eDiscovery Daily Blog

Judge Suggests That “Bone-Crushing” Discovery is Needed to Explore Extent of Facebook Breach: Cybersecurity Trends

Remember the latest Facebook breach – the one from September of last year that exposed 50 million accounts?  I say “latest” because you have to differentiate these days.  Well, naturally, that breach spawned several lawsuits.  And, the judge presiding over those suits indicated that he will allow Facebook users “bone-crushing” discovery in those lawsuits, saying he’s sympathetic to users’ concerns and that’s worth “real money” — not just “some cosmetic injunctive relief.”

According to LAW360 (Alsup Wants ‘Bone-Crushing’ Discovery Into Facebook Breach, by Dorothy Atkins, subscription required), U.S. District Judge William Alsup said Facebook users don’t know how badly they’ve been harmed yet and he sees the “real anxiety and harm” to individuals who are going to be worried for the rest of their lives that their personal information and pictures were stolen off of the social media platform.

“That is a real problem that is worth money, not just a security package from Equifax,” he said, adding that the amount at stake is a “serious proposition” for Facebook if found liable.

While Facebook’s attorney indicated that it appears that the hackers only took users’ names and email addresses, Judge Alsup appeared skeptical, saying repeatedly that he’s going to allow their attorneys to take “bone-crushing discovery” to find out if that is true.

“I’ve seen too many defendants that say that and … another good lawyer gets in there, with bone-crushing discovery, and we find out it’s not true,” he said.

Judge Alsup added that many Facebook users post highly personal information on the site, and it doesn’t make sense that hackers would only steal a users’ name and email address when they could also take photos and other more sensitive information.

Facebook announced last September that hackers accessed approximately 50 million accounts from July 2017 through September 2018 by exploiting a vulnerability in Facebook’s code through its “View As” feature, which enabled the hackers to steal access tokens — digital keys that allow users to stay logged into Facebook without having to repeatedly re-enter passwords — that the attackers could then use to take over accounts, according to the company.

Judge Alsup also expressed his own frustrations with serving as a federal judge in a digital age, noting that U.S. marshals are currently trying to figure out how to protect the home addresses of federal judges. He also said a hacker recently stole his identity and posed as him online, posting a blog about the now settled, high-profile Waymo v. Uber trade secrets dispute, which Judge Alsup presided over.

“I think most people realized it wasn’t really me,” the judge said.

Whether that’s true or not, it’s clear Judge Alsup is going to have high expectations regarding discovery related to the breach.

So, what do you think?  Will Facebook face “real money” payouts or “some cosmetic injunctive relief”?  And, what about European interests and GDPR possibly yet to come?  Please let me know your thoughts or if you have a topic that you’d like to suggest.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.