Yahoo to pay $85M to settle consumer data breach class actions

The settlement includes a $50 million fund from which consumers can file claims to be reimbursed.

Yahoo Inc. has agreed to pay up to $85 million to settle consumer class actions brought over its recent data breaches.

The settlement, filed in court on Monday, includes a $50 million fund from which consumers can file claims to be reimbursed. In addition, Yahoo has agreed to provide credit monitoring and pay up to $35 million in attorney fees.

One of the largest data breach settlements in U.S. history

The deal is one of the largest data breach settlements in U.S. history, resolving legal claims for more than 200 people with about 1 billion Yahoo accounts from 2012 to 2016.

“We are pleased that we were able to reach a settlement with Yahoo, which would provide relief to impacted users and ensure that Yahoo improves its security practices going forward,” wrote lead plaintiffs attorney John Yanchunis of Morgan & Morgan in Tampa, Florida.

Representatives from Altaba Inc., the new name for Yahoo since it was sold to Verizon, and Oath Holdings Inc., which owns Yahoo’s operating company, declined to comment. Ann Mortimer of Hunton Andrews Kurth in Los Angeles represented the defendant in the case.

Yahoo previously filed a notice of the settlement but provided few details at that time other than a filing with the U.S. Securities and Exchange Commission that said it had set aside $47 million in additional expenses to help pay for class actions related to the breach.

U.S. District Judge Lucy Koh of the Northern District of California, who granted final approval to a separate $80 million settlement that resolved securities class actions relating to Yahoo’s data breaches, is slated to hear arguments on whether to approve the motion for preliminary approval of the settlement at a Nov. 29 hearing in San Jose, California.

2014 hack of 500 million accounts

Yahoo announced in 2016 that 500 million accounts had been hacked in 2014, compromising names, email addresses, phone numbers, birth dates and passwords. Months later, Yahoo disclosed another breach in 2013 that affected 1 billion people, a figure that Verizon increased to 3 billion last year. The settlement also involves a third breach in 2015 and 2016.

In March, Koh refused to dismiss a consolidated complaint in the case, allowing punitive damages to go forward. Yahoo also paid $35 million to resolve SEC claims that it failed to notify investors for two years about its 2014 breach.

The settlement comes after plaintiffs lawyers filed a class certification motion, which Yahoo opposed on Sept. 1. It also follows the depositions of several former Yahoo executives, including former chief information security officer Alex Stamos and former chief information officer Jay Rossiter. Other depositions were planned for Yahoo’s former general counsel, Ron Bell, and former CEO Marissa Mayer.

Mediation sessions led to settlement

Both sides reached a settlement after two all-day mediation sessions in San Francisco on Aug. 14 and Sept. 7 before former San Francisco Superior Court Judge Daniel Weinstein, now at JAMS, according to court documents. The settlement also includes data breach cases brought in California state court, coordinated in Orange County Superior Court, and class actions brought in Israel.

Under the deal, Yahoo will provide at least two years of credit monitoring and identity theft protection insurance to class members, and implement enhancements to its security programs. It also will pay up to $35 million in fees and $2.5 million in costs and expenses to plaintiffs’ lawyers, who plan to file a motion “supported with detailed lodestar information and an accounting of expenses.”

Reimbursements

As part of the fund, claimants can seek cash reimbursements for out-of-pocket costs, such as fraud charges and professional fees, associated with the breaches. Small businesses and others who paid for Yahoo accounts can submit claims for up to 25% reimbursement, and class members who already have credit monitoring also can submit claims for at least $100 in alternative compensation.
