Yahoo! Settles Cyber-Breach Securities Class Action


Yahoo! Inc. has announced that it has accepted a proposed settlement of $80 million to settle a securities class action in the United States. This settlement represents the first substantial cyber-breach related shareholder lawsuit recovery.

Background

The In Re Yahoo! Inc. Securities Litigation[1] (“Re Yahoo”) class action and settlement centres on the two largest data breaches in United States history which occurred in 2013 and 2014.

In August of 2013, hackers breached the email system of Yahoo and stole records of more than one billion users, including names, birth dates, phone numbers and passwords. A second breach occurred in late 2014, and at least 500 million user accounts were again compromised as the result of a widespread breach of similar data by hackers. Yahoo was aware of the breach when it occurred, and Yahoo’s chief information security officer reported the data breach to the company’s management and legal teams shortly after it had occurred.

Nevertheless, Yahoo did not disclose the breach to its users whose personal information had been compromised. It was not until 2016 that Yahoo made a series of corrective disclosures and publicly acknowledged that sensitive personal account information associated with at least 500 million user accounts had been stolen by the company’s networks.

Following the announcement of the data breach, Yahoo’s market capitalization quickly fell by almost $1.3 billion. At this time, Yahoo had been in negotiations to sell its operating businesses to Verizon Communications Inc. (now Altaba). Yahoo was forced to renegotiate the stock purchase agreement and accept a $350 million discount on what had been a $4.83 billion deal to sell its main assets to Verizon.

The Securities Class Action

Several shareholders of Yahoo filed a suit against Yahoo as well as against certain directors and officers of the company  in January of 2017. The action was brought on behalf of all those who purchased or acquired Yahoo securities on the open market between April 30, 2013 and December 14, 2016. The class members of this action were therefore not the Yahoo users whose information had been compromised, but rather Yahoo shareholders who maintained that they had suffered damages as a result of the data security incidents.

The lawsuit against Yahoo was brought pursuant to the Securities Exchange Act on the basis of claims relating to cyber risk and/or a failure to disclose cyber breaches.

In particular, it was alleged that Yahoo had made materially false and/or misleading statements and neglected to disclose, among other things, that:

  1. Yahoo had failed to encrypt its users’ personal information and/or failed to encrypt its users’ personal data with an up-to-date and secure encryption scheme;
  2. Sensitive personal account information from more than 1 billion users was vulnerable to theft;
  3. A data breach resulting in the theft of personal user data would foreseeably cause a significant drop in user engagement with Yahoo’s websites and services

The Yahoo shareholders alleged that the defendants knew and had failed to disclose that Yahoo was using grossly outdated and substandard information security technologies and practices, and instead reassured the public that adequate safeguards existed and that the company would publicly disclose all security vulnerabilities. The complaint also explicitly referenced Yahoo’s diminished share price following the disclosure of breaches.

An issue faced by plaintiffs who experience data breaches or cyber-attacks is the ability to demonstrate material harm and to accurately quantify the damage experienced.

Difficulty is encountered in providing evidence of users and/or customers suffering a material loss relating to the breach, and the damages arising from such a breach may be even more difficult to accurately quantify. This has previously resulted in (relatively) more modest recoveries by plaintiffs in these types of cases.

For example, Toronto-based dating site Ashley Madison agreed to pay $11.2 million to settle data breach lawsuits arising from its July 2015 data breach of more than 36 million accounts. Similarly, Target paid an $18.5 million settlement for losing records for 41 million customers.

In this instance, the plaintiff’s ability to demonstrate material damage was readily identifiable given that it was securities lawsuit whereby the Yahoo shareholders would have been able to reference the decreased value of their shares and the reduction in the Yahoo acquisition.

Further Liability by Yahoo

The proposed settlement is far from the end of Yahoo’s concerns as a result of its misconduct, as the company is currently subject to other class actions and investigations.

For example, Yahoo is currently facing a pending class action by the Yahoo users whose personally identifiable information was compromised as a result of the breach.[2] Proposed class proceedings have also been commenced against Yahoo in Ontario, Quebec and British Columbia arising from the data breaches of 2013 and 2014.[3] These proposed class proceedings have yet to be certified. However, given that these actions are not securities-based, a similar quantum of recovery should not be expected.

Conclusion

The $80 million proposed settlement marks the first major securities class action recovery to arise from a cybersecurity incident. However, the implications of  the Yahoo securities action with respect to settlement quantum should not be overstated. The factual circumstances of the Yahoo securities action are unique given the scale of the impugned data breaches, the fact that there was a material and readily identifiable financial impact, and the fact that the data breaches had occurred some years previous and were not disclosed until years later. As a result, the Yahoo settlement does not mean that other securities-based actions will necessarily result in similarly sized recoveries.

The Yahoo action does however illustrate the necessity for public companies to implement a thorough response plan to data breach incidents, as well as to assess cybersecurity risk factors.

Although public disclosure of every data breach should not be required, companies should ensure that they have mechanisms in place to assess the materiality of data breach incidents and to determine whether disclosure is required.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.


[1]  No. 17-cv-00373 (N.D. Cal.)

[2]   In Re: Yahoo Inc. Customer Data Security Breach Litigation, No. 16-md-02752 (N.D. Cal)

[3]   See: Demers c. Yahoo! Inc., 2017 QCCS 4154; Gill v Yahoo! Canada Co., 2018 BCSC 290; Karasik Yahoo! Inc. (December 16, 2016) Doc. CV-16-566248-00CP (Ont SCJ)