Judge Denies Approval of $50M Settlement to Yahoo Data Breach Lawsuit

Published on January 30, 2019
Riviera Beach Pays Nearly $600K to Recover Data after Ransomware Attack

A federal judge has denied the approval of a proposed $50 million settlement to a class action lawsuit over a data breach at Yahoo.

unnamed-9.jpg

On 28 January, Judge Lucy Koh rejected the settlement in a order submitted to the San Jose division of the U.S. District Court in the Northern District of California. The settlement, to which Yahoo agreed back in November, would have required the web services provider to pay $50 million and provide two years of free credit-monitoring services to 200 million people whose email addresses and personal information were exposed in the data security incident. That data breach affected a total of 3 billion Yahoo accounts. In the order, Judge Koh cites six reasons for her dismissal of the proposed settlement:

  1. Notices pertaining to the proposed agreement do not provide reasonable notice that they release claims stemming from unauthorized data access in 2012. They explain that the settlement relates to data breaches that occurred in 2013, 2014 and 2015-2016 only.
  2. The proposed agreement improperly releases those 2012 claims.
  3. The notice does not give an accurate size of the settlement. For instance, it explains that Yahoo might commit $35 million to attorney fees in a payment that's separate from the settlement fund.
  4. Related to the last point, the settlement allows for "unreasonably high" attorney fees that could result in the Defendants receiving some monies back.
  5. The agreement does not adequately reveal the scope of "non-monetary relief," which may or may not include budget increases and the hiring of additional IT personnel to secure Yahoo's systems.
  6. The notice's supplemental findings disclose a misleading estimate of the size of the settlement class.

Judge Koh doesn't mince her words in summarizing her rejection of the settlement agreement:

Yahoo’s history of nondisclosure and lack of transparency related to the data breaches are egregious. Unfortunately, the settlement agreement, proposed notice, motion for preliminary approval, and public and sealed supplemental filings continue this pattern of lack of transparency.

As a result, Yahoo and the Plaintiffs of the class action lawsuit will need to devise, agree to and submit a new proposal that's "fundamentally fair, accurate, and reasonable."

Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!