Yahoo!’s data breach class action is finally being put to rest. Last month, the Northern District of California approved the proposed $117.5M settlement to resolve the claims of approximately 194 million class members in In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2020 U.S. Dist. LEXIS 129939 (N.D. Cal. July 22, 2020). This approval did not come easily. During several rounds before the Court to obtain settlement approval, the Court pointed out that while “other data breach cases focus on one data breach, the instant case involves multiple data breaches over a period of five years, each of which Yahoo failed to timely disclose.”
In reaching its decision, the Court compared Yahoo!’s proposed settlement to a few other class action settlements, including in particular, In re Anthem, Inc. Data Breach Litigation, 327 F.R.D. 299, 318 (N.D. Cal. 2018), where the Court approved a $115 million settlement to a class of roughly 79 million members. The Court noted numerous differences between the Yahoo! settlement and that in Anthem, and ultimately deemed the Yahoo! settlement to be “fair, adequate, and reasonable.” In an 88-page opinion, the Court discussed its detailed criterion in granting the final approval, some of which included:
Criteria Favorable to Approval
Data at Issue:
The Court acknowledged, and took into consideration “that the Personal Information impacted by the data breaches” with Yahoo!, varied significantly. Beyond email addresses, passwords, telephone numbers, birth dates, and security questions and answers, the more sensitive personal information, such as social security numbers, financial and bank records, and medical records, largely depended on the types of accounts the user’s had with Yahoo!. Thus, every class member was not equally impacted by the data breach, as is often the case in standard data breach cases.
Out-of-Pocket Costs:
Yahoo!’s settlement class members’ out-of-pocket costs are capped at $25,000, whereas out-of-pocket costs for settlement class members in Anthem were capped at $10,000 figure. In both Yahoo! and Anthem, recovery for out-of-pocket costs included time spent responding to data breaches. Overall, what this came down to was that Yahoo!’s settlement class members who spent time responding to the data breaches are entitled to reimbursement at a minimum rate of $25 per hour, while Anthem’s settlement class members rate were entitled to $15 per hour.
Extent of Discovery Completed:
Prior to the proposal of the settlement, both parties engaged in extensive discovery, which to the Court signaled that both parties had developed a perspective on the strengths and weaknesses of their respective cases in order to “make an informed decision about settlement.” For the Court, the extent of discovery was indicative of a lack of collusion, as the parties had litigated the case in an adversarial manner.
Number of Class Members Objecting to Proposed Settlement:
Out of approximately 194 million settlement class members, only 31 settlement class members submitted objections. Although the Court analyzed and responded to each objection submitted, the Court was very comfortable in concluding that none of the objections warranted rejection of the Settlement.
Criteria Unfavorable to Approval
Delayed Notification of Breach:
Yahoo!’s data was breached in 2012, 2013, 2014, 2015, and 2016, but Yahoo! denied any knowledge of unauthorized access of personal data in its 2016 filings with the U.S. Securities and Exchange Commission, and delayed notification to users even when Yahoo! had contemporaneous knowledge of the breaches. By comparison, Anthem’s data breach occurred between December 2014 and January 2015 and Anthem disclosed the data breach to affected users in February and March 2015 (i.e. within weeks of the breach.) Anthem also, soon after disclosing the breach, provided two years of free credit monitoring to each affected user, prior to any settlement of litigation. On the other hand, although part of the final approved class action settlement, Yahoo!’s affected users did not receive free credit monitoring until nearly eight years after the data breach. The Court also identified Yahoo!’s delayed disclosure, and its denial of the breach despite having “contemporaneous knowledge,” as facts making Yahoo!’s breach much greater than Anthem’s.
Size of Class:
Yahoo!’s total class size was far larger than any other data breach case this Court had previously handled. “Indeed, the 79 million class in Anthem was roughly 40% the size of the 194 million.” The large size of the settlement class is significant because it meant that the settlement fund yields a lower per-capita recovery for settlement class members than in cases involving similar funds for smaller classes. The Court was, in fact, recognizing the difference between $1.46, what each class member was awarded in Anthem, and $0.60, what each class member received in Yahoo!.
Severity of Data Breach:
The Court stated that “Yahoo’s history of nondisclosure and lack of transparency related to the data breaches [is] egregious.” As a result of Yahoo!’s lack of disclosure, settlement class members were unaware of the need to take any steps to protect themselves for several months. Whereas with Anthem, not only were users notified within weeks of the data breach, they were also provided with free credit monitoring immediately following the breach.
All in all, despite the number of data breaches at issue, the large settlement class size, Yahoo!’s delayed disclosure to impacted individuals and the public, and the sale of the breached Yahoo! data on the web, after taking into consideration the overall relief offered by the proposed settlement, and the distinguishing factors of the data breaches, the Court deemed the $117.5 million settlement as fair, adequate, and reasonable.
Notably, approximately 1,779 of the settlement class members opted out of the approved settlement for a release of any claims against Yahoo!. Thus, with those class members’ claims still lingering, this may not be the last we hear of Yahoo!’s extensive litigation related to the data breaches.