Not So Fast: California Judge Denies Proposed Settlement in Class Action over Massive Data Breach at Yahoo

In re: Yahoo Inc Customer Data Security Breach Litigation, U.S. District Court, Northern District of California, No. 16-md-02752.

In a Monday night decision on January 28, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for preliminary approval of a class action settlement with Yahoo (now part of Verizon Communications Inc.) over data breaches that occurred at the company between 2013 and 2016. Presiding Judge Lucy Koh denied the motion on grounds that she could not conclude that the settlement was “fundamentally fair, adequate and reasonable.”

In 2013, Yahoo was the target of the largest data breach in history – a breach that affected all of its over 3 billion account holders. Further breaches occurred in 2014, and between 2015 and 2016. It was not until September 22, 2016, however, that Yahoo disclosed any of these breaches. In fact, just thirteen days before acknowledging the breaches in public, Yahoo had represented to the SEC that it knew of no incidents of unauthorized access of personal data. As part of its disclosures, Yahoo stated that it had learned of the 2014 data breach during a “recent investigation,” but six months later, in March, 2017, admitted that it had had “contemporaneous knowledge” of the 2014 data breach.

The first federal actions against Yahoo were filed shortly after these disclosures. Plaintiffs subsequently filed a Consolidated Class Action Complaint (“CAC”) in April, 2017. Plaintiffs sued on behalf of Yahoo users in the United States, Israel, Venezuela, Australia, and Spain, but the Court later dismissed the plaintiffs from Australia, Venezuela, and Spain. The plaintiffs alleged that Yahoo did not appropriately guard users’ personal identification information (“PII”), and that members of its security team and legal department knew of the 2014 breach as it was occurring.  

Parties agreed to engage in settlement negotiations, and to submit their class action settlement proposal to Judge Koh for approval. The proposal disclosed $50 million for the settlement fund, up to $35 million in attorneys’ fees, and up to $2.5 million in attorneys’ costs and expenses.

Judge Koh rejected the proposal for its lack of transparency, citing six primary flaws.

First, the Court found that the settlement inadequately disclosed the release of claims related to unauthorized access of data prior to 2013. While the proposed settlement notice explains the settlement only in reference to the 2013, 2014, and 2015-2016 data breaches, the settlement would have released all claims over unauthorized access of data in 2012. Judge Koh cautioned that the notice did not meet standards of due process established in the 9th Circuit, writing that “although providing relief is appropriate, it must be done correctly.” Because the settlement would release 2012 claims despite such claims not being part of the litigation, there would be almost no information to allow class members to make an informed decision as to their participation in the settlement and the release of the 2012 claims. Moreover, the proposed notice acknowledged that the settlement class would be broader than previously proposed, but failed to specify how much larger it would be. The Court found that these inadequate disclosures prevented class members and the Court from evaluating the reasonableness of the settlement.

Second, Judge Koh found that the release of the 2012 claims was itself improper, because those claims had not been part of the litigation on which the settlement was based.

Third, the Court criticized the notice’s failure to disclose the total size of the settlement fund, further mystifying the nature of the settlement and making it difficult for class members and the Court to assess its reasonableness.

Fourth, Judge Koh strongly criticized the proposed settlement for its attorneys’ fee allowance, concluding based on two separate methods of calculation that the fee awards were likely unreasonably high. If fully awarded, attorneys’ fees would be as high as 40% of the settlement fund. Judge Koh contrasted the proposed attorneys’ fee amount with that in In re High-Tech, an anti-trust suit that resulted in a $415 million settlement but had a smaller attorney fee allowance. Underscoring its belief that the attorneys’ fee figure was likely too large, the Court asserted that the plaintiffs’ legal theories overlapped with other proceedings, and were “not particularly novel.” Judge Koh’s principal concern was that if attorneys’ fees were unreasonably high, they would revert to the defendant, Yahoo, rather than to class members. This potential reverter would not be in class members’ best interest as part of the settlement package, the Court found.

Fifth, the Court found that the proposed settlement did not adequately disclose the scope of non-monetary relief, such as changes in business practice or security measures that Yahoo would take as part of the settlement. Yahoo made only vague commitments to enhance its security, and did not propose any specific budgetary increases. The Court found that this lack of specificity left the Court without sufficient information to consider benefits offered to class members.

Finally, the Court denied the preliminary settlement proposal for presenting a misleading estimate as to the size of the settlement class. While Yahoo had previously and publicly advertised its large number of users – over 1 billion active users worldwide, and over 650 monthly users – it purported not to be able to estimate the number of active users for purposes of the settlement. Instead, it resorted to an estimate based on the size of the U.S. population, and the percentage of people with Yahoo accounts. Yahoo did provide an estimate of the number of active user accounts in the U.S. for the relevant period, but under seal. Comparing the publicly disclosed number to that under seal, the Court found that the disclosed number was likely inaccurate, and that the Court could thus not adequately assess the strength of the plaintiffs’ case.

Judge Koh roundly chastised Yahoo for its “history of nondisclosure and lack of transparency,” writing that the proposed settlement agreement only continued this pattern of opacity.

Following the Court’s decision, Verizon, Yahoo’s new owner, said: “While preliminary approval of the settlement was not granted, we’re confident that we can achieve a viable path forward.”