By Stephanie K. Mann, J.D.
A proposed class action settlement between consumers and Yahoo, arising out of data breaches from 2013-2016, failed to gain preliminary approval after the district court determined that the terms of the settlement were inadequate to ascertain its fairness and reasonableness.
A proposed class action settlement between consumers and a web services provider resulting from data breaches in 2013-2016 failed to establish that the settlement was "fundamentally fair, adequate, and reasonable," causing the district court in San Jose to deny the preliminary approval of class action settlement. The settlement was valued at approximately $87.5 million, including fees and costs. According to the court, the settlement did not adequately disclose the release of claims related to any unauthorized access of data in 2012. Further, the court found that the release of 2012 claims is improper; the proposed notice does not adequately disclose the size of the settlement fund; the settlement appears to result in an improper reverter of attorney fees; and the settlement does not adequately disclose the size of the settlement class (In re Yahoo! Inc. Customer Data Security Breach Litigation, January 28, 2019, Koh, L.).
Background. A class of consumers alleged in their complaint that Yahoo failed to use appropriate safeguards to protect users’ personal identification information (PII) and that three data breaches, which occurred from 2013 to 2016, exposed the consumers’ information to hackers that infiltrated Yahoo’s systems. Additionally, the consumers allege that Yahoo "made a conscious and deliberate decision not to alert any of Yahoo’s customers that their PII had been stolen."
The consumers also submitted an expert report, detailing Yahoo’s data security which demonstrates repeated failures to follow industry-standard security practices, extensive knowledge of ongoing security breaches beginning in 2008 with failure to adequately respond, failure to provide adequate staffing and training, and failure to comply with industry standard regulations.
A parallel case was filed in California, in which both complaints alleged violations of California’s Consumers Legal Remedies Act, Unfair Competition Law, Customer Records Act, and common law claims for negligence and breach of contract; the parallel case also alleged invasion of privacy claims. Both cases jointly engaged in settlement discussions and reached a settlement in principle and sought court approval. The judge in the parallel case approved the proposed settlement on September 19, 2018.
Inadequate proposed settlement. Despite the consumers’ expert report that details security breaches as early 2008, the proposed settlement agreement only addresses the breaches from 2013-2016. According to the court, the notice of the proposed settlement fails to state that all claims related to data breaches occurring in 2012 are being released even though the settlement does not address these claims. According to the court, the parties to the settlement must provide sufficient information for class members to make an informed decision in relation to the 2012 breach of data. In addition, the court found that the settlement releases claims on behalf of all users in 2012, but the complaint does not assert any claims prior to 2013; therefore, the release of all 2012 claims is improper.
Additionally, the proposed settlement fails to disclose the total size of the settlement fund, which prevents the court and class members from assessing the reasonableness of the settlement. The only numbers to which the parties commit in the settlement agreement, motion for preliminary approval, and proposed notice are $50 million for the settlement fund, up to $35 million in attorneys’ fees, and up to $2.5 million in attorneys’ costs and expenses, for a total of $87.5 million.
Because the exact amount of the proposed settlement is unknown, the court believes that it may allow for unreasonably high attorney fees. In addition to the potential for high attorney fees, the proposed settlement also directs that the fees will not come from the settlement fund, so any fees not awarded by the court could revert to Yahoo rather than "to the benefit of the class."
The court also found fault with the lack of disclosures regarding non-monetary relief. Specifically, the court remains concerned that the proposed settlement does not commit to any specific increases in budget or number of employees to improve information security and only vague commitments as to changed business practices.
Finally, the court found that it was unable to adequate assess whether the proposed settlement is fair, reasonable, and adequate because the parties disclosed a misleading estimate of the size of the settlement class. The court’s review of the all public and sealed filings demonstrates that the number of active user account in the U.S. during the relevant period was much lower than Yahoo’s public calculation of 200 million affected class members. Ultimately, the court concluded that the proposed settlement is not "fundamentally fair, adequate, and reasonable" and denied the motion for preliminary approval of class action settlement.
The case is No. 5:16-md-02752-LHK.
Attorneys: Joel H. Bernstein (Labaton Sucharow LLP) for Ronald Schwartz. Ann Marie Mortimer (Hunton Andrews Kurth LLP) and Theodore J. Boutrous, Jr. (Gibson, Dunn & Crutcher LLP) for Yahoo! Inc. and Aabaco Small Business, LLC.
Companies: Yahoo! Inc.; Aabaco Small Business, LLC
MainStory: TopStory CaliforniaNews IdentityTheft Privacy
Interested in submitting an article?
Submit your information to us today!Learn More
Banking and Finance Law Daily: Breaking legal news at your fingertips
Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on banking and finance legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.