Yahoo's Data Breach Settlement Rejected by Judge
District Judge Lucy Koh, rather dissatisfied with both sides of the Yahoo Privacy Data Breach lawsuit, has denied approval of the class action settlement proposed back in November. According to Koh, Yahoo's refusal to disclose the total payout number, coupled with the ridiculously high legal fees plaintiffs are seeking, rendered the settlement insufficient. She has told both sides to go back to the drawing board, and try again.
Settlement Terms Unsettling
The settlement created by both sides allowed for a $50 million payout plus two years of free credit monitoring for the roughly 200 million Yahoo account users hacked in two separate data breaches, one in 2013 and the other in 2014. Though many more accounts were hacked, in order to be part of the class action settlement, a user had to have been injured by the breach. One of the issues that irked the judge, consumers, and even Yahoo's eventual buyer, Verizon, was that Yahoo didn't didn't disclose the breach until 2016, long after any damage could have been done, or at least started, by those in possession of the stolen data. Another issue bothering the judge: plaintiff attorneys were looking to take $22 million in fees.
Judge Koh Takes Issue With Both Side's Terms
Back at the settlement hearing in November, Judge Koh was already showing her displeasure over the agreement terms. Primarily, she thought plaintiffs lawyers were more concerned about getting paid than resolving class action members' injuries. "I'm disappointed that there doesn't seem to be any motivation to get to the bottom of this," Koh said in November. "It appears there's a willful blindness or an attitude of 'Let's settle this and get out.' The motivation of this lawsuit should be to find out the full extent of the potential damage and alert users so they can take precautions like shutting down bank accounts or getting new credit cards."
Koh went further, in essence stating that plaintiff's lawyers didn't do enough work to earn the $22 million they sought. First, she claimed there were too many firms asking for payment: only five firms were authorized to work on the case, but 33 firms were asking for payment. Also, the case was rather cut and dry, with no new legal theories put forth. Finally, Koh also felt that the theories put forth were rather simple, as opposed to other complex cases where similar attorneys' fees were awarded.
In stating her displeasure towards defendants, Koh stated the settlement terms didn't disclose the costs associated with the credit monitoring, class notice, or settlement administration, nor does it disclose the total size of the settlement fund. According to Koh, "Without knowing the total size of the settlement fund, class members cannot assess the reasonableness of the settlement." Koh also felt that Yahoo hadn't made enough improvements in their data security to prevent another data breach, as is the norm in other cases. Rather, she felt Yahoo just wanted to run away.
As a result, both parties will have to negotiate new settlement terms, and start the court approval process all over again.
Related Resources:
- Can You Sue Facebook for User Data Breach? (FindLaw Law and Daily Life)
- Marriott Hacked, 500 Million Customers' Data Exposed (FindLaw Technologist)
- Your Credit Report Was Hacked, Now What? (FindLaw Common Law)