The owners of the social media platform formerly known as Twitter must face a class action lawsuit accusing the company, under its former ownership, of failing to protect users' private information from data hackers.
On Dec. 18, U.S. federal Magistrate Judge Kandis A. Westmore, of the U.S. District Court for the Northern District of California in Oakland, refused to allow the company now known as X Corp. to pull the plug on most of the claims within the legal action.
"On its webstie, Twitter made numerous representations regarding the security and privacy of Plaintiffs' user data, including its representation that it is 'committed to protecting the information you share with us' on its Security and Privacy Webpage; representing that its 'security procedures strictly limit access to and use of users' personal information and require that each of us take measures to protect user data from unauthorized access' in its Code of Business Conduct and Ethics; and representing that 'protecting and defending user privacy is at the heart of our work,'" Westmore pointed out in her ruling.
"Plaintiffs ... signed up for Twitter with the understanding that Twitter would protect their PII (personal identifying information), and they trusted the company to do so."
The lawsuit was first filed in January 2023 by attorney Israel David and others with the firm of Israel David LLC, of New York, and Jeff Westerman, of the Westerman Law Corp, of Encino.
The lawsuit was filed on behalf of named plaintiff Stephen Gerber, identified as a resident of New York. The complaint described Gerber as a user of Twitter, who reportedly signed up for the platform under an assumed name "so that he could express himself and his thoughts on Twitter without fear of retribution, retaliation or embarrassment from employer(s) and his peers."
However, the complaint asserts Gerber's personal identifying information were still allegedly exposed, along with those of potentially millions of other users of Twitters, amid a so-called data "scraping incident that took place" from June 2021 to January 2022.
The breach allegedly allowed "cybercriminals" or "threat actors" to gain access to Twitter users' email addresses and other identifying information.
Twitter was acquired in October 2022 by current owner, billionaire Elon Musk, who has since changed the Twitter platform's name to X, and the name of the company to X Corp.
The alleged data breaches occurred before Musk purchased Twitter.
The lawsuit asserts the data breach was the result of a "defect" in the former Twitter's "application programming interface" (API), a key piece of software which allows different web-based programs to communicate.
According to the complaint, the hackers allegedly exploited the alleged defect to allegedly scrape the data and then sell it on the dark web from 2022-2023.
However, the complaint asserts the former Twitter management fell short of their duties under the law to safeguard that user information against such hacks. They assert Twitter had been on notice concerning its data security shortcomings as early as 2010, but did not sufficiently close up the alleged defects.
The plaintiffs have asserted the data breach was merely "the foreseeable result of the reckless way that Twitter (chose) to operate its business."
The lawsuit seeks damages from the company formerly known as Twitter for counts of breach of contract, breach of implied contract, negligence, unjust enrichment and violations of California's Unfair Competition Law, among others.
In response, X Corp. has sought to dismiss the lawsuit. The company has argued the terms of service contained in its user agreement should shut down the action, saying the breach does not amount to a violation of any contract with users.
The judge, however, disagreed.
In her ruling, Judge Westmore ruled Twitter's terms of service (TOS) were legally "unconscionable," because they fell short of Twitter's responsibilities under the law to safeguard user data and protect their privacy rights.
While conceding the user agreement included no express contract with Twitter users guaranteeing the protection of their PII, the judge said the users held an "implied contract" with Twitter, because of blog posts, ads and other online language purportedly seeking to assure users that their information was safe with Twitter.
In combination with her findings that the TOS were "unconscionable," Westmore said that is enough to allow all but the breach of contract claims to proceed.