[BreachExchange] U.S. judge rejects Yahoo data breach settlement
Destry Winant
destry at riskbasedsecurity.com
Thu Jan 31 07:18:37 EST 2019
https://www.mercurynews.com/2019/01/30/u-s-judge-rejects-yahoo-data-breach-settlement/
In a Monday night decision, U.S. District Judge Lucy Koh in San Jose,
California, said she could not declare the settlement “fundamentally
fair, adequate and reasonable” because it did not say how much victims
could expect to recover.
Yahoo, now part of New York-based Verizon Communications Inc, was
accused of being too slow to disclose three breaches from 2013 to 2016
that affected an estimated 3 billion accounts.
The settlement called for a $50 million payout, plus two years of free
credit monitoring for about 200 million people in the United States
and Israel with nearly 1 billion accounts.
But the judge said the accord did not disclose the size of the
settlement fund or the costs of the credit monitoring, and the
proposed class may be too big because the number of “active” users
that Yahoo disclosed privately to her was far lower.
Koh also said the maximum $35 million of fees for the plaintiffs’
lawyers may be “unreasonably high,” saying the legal theories of the
case were “not particularly novel.”
A lawyer for the plaintiffs did not immediately respond on Tuesday to
requests for comment.
Verizon said: “While preliminary approval of the settlement was not
granted, we’re confident that we can achieve a viable path forward.”
Yahoo revealed the full scope of the breaches after having agreed in
July 2016 in to sell its internet business to Verizon for $4.83
billion. The revelations prompted a cut in the purchase price to $4.48
billion.
U.S. prosecutors charged two Russian intelligence agents and two
hackers in connection with one of the breaches in 2017. One hacker
later pleaded guilty.
Koh contrasted her decision with her approval last August of health
insurer Anthem Inc’s $115 million settlement over data breaches
affecting about 79 million victims.
The judge said Anthem, unlike Yahoo, timely disclosed the breaches,
offered free credit monitoring even before settling, and committed to
upgrading its data security.
“Yahoo’s history of nondisclosure and lack of transparency related to
the data breaches are egregious,” Koh wrote.
“Unfortunately, the settlement agreement, proposed notice, motion for
preliminary approval, and public and sealed supplemental filings
continue this pattern of lack of transparency,” she added.
The case is In re: Yahoo Inc Customer Data Security Breach Litigation,
U.S. District Court, Northern District of California, No. 16-md-02752.
More information about the BreachExchange
mailing list