In the largest data breach in U.S. History, with millions of people’s accounts compromised, Yahoo’s proposed settlement has been rejected by a District Judge. Yahoo has proposed to pay $50 million dollars, plus two years of free credit monitoring for the affected 200 million users, reported by Reuters on Tuesday “source: https://www.reuters.com/article/us-verizon-yahoo/u-s-judge-rejects-yahoo-data-breach-settlement-idUSKCN1PN20F “.
U.S. District Judge, Lucy Koh has cited multiple issues with the proposed settlement. The plaintiffs’ attorneys have requested a maximum of $35 million dollars in fees, which Judge Koh has determined is far too high. Koh asserted that the legal theories in this case were ‘not particularly novel’, which do not warrant fees at this level.
Secondly, Judge Koh has taken issue with Yahoo’s reluctance to report multiple breaches between 2013 and 2016 in a timely manner. Judge Koh presided over the Anthem Inc. settlement last year, $115 million paid to 79 million victims, which she compared to the actions of Yahoo in this case. Anthem responded quickly with credit monitoring for the victims of their data breach along with timely disclosure of the incident. Furthermore, in the Anthem case, the company committed itself to upgrading its internal security. Yahoo has demonstrated a lack of transparency with multiple incidents and is responding to the need for credit monitoring for its users too late.
Technically, Judge Koh took issue with the unclear terms of the settlement. The proposed settlement did not outline the costs of credit monitoring, or the actual size of the fund to be paid to the victims. There is also a discrepancy between large proposed class and the number of ‘active’ users privately relayed to the Judge.
This data breach has been attributed to two Russian intelligence officers and two hackers, who U.S. prosecutors charged in 2017. The data breaches covered in this proposed settlement have negatively impacted the price of Yahoo when Verizon acquired the internet business portion of the company in July 2016. The final price from the sell was $4.48 billion, dropping from the initial price of $4.83 billion, after the disclosure of the extent of the breaches.
Yahoo remains confident that an adequate settlement can be decided upon in the near future.