In 2013, 2014 and 2016, Yahoo suffered a series of data breaches. Yahoo reports that the largest one, in August 2013, affected all three billion user accounts then in existence worldwide.
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, passwords hashed with the MD5 cryptographic hash algorithm, and, in some cases, encrypted or clear text security questions and answers.
Unsurprisingly, plaintiffs representing affected users brought dozens of class action lawsuits against Yahoo. Five of the cases were combined into a single lawsuit in the U.S. District Court for the Northern District of California. After Verizon Communications completed its acquisition of Yahoo in June 2017 (for $350 million less than what was agreed before news of the breaches broke), Verizon tried unsuccessfully to get the case dismissed.
After failing to get the case dismissed in August 2017, Verizon and plaintiffs’ counsel in this case and in a separate consolidated case brought in California state courts worked to reach agreement on a settlement. In November 2018, the parties proposed a settlement to the judge overseeing the federal court case.
The proposed settlement included:
- $50 million to cover out-of-pocket costs, alternative compensation, paid user costs and small business user costs, without specifying the cost of credit monitoring services or the costs of class notice and settlement administration, and without identifying the total size of the settlement fund
- Up to $35 million for attorneys’ fees, with any unused amounts reverting to Yahoo/Verizon
- Up to $2.5 million for costs and expenses
- Up to $7,500 in service awards to each settlement class representative
In January 2019, Judge Lucy H. Koh rejected the proposed settlement and sent the parties back to the negotiating table to try again. Judge Koh raised six objections to the proposed settlement:
- It inadequately discloses the release of claims related to any unauthorized access of data in 2012 (prior to the Yahoo-acknowledged breach in 2013).
- The proposed release of the 2012 claims is improper.
- The proposed notice inadequately discloses the size of the settlement fund because it fails to provide enough detail and because unclaimed attorneys’ fees (which revert to Yahoo/Verizon) would reduce the total settlement amount. This lack of clarity doesn’t give class members enough information to assess whether the settlement is fair.
- The settlement appears likely to result in an improper reverter of (unclaimed) attorneys’ fees to Yahoo/Verizon. The judge also objected to the size of the estimated attorneys’ fees, noting that $35 million in attorneys’ fees represented an unreasonably high 40% of the settlement amount.
- The settlement inadequately discloses the scope of non-monetary relief (staffing and security budget to improve information security).
- The settlement inadequately discloses the size of the settlement class, which means that the recovery per class member cannot be assessed.
The parties have now submitted a new proposed settlement for Judge Koh’s review which includes:
- All US and Israeli residents and small businesses with Yahoo accounts at any time between 2012 and 2016
- A $117.5 million settlement fund, with specific amounts identified for credit monitoring or alternative compensation for individuals who already have credit monitoring ($24 million), notice and administration costs (up to $6 million), attorneys’ fees (up to $30 million) and costs (up to $2.5 million), service awards ($2,500-$7,500) to each settlement class representative, and out-of-pocket expenses for identity theft, lost time, paid user costs and small business user costs
- A commitment to maintain an information security budget of at least $66 million per year with a headcount of at least 200 full-time employees through 2022
- A commitment to ongoing third-party security maturity assessments against NIST standards for four years
If the claims against the settlement fund are less than $117.5 million, then the excess will be used to extend the period of credit monitoring and to increase the alternative compensation for class members who already paid for credit monitoring (up to $358.80 per person). Now it’s up to Judge Koh to determine whether this settlement will pass muster.
For more reading:
Ars Technica: Yahoo tries to settle 3-billion-account data breach with $118 million payout
Reuters: Yahoo Strikes $117.5 Million Data Breach Settlement After Earlier Accord Rejected