Facebook Security Breach Lawsuit's Colorado Connections

A new class action lawsuit against Facebook over a security breach last month has major Colorado connections.

The firm behind the complaint is Franklin D. Azar & Associates, P.C., whose namesake is well known to Colorado television viewers from his starring role in commercials that label him "The Strong Arm." In addition, two of the four named plaintiffs, Rubin K. Johnson and Robert E. Newborn, are Colorado residents. The suit says both had Facebook accounts for at least seven years prior to recently being notified that their private information was at risk.

Ivy Ngo, head of class actions for Azar & Associates, declined Westword's interview request regarding the suit because it's at such an early stage. But knowledgeable sources tell us that the filing is intended to hold Facebook and its CEO, Mark Zuckerberg, who's referenced in the suit, accountable for their shortcomings through a class action, a legal remedy not readily available in many other countries, with a goal of compelling the company to better protect users' personal information.

The source also notes that any resident of Colorado who has received a notification from Facebook that their personal information was compromised is already being represented by aforementioned plaintiffs Johnson and Newborn. As a result, such folks don't need to opt in or sign up for the case — but they can track its progress by way of a link at the bottom of this post.

There are plenty of potential plaintiffs beyond Colorado in addition to the two others mentioned in the complaint, California's Rebecca A. King and New Jersey's Dominique Martin, as described in the document's summary. Note that the acronym "PII" stands for "Personally identifiable information."

"This case involves a data breach Facebook announced on September 28, 2018, wherein the PII of 50 million of its Users was exposed due to a flaw in Facebook’s code that allowed hackers and other nefarious users to take over User accounts and siphon off personal information for unsavory and illegal purposes," the complaint states. The vulnerability is said to have involved Facebook's "View As" feature, introduced in July 2017, which "lets people see what their own profile looks like to someone else."

At the time of this revelation, the narrative adds, Facebook "learned of the breach as early as September 16," but users were not "directly informed or notified...that their PII may be compromised as a result of the breach." Instead, Facebook began logging out users on the evening of September 27 without explanation.

"As a result of Defendant’s failure to maintain adequate security measures and timely security breach notifications," the text goes on, "Facebook Users’ personal and private information has been compromised and remains vulnerable. In fact, according to Facebook, they 'have yet to determine whether those accounts were misused or any information accessed.' Further, Facebook Users have suffered an ascertainable loss in that they must undertake additional security measures, some at their own expense, to minimize the risk of future data breaches including, without limitation, canceling credit cards associated with their Facebook accounts and changing passwords to Facebook, Instagram, and other linked accounts. However, due to Facebook’s ongoing and incomplete investigation, Facebook Users have no guarantee that the above security measures will in fact adequately protect their personal information. As such, Plaintiffs and other Class Members have an ongoing interest in ensuring that their personal information is protected from past and future cybersecurity threats."

The suit accuses Facebook of several general offenses, including "unlawful business practice," "unfair business practice," "fraudulent/deceptive business practice," "deceit by concealment," "negligence" and "breach of implied contract."

However, there are also two specific assertions unique to Colorado, including alleged violations of the Colorado Consumer Protection Act and the Colorado Security Breach Notification Act, which Governor John Hickenlooper signed into law this past May. The latter measure's page on the Colorado legislature's website summarizes the applicable section like so: "Entities that maintain, own or license personal information, including those that use a non-affiliated third party as a service provider, shall implement and maintain reasonable security procedures for the personal information. The notification laws governing disclosure of unauthorized acquisitions of unencrypted and encrypted computerized data are expanded to specify who must be notified following such unauthorized acquisition and what must be included in such notification."

That didn't happen for Johnson, Newborn and millions of others, the suit contends. An excerpt: "This case involves the continuing and absolute disregard with which Defendant has chosen to treat the PII of account holders. While this information was supposed to be protected, Facebook — without authorization — exposed that information to third parties through lax and non-existent data safety and security policies and protocols."

Click to read Rebecca A. King, et al., v. Facebook Inc. and follow the progress of the case at Azar & Associates' Facebook data breach class action page.