
Yahoo's Proposed Data Breach Lawsuit Settlement: Rejected

Judge Slams Attorneys' Fees, Security Shortcomings in $50 Million Proposal

Court order: Yahoo's proposed settlement for a data breach class action lawsuit filed against it must return to the drawing board.


On Monday in a federal court in San Jose, California, District Judge Lucy H. Koh seemingly spared no criticism for the proposed settlement, citing six reasons why it is inadequate. Disproportionate attorneys' fees and an improper release of claims for 2012-era data intrusions that Koh says Yahoo has yet to acknowledge are on her list.

District Judge Lucy H. Koh

"Yahoo's history of nondisclosure and lack of transparency related to the data breaches are egregious," Koh writes in her order. "Unfortunately, the settlement agreement, proposed notice, motion for preliminary approval, and public and sealed supplemental filings continue this pattern of lack of transparency."

Koh has ordered both sides to indicate how they wish to proceed by filing a status report to her by Feb. 7.

Despite the lengthy settlement negotiations, the case may still go to trial. If the parties opt for that approach, Koh ordered them to inform her by Feb. 14 via a joint case management statement.

The parties, however, are more likely to come back with a revised proposed settlement that addresses the issues raised by Koh, says Patricia M. Carreiro, a cybersecurity and commercial litigation attorney with the law firm of Axinn, Veltrop & Harkrider LLP.

"To me, the court was not saying 'No, never' [to an agreement]," Carreiro says. "The court was saying 'You need to tell me more'."

Tortured Breach History

Yahoo's data breaches have led to a seemingly endless spate of legal problems for the long-struggling search giant. That's in part because the company didn't initially disclose the 2014 data breach during its acquisition negotiations with Verizon. Yahoo also failed to notify investors and the U.S. Securities and Exchange Commission about the full extent of the breach in a timely manner.

When Yahoo described its purchase agreement with Verizon to the SEC on Sept. 9, 2016, it claimed it had no knowledge of breaches of personal data. But less than two weeks later, it disclosed the December 2014 breach. Then in November 2016, Yahoo disclosed to the SEC a separate breach that occurred between 2015 and 2016.

Koh's order rejecting the proposed settlement

The next month, Yahoo revealed a 2013 breach that compromised 1 billion accounts. In October 2017, Yahoo said that breach actually compromised its entire user base of about 3 billion accounts. Four men, including two alleged Russian intelligence officers, have been indicted by a federal grand jury in connection with that attack (see: Russian Spies, Two Others, Indicted in Yahoo Hack).

In April 2018, the SEC fined Yahoo $35 million for failing to promptly notify investors of its 2014 breach. The breach also caused delays in its negotiations with Verizon. The acquisition price was subsequently lowered by $350 million, to $4.48 billion, and the deal finally closed in June 2016 (see: SEC Fines Yahoo $35 Million Over 2014 Breach).

Yahoo has also faced further legal actions as a result of its data breaches, as well as security practices.

In September 2018, a federal court approved an $80 million settlement of a federal securities class action lawsuit filed over Yahoo's failure to disclose the three data breaches. In yet another case, California's Superior Court in Santa Clara gave final approval earlier this month to a $29 million settlement for shareholder class action lawsuits.

Koh Cites Sparse Settlement Details

The settlement agreement rejected by Koh on Monday would have seen Yahoo, which is now called Altaba and is part of Verizon's Oath division, put $50 million into a fund for breach victims.

Most of that money was intended for credit monitoring, but up to $100 cash was available in some circumstances. The settlement would also have allowed for $35 million in attorneys' fees. But Koh writes that the proposed settlement doesn't disclose the costs of credit monitoring and also doesn't describe the total size of the settlement.

"In the settlement agreement, Yahoo has only committed to the $50 million settlement fund and hides the total settlement fund amount," Koh writes.

Koh's order lists her six reasons for rejecting the proposed settlement.

The proposed agreement would also release Yahoo from any claims over security issues from 2012 or earlier. Koh writes that an expert for the plaintiffs, Mary Franz, submitted a 92-page report to the court indicating that Yahoo had knowledge of security breaches stretching back to 2008.

"The report shows repeated failures to follow industry-standard security practices, extensive knowledge of ongoing security breaches beginning in 2008 with failure to adequately respond, failure to provide adequate staffing and training, and failure to comply with industry standard regulations," Koh writes.

Carreiro says it appears Koh picked up on a contradiction: that Yahoo sought a release from future possible breach claims that date back to 2012 and before but hasn't acknowledged to the court there were incidents.

The court is saying that "you can't skirt the entire issue and have it both ways," Carreiro says.

Exorbitant Attorney Fees

The amount allotted for attorneys' fees also appears to be too much, Koh writes. She noted that 32 law firms are included in the fee calculation, when only five were actually authorized by the court.

"Based on these numbers, attorneys' fees would be 40 percent of the settlement fund," Koh writes. "Taking account of the additional funds the parties disclosed under seal in their supplemental filing, the court finds that the attorneys' fees request remains much greater than the 25 percent benchmark standard used in this circuit."

Koh also took Yahoo to task for not outlining how it plans to improve its information security practices.

"Yahoo has not committed to any specific increases in budget for data security and has made only vague commitments as to specific business practices to improve data security," she writes.

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
