook’s users. However, as a result of the [d]ata 1 [b]reach, Facebook essentially granted access to [personal information] for free and conveyed value to unauthorized 2 third parties without compensation to the rightful owners of that information — its users. When the users provided 3 their [personal information] to Facebook, they received the value of Facebook’s social media services in return. When 4 Facebook allowed third parties to access the users’ [personal information], no value was conveyed to the users. 5 The value that Facebook’s users lost as a result of that conveyance can be measured through the [m]arket 6 [m]ethod (a standard valuation method) by analyzing what third parties pay to access comparable information. 7 In other words, plaintiff’s injury stemmed from loss of privacy and loss of royalties. Again, 8 however, this calculus is too speculative to assert a claim for negligence. Plaintiff never asserts 9 that he would have paid anyone to access comparable information. Although it’s true that each 10 user’s information is worth a certain amount of money to Facebook and the companies 11 Facebook gave it to, it does not follow that the same information has independent economic 12 value to an individual user. That Adkins could have received royalties is not a cognizable 13 injury. 14 For these reasons, the Rule 23(b)(3) class is DENIED. 15 B. Rule 23(c)(4). 16 “When appropriate,” Rule 23(c)(4) allows a court discretion to certify an action “as a 17 class action with respect to particular issues.” The text does not explain when such a class 18 would be appropriate. Here, plaintiff seeks certification of damages claims for lost time. Duty 19 and breach would be tried on a common basis. Causation and damages would be tried 20 individually. This order agrees with Facebook that “issue certification is not appropriate where 21 the determination of liability itself requires an individualized inquiry” (Dkt. No. 215 at 25 22 quoting 1 McLaughlin on Class Actions § 4:43 (15th ed. 2018)). That is, bifurcating elements 23 of liability “does not materially advance the overall disposition of the case because” the court 24 must still consider “plaintiff-specific matters such as fact of injury, causation . . . and extent of 25 damage” (ibid. quoting McLaughlin, supra). Plaintiff’s request to certify an issues-only class 26 under Rule 23(c)(4) is DENIED. 27 28 1 C. Rule 23(b)(2). 2 Class certification is appropriate when a plaintiff can show that all of the prerequisites of 3 Rule 23(a) and one of the requirements of Rule 23(b) has been met. Briseno v. ConAgra Foods, 4 Inc., 844 F.3d 1121, 1124 (9th Cir. 2017). Rule 23(a) considers whether “(1) the class is so 5 numerous that joinder of all members is impracticable; (2) there are questions of law or fact 6 common to the class; (3) the claims or defenses of the representative parties are typical of the 7 claims or defenses of the class; and (4) the representative parties will fairly and adequately 8 protect the interests of the class.” None of these elements are contested, and this order finds 9 they have been satisfied. Plaintiff stands shoulder to shoulder with other class members when it 10 comes to forward-looking relief. He is typical and adequate. 11 Rule 23(b)(2) provides that “[a] class action may be maintained if Rule 23(a) is satisfied 12 and if . . . the party opposing the class has acted or refused to act on grounds that apply 13 generally to the class, so that final injunctive relief or corresponding declaratory relief is 14 appropriate respecting the class as a whole.” Here, plaintiff seeks injunctive relief to impose a 15 set of changes on Facebook’s conduct to ensure no further harm comes to him and the class. 16 What plaintiff seeks, on behalf of the class is, as follows. First, a declaration that 17 Facebook’s existing security measures do not comply with its duties of care to provide adequate 18 security. Second, to comply with its duties of care, Facebook must implement and maintain 19 reasonable security measures, including that Facebook engage third-party security 20 auditors/penetration testers as well as internal security personnel to conduct testing, including 21 simulated attacks, penetration tests, and audits on Facebook’s systems on a periodic basis, and 22 ordering Facebook to promptly correct any problems or issues detected by such third-party 23 security auditors (Dkt. No. 193 ¶ 221). 24 In addition, plaintiff seeks an order that Facebook engage third-party security auditors 25 and internal personnel to run automated security monitoring. Any final order may also embed a 26 monitor into Facebook’s headquarters. Other requested relief includes: ordering that Facebook 27 audit, test, and train its security personnel regarding any new or modified procedures; ordering 28 that Facebook user applications be segmented by, among other things, creating firewalls and 1 access controls so that if one area is compromised, hackers cannot gain access to other portions 2 of Facebook’s systems; ordering that Facebook conduct regular database scanning and securing 3 checks; ordering that Facebook routinely and continually conduct internal training and 4 education to inform internal security personnel how to identify and contain a breach when it 5 occurs and what to do in response to a breach; and ordering Facebook to meaningfully educate 6 its users about the threats they face as a result of the loss of their financial and private 7 information to third parties, as well as the steps Facebook users must take to protect themselves 8 (ibid.). 9 Facebook argues that plaintiff does not have standing to allege prospective injunctive 10 relief because Facebook has fixed the bug that caused the data breach. This order holds that 11 Facebook’s repetitive losses of users’ privacy supplies a long-term need for supervision, at least 12 at the Rule 23 stage. At this stage, there is a likelihood of future harm to warrant potential 13 relief. Plaintiff has standing. 14 Nor must plaintiffs specify the precise injunctive relief they will ultimately seek at the 15 class certification stage.” B.K. by next friend Tinsley v. Snyder, 922 F.3d 957, 972 (9th Cir. 16 2019). Rule 23(b)(2) “[o]rdinarily will be satisfied when plaintiffs have described the general 17 contours of an injunction that would provide relief to the whole class, that is more specific than 18 a bare injunction to follow the law, and that can be given greater substance and specificity at an 19 appropriate stage in the litigation through fact-finding, negotiations, and expert testimony.” 20 Parsons v. Ryan, 754 F.3d 657, 689 n.35 (9th Cir. 2014). 21 Here, under these circumstances, the requested relief of an order compelling Facebook 22 to promptly correct any problems or issues detected by such third-party security auditors 23 outlines the “general contours” of the requested injunction at this stage. A more specific 24 remedy can be fashioned later in this litigation. Facebook ultimately has not sufficiently shown 25 otherwise that “crafting uniform injunctive relief will be impossible.” B.K., 922 F.3d at 973. 26 Rule 23(b)(2) is satisfied. Plaintiff’s motion to certify a Rule 23(b)(2) class is GRANTED. 27 28 1 CONCLUSION 2 For the foregoing reasons, Facebook’s motion to strike Identity Theft Expert James Van 3 Dyke’s expert opinion is GRANTED. Facebook’s motion to strike CPA Ian Ratner’s expert 4 opinion is DENIED. Plaintiff’s motion for class certification of a damages class under Rule 5 23(b)(3) and under Rule 23(c)(4) is DENIED. Plaintiff’s motion for class certification of an 6 injunctive class under Rule 23(b)(2) is GRANTED. 7 The following class is CERTIFIED for injunctive purposes only: All current Facebook 8 users whose personal information was compromised in the data breach announced by Facebook 9 on September 28, 2018. 10 This class definition shall apply for all purposes, including settlement. Plaintiff Stephen 11 Adkins is hereby APPOINTED as class representative. Plaintiff’s counsel Andrew Friedman of 12 Cohen Milstein Sellers & Toll PLLC, John Yanchunis of Morgan & Morgan Complex 13 Litigation Group, and Ariana Tadler of Tadler Law LLP are hereby APPOINTED as class 14 counsel. By DECEMBER 19 AT NOON, the parties shall jointly submit a proposal for class 15 notification with a plan to distribute notice, including by first-class mail and via Facebook. 16 This order shall remain redacted for seven calendar days to allow any party an 17 opportunity to seek relief from the court of appeals on the accompanying order on the motions 18 to seal (Dkt. No. 259). 19 20 IT IS SO ORDERED. 21 22 Dated: November 26, 2019. WILLIAM ALSUP 23 UNITED STATES DISTRICT JUDGE 24 25 26 27 28