Yahoo! Cyber breach settlement gives shareholders cause for cheer

03 April 2018

A U.S. data breach class action has settled for $80 million, bringing the action, which commenced in early 2017,[1] to a relatively quick and, for the putative class, satisfying end.

The Shareholder Class Action

The action concerned two massive data breaches, the first in 2013 involving over one billion user accounts, while the second in 2014 involved over 500 million accounts. Neither breach was revealed until late 2016. Unlike most cyber-breach related class actions, the class members were not the users whose private information was hacked, but rather they were the shareholders of Yahoo who saw the company's share price tumble following news of the breach. The timing of the belated announcements (Yahoo was in talks to be bought by Verizon) caused a precipitous drop in share price.[2] The lawsuit, brought under the Securities Exchange Act of 1934, was for damages and remedies made available under that Act.[3] The plaintiffs alleged that Yahoo and its co-defendants

made false and/or misleading statements and/or failed to disclose that: (i) Yahoo failed to encrypt its users' personal information and/or failed to encrypt its users' personal data with an up-to-date and secure encryption scheme; (ii) consequently, sensitive personal account information from more than 1 billion users was vulnerable to theft; (iii) a data breach resulting in the theft of personal user data would foreseeably cause a significant drop in user engagement with Yahoo's websites and services; and (iv) as a result, Yahoo's public statements were materially false and misleading at all relevant times.[4]

The action was brought on behalf of "all those who purchased or otherwise acquired Yahoo common shares traded on the NASDAQ during the Class Period[5] and were damaged upon the revelation of the alleged corrective disclosures."[6]

The Settlement

Although some recent data breach settlements have been prescriptive in nature, setting out laundry lists of sensible remedial and proactive measures to be adopted by defendant companies,[7] the Yahoo settlement[8] is silent on such measures, focusing instead on the quantum and mechanics of settlement. It's the $80 million payout that is raising eyebrows; the quantum dwarfs payouts in most recent cyber breach-based class and derivative action settlements (with the Anthem settlement at $115 million being a notable exception). For example, the Home Depot Canada settlement in 2016 for breach of customer's private information attracted a very modest settlement of $520,000 (including counsel fees).[9]

Shareholder Cyber Breach Class Actions

The Yahoo class action is the first significant settlement in a U.S. securities class action where the basis for the claim was a failure to disclose cyber breaches and / or cyber risk.[10] Eight similar suits were commenced in the U.S. against various companies following the launch of the Yahoo action; two of these have been dismissed and the rest are ongoing.[11]

One of the advantages that shareholder claims have over user/customer breach of privacy claims in cyber-breach cases is that, in the former, damages are easier to quantify. As was seen in the Canadian Home Depot settlement, class actions based on breach of privacy may falter where there is little or no evidence of class members suffering an actual loss relating to the breach,[12] and damages for the new "privacy torts" alone are nominal[13] (though this is not a bar to certification[14]). Shareholders, on the other hand, can point to the price of shares prior to the corrective disclosure and then after and posit that the news of the breach has caused some or all of that decline.

More Bad news for Yahoo

This settlement doesn't end Yahoo's troubles in respect of these breaches. One week to the day after the shareholder settlement agreement was signed, a judge rejected a motion by Verizon to dismiss many of the claims advanced in a class action brought against Yahoo by Yahoo users whose personally identifiable information was compromised in the breaches.[15] This action alleges numerous causes of action more typical of data breach cases, such as breach of contract, negligence, and fraud.

Meanwhile, in Canada…

Yahoo was named in three Canadian class actions relating to these same cyber breaches;[16] a Quebec action survived a stay motion and awaits certification,[17] a B.C. action awaits a hearing on both certification and a stay in favour of an Ontario action,[18] and the Ontario action awaits certification. However, none of these actions are securities-based class actions (the Ontario class action, for instance, is based in negligence, privacy torts, breaches of contract and of the Consumer Protection Act, 2002, and restitution[19]). Accordingly, one should not anticipate a settlement similar to that achieved in the Yahoo securities-based claim.

[1] Kevin M. Lacroix, "Shareholder Files Data Breach Securities Class Action Lawsuit Against Yahoo," The D&O Diary, January 25, 2017, online: The Complaint is available here:

[2] The Complaint notes that Yahoo's share price dropped $1.35 or 3.06% following the first announcement in September 2016, and $2.50 or 6.11% following the second announcement in December 2016: at paras. 7 and 10.

[3] Class Action Complaint for Violation of the Federal Securities Laws at para. 1, online:

[4] Class Action Complaint for Violation of the Federal Securities Laws at para. 5, online:

[5] The "Class Period" runs from December 2013, when quarterly filing to make the disclosures set out above, to December 2016, the date of the second breach disclosure. Class Action Complaint for Violation of the Federal Securities Laws at paras. 1, 8 and 24 and, online:

[6] Class Action Complaint for Violation of the Federal Securities Laws at para. 72, online:

[7] See for example the measures agreed to by Home Depot in the proposed settlement of its U.S. class action: Plaintiffs' Unopposed Motion for Preliminary Approval of Shareholder Derivative Settlement and Memorandum of Law in Support, online:, at pp.2 and 7-8.

[9] Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII).

[10] Roger A. Cooper, Rahul Mukhi & Kal Blassberger, "Yahoo! Enters Proposed Settlement in Data Breach Securities Class Action," Cleary Cybersecurity and Privacy Watch, March 13, 2018, online:

[11] Alexis Kramer, "Yahoo Agrees to Pay $80M to Settle Securities Fraud Suit," Bloomberg Law, March 6, 2018, online:

[12] Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII), <>.

[13] Jones v. Tsige, 2012 ONCA 32 (CanLII), <> at para. 92.

[14] Condon v. Canada, 2014 FC 250 (CanLII), <>.

[15] Yahoo Inc Customer Data Security Breach Litigation, U.S. District Court, Northern District of California, No. 16-md-02752. The decision is available online:

[16] In Québec, Michel Demers vs. Yahoo! Inc. et Yahoo! Canada Co., Superior Court File No.: 500-06-000842-175, Application for Authorization to Institute a Class Action and to Appoint a Representative Plaintiff available online:; in B.C.,

Jagdeep Gill v. Yahoo! Canada Co. and Yahoo! Inc., Supreme Court of British Columbia Court File No.: S-168873, Notice of Civil Claim available online:; in Ontario, Natalia Karasik v. Yahoo! Inc. and Yahoo! Canada Co., Superior Court of Justice Court File No.: CV-16-566248-00CP, Statement of Claim available online:

[17] Demers c. Yahoo! Inc., 2017 QCCS 4154 (CanLII), <>.

[18] Gill v Yahoo! Canada Co., 2018 BCSC 290 (CanLII), <>.

[19] SO 2002, c 30, Sch A

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.

Related   Tech