- $50 million to cover out-of-pocket costs, alternative compensation, paid user costs and small business user costs without specifying the costs of credit monitoring services or costs for class notice and settlement administration and without identifying the total size of the settlement fund,
- Up to $35 million for attorneys' fees, with any unused amounts reverting to Yahoo/Verizon
- Up to $2.5 million for costs and expenses
- Up to $7,500 each for service awards to each settlement class representative
- It inadequately discloses the release of claims related to any unauthorized access of data in 2012 (prior to the Yahoo-acknowledged breach in 2013).
- The proposed release of the 2012 claims is improper.
- The proposed notice inadequately discloses the size of the settlement fund because it fails to provide enough detail and because unclaimed attorney’s fees (which revert to Yahoo/Verizon) would reduce the total settlement amount. This lack of clarify doesn’t give class members enough information to assess whether the settlement is fair.
- The settlement appears likely to result in an improper reverter of (unclaimed) attorneys’ fees to Yahoo/Verizon. The judge also objected to the size of the estimated attorneys’ fees, noting that $35 million in attorneys’ fees represented an unreasonably-high 40% of the settlement amount.
- The settlement inadequately discloses the scope of non-monetary relief (staffing and security budget to improve information security).
- The settlement inadequately discloses the size of the settlement class, which means that the recovery per class member cannot be assessed.
- All US and Israeli residents and small businesses with Yahoo accounts at any time between 2012 and 2016
- $117.5 million settlement fund, with specific amounts identified for credit monitoring or alternative compensation for individuals who already have credit monitoring ($24 million), notice and administration costs (up to $6 million), attorneys fees (up to $30 million) and costs (up to $2.5 million), service awards ($2,500-$7,500) to each settlement class representative and out-of-pocket expenses for identity theft, lost time, paid user costs and small business user costs
- A commitment to maintain an information security budget of at least $66 million per year with a headcount of at least 200 full-time employees through 2022
- A commitment to ongoing third-party security maturing assessments against NIST standards for four years
For more reading: Ars Technica: Yahoo tries to settle 3-billion-account data breach with $118 million payout Reuters: Yahoo Strikes $117.5 Million Data Breach Settlement After Earlier Accord Rejected