An Update on the Yahoo Data Breach Settlement

On July 21, 2020, U.S. District Judge Lucy Koh signed off on the $117.5 million settlement, bringing the massive multidistrict litigation to an end. Under the approved deal, Yahoo will provide the estimated 194 million class members with either credit monitoring or monetary compensation for those who already have it, estimated now to be between $40 and $50 cash per claimant. This is in addition to any out-of-pocket expenses that Yahoo will have to pay class members who suffered fraud losses and can submit documentation.

Yahoo also agreed to direct at least $66 million annually to its information security budget over the next two years, which will quadruple its security spending compared with what Yahoo was spending when the breaches occurred. Yahoo will also increase its full-time data security staff from 48 to 200 employees.

Judge Koh distinguished this settlement from previous, major data breach settlements, noting that Yahoo had an “egregious” history of hiding multiple data breaches over several years. This “hide the ball” behavior deprived class members of credit monitoring when it was needed most. In fact, there was evidence that users’ personal data was sold on the dark web.

Even so, the Judge approved the settlement over the objections of 31 class members who argued that the settlement amount was insufficient and the credit monitoring was meaningless. The objectors were told they were welcome to join the 1,779 class members who opted out of the settlement agreement.

Finally, Judge Koh awarded class counsel $23 million in legal fees and $1.48 million in costs, declining their request for $30 million in attorneys’ fees.

Data Breaches – A Growing Problem

During the first six months of 2019, there were 3,800 publicly disclosed data breaches in which 4.1 billion records were exposed. That reflected a 54% increase from the number of reported breaches in the first half of 2018.
Even worse, while the first quarter of 2020 saw a decrease in the number of publicly reported breaches (likely due to COVID-19 reporting interruptions), an incredible 8.4 billion records were exposed – that is a 273% increase compared to the first quarter of 2019. In one of the largest data breaches to date, one approximation states that more than 5 billion records were exposed in a breach of the Elasticsearch database, managed by a UK-based security firm. These breaches are becoming more frequent and widespread and are affecting more and more people. If you have any kind of electronic record (and that’s nearly everyone), then you are at risk.

What is the Yahoo Data Breach Settlement about?

As noted above, large data breaches are not a new phenomenon. In 2016, Yahoo! Inc. announced that two breaches of the Yahoo database had occurred, in August 2013 and in late 2014. While it was initially announced that 500 million user accounts were affected, it was later announced that all 3 billion of Yahoo’s user accounts were impacted. THREE BILLION. For reference, there are only 7.8 billion humans currently on the planet. The 2013 Yahoo data breach is the largest in U.S. history.

The stolen information included names, email addresses, telephone numbers, answers to security questions, birth dates, and passwords. Hackers also gained access to accounts using manufactured web cookies and fake login credentials.

Despite Yahoo’s knowledge of the 2014 breach shortly after it occurred, it inexplicably did not start a thorough investigation until 2016. More disturbing is the fact that it is unclear whether Yahoo had any intention of investigating the breach at all if not for the hackers posting the stolen Yahoo data online along with boasts of the theft. Furthermore, only after an investigation was initiated did Yahoo discover that a previous breach had occurred in 2013.

Yahoo claimed that it had evidence that the 2014 breach was conducted by a nation-state. Investigators discovered that the exposed accounts included those of over 150,000 people working for the U.S. government and military, and several more accounts for Canadian, British, Australian, and European Union officials. The FBI has since charged several individuals for the data theft, including members of Russia’s Federal Security Services (FSB).

Subsequently, several class action lawsuits were filed for these breaches and others from 2012 through 2016. In April 2019, Yahoo agreed to a $117.5 million USD settlement. The settlement provides the following benefits to class members:

• Data Security Practice Changes and Commitments by Yahoo;
• Credit Monitoring Services;
• Cash Payment as an Alternative to Credit Monitoring Services;
• Fraud Resolution Services;
• Cash Reimbursement for Out-of-Pocket Losses;
• Cash Reimbursement for up to 25% of Paid User Costs; and
• Cash Reimbursement for up to 25% of Small Business User Costs.

If you had or currently have a Yahoo email account, then you may be a class member entitled to these benefits. DDP wants to help you collect. Not only are we going to fight for your data-as-property and data privacy rights, but we are also introducing a tool to help you get compensated for many companies’ failures to protect your valuable data. That is why we recently launched The DDP Class Action Tool found on our website. Companies like Yahoo have consistently failed to safeguard your valuable data, so we created a page to keep you informed of class action settlements that you may qualify for and to help you submit claims.

The deadline to submit a claim is July 20, 2020. Even the simplest, undocumented claim should be able to get: (1) two years of free identity protection services or (2) a payout between $100 and $355, if you already have some form of credit monitoring or identity protection services and promise to keep it on for a year, and (3) up to five hours of undocumented time dealing with the data breach at $25 per hour (capped at $125). Note that depending on how many claims are made and approved, the cash payout could be lower. The full legalese can be found here and here.

Why We Must Enforce Our Data Privacy

The Yahoo data breaches reveal the ugly reality of how susceptible your data is to being stolen. Until fairly recently, there have been no serious consequences and few laws on the books addressing data breaches specifically. However, the recently passed California Consumer Privacy Act has now pegged statutory damages for data breaches at between $100 and $750 per user per violation.

The Data Dividend Project not only seeks to enforce your data rights going forward but also seeks to inform you of past breaches so that you can be compensated. Spread the word and get your friends to join the movement!