SAN FRANCISCO (CN) – Four million Facebook users who had personal data exposed in a September 2018 data breach can team up in a fight to make the social media giant submit to independent audits of its data security measures, a federal judge ruled Tuesday night.

U.S. District Judge William Alsup granted a hacking victim’s motion for class certification to seek an injunction that would force the company to reform its data security system. One potential remedy could involve placing an independent monitor in Facebook’s headquarters to scrutinize the company’s data security protocols.

However, the judge refused to allow the class to seek monetary damages from Facebook for credit monitoring services and loss of control over private information.

Last year, hackers managed to infiltrate millions of Facebook accounts by exploiting a vulnerability in a “View As” feature for user profiles. Facebook initially said the breach affected 50 million users but has since downgraded the estimate to 29 million users, including 4 million in the United States.

Hackers swiped the names and contact information – such as phone numbers or email addresses – of 2.7 million U.S. users, and infiltrated the profiles of an additional 1.2 million U.S. users, gaining access to usernames, birthdates, workplaces, hometowns, schools attended and other personal information, including places where they recently “checked in” or were “tagged.”

Lead plaintiff Stephen Adkins sued Facebook on Sept. 28, 2018, mere hours after the data breach was made public in a Facebook blog post.

Adkins’ attorneys sought class certification for damages related to an increased risk of identity theft, lost time users spent responding to the data breach, loss of privacy, and diminished value of private information.

Because Adkins never paid for credit monitoring services, Alsup found he could not represent a class seeking compensation for those services. The judge also refused to certify a class seeking monetary damages for the “diminished value of personal information.”

Plaintiffs’ lawyers argued the data breach reduced the value of users’ personal information, which they could potentially sell to third parties as Facebook does for targeted advertising.

Judge Alsup rejected that theory, finding it far-fetched that personal data is as valuable to users as it is to Facebook. The social media giant made more than $55 billion in 2018, largely from targeted advertising revenue directly linked to users’ personal data.

“Although it’s true that each user’s information is worth a certain amount of money to Facebook and the companies Facebook gave it to, it does not follow that the same information has independent economic value to an individual user,” Alsup wrote in his 16-page ruling.

However, the judge found class certification was appropriate for 4 million users seeking an injunction to make Facebook adopt specific data security reforms. Adkins wants an independent auditor and internal security teams to conduct simulated hacking attacks, run automated security monitoring and periodically review the company’s security protocols.

“Any final order may also embed a monitor into Facebook’s headquarters,” Alsup wrote.

Adkins also seeks a court order that would require training and testing for security personnel on new procedures; segmenting Facebook applications and creating firewalls to block hackers from accessing other areas during an attack; conducting regular database scans and security checks; routine and continual training and education for internal security teams; and meaningful education for users about threats posed by data breaches and steps they can take to protect themselves.

During a motion to dismiss hearing in May, Facebook argued the terms of service users agree to when they sign up for or continue using Facebook exempt it from liability for data breaches. Plaintiffs’ lawyers countered that the limitation-of-liability clause should be deemed “unconscionable” and “unenforceable” because it directly contradicts pledges Facebook has made about protecting user privacy.

In June, Alsup found the clause exempts Facebook from liability for breach of contract but it does not “unequivocally preclude liability for negligence.”

Facebook and its lawyers did not immediately respond to email requests for comment Wednesday, but the company said in a 2018 blog post about the hack that “people’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”

Facebook is represented by Elizabeth Deeley of Latham & Watkins in San Francisco.

Plaintiffs’ class attorney Andrew Friedman, of Cohen Milstein Sellers & Toll in New York, also did not respond to an email request for comment Wednesday.