A U.S. data breach class action has settled for $80 million, bringing the action, which commenced in early 2017,[1] to a relatively quick and, for the putative class, satisfying end.
The Shareholder Class Action
The action concerned two massive data breaches: the first, in 2013, involved over one billion user accounts, and the second, in 2014, involved over 500 million accounts. Neither breach was revealed until late 2016. Unlike in most cyber-breach-related class actions, the class members were not the users whose private information was hacked but the shareholders of Yahoo, who saw the company's share price tumble following news of the breach. The timing of the belated announcements (Yahoo was in talks to be bought by Verizon) caused a precipitous drop in share price.[2] The lawsuit, brought under the Securities Exchange Act of 1934, was for damages and remedies made available under that Act.[3] The plaintiffs alleged that Yahoo and its co-defendants
made false and/or misleading statements and/or failed to disclose that: (i) Yahoo failed to encrypt its users' personal information and/or failed to encrypt its users' personal data with an up-to-date and secure encryption scheme; (ii) consequently, sensitive personal account information from more than 1 billion users was vulnerable to theft; (iii) a data breach resulting in the theft of personal user data would foreseeably cause a significant drop in user engagement with Yahoo's websites and services; and (iv) as a result, Yahoo's public statements were materially false and misleading at all relevant times.[4]
The action was brought on behalf of "all those who purchased or otherwise acquired Yahoo common shares traded on the NASDAQ during the Class Period[5] and were damaged upon the revelation of the alleged corrective disclosures."[6]
The Settlement
Although some recent data breach settlements have been prescriptive in nature, setting out laundry lists of sensible remedial and proactive measures to be adopted by defendant companies,[7] the Yahoo settlement[8] is silent on such measures, focusing instead on the quantum and mechanics of settlement. It's the $80 million payout that is raising eyebrows; the quantum dwarfs payouts in most recent cyber breach-based class and derivative action settlements (with the Anthem settlement at $115 million being a notable exception). For example, the Home Depot Canada settlement in 2016 for breach of customers' private information attracted a very modest settlement of $520,000 (including counsel fees).[9]
Shareholder Cyber Breach Class Actions
The Yahoo class action is the first significant settlement in a U.S. securities class action where the basis for the claim was a failure to disclose cyber breaches and/or cyber risk.[10] Eight similar suits were commenced in the U.S. against various companies following the launch of the Yahoo action; two of these have been dismissed and the rest are ongoing.[11]
One of the advantages that shareholder claims have over user/customer breach of privacy claims in cyber-breach cases is that, in the former, damages are easier to quantify. As was seen in the Canadian Home Depot settlement, class actions based on breach of privacy may falter where there is little or no evidence of class members suffering an actual loss relating to the breach,[12] and damages for the new "privacy torts" alone are nominal[13] (though this is not a bar to certification[14]). Shareholders, on the other hand, can point to the share price before and after the corrective disclosure and posit that the news of the breach caused some or all of that decline.
More Bad News for Yahoo
This settlement doesn't end Yahoo's troubles in respect of these breaches. One week to the day after the shareholder settlement agreement was signed, a judge rejected a motion by Verizon to dismiss many of the claims advanced in a class action brought against Yahoo by Yahoo users whose personally identifiable information was compromised in the breaches.[15] This action alleges numerous causes of action more typical of data breach cases, such as breach of contract, negligence, and fraud.
Meanwhile, in Canada…
Yahoo was named in three Canadian class actions relating to these same cyber breaches;[16] a Quebec action survived a stay motion and awaits certification,[17] a B.C. action awaits a hearing on both certification and a stay in favour of an Ontario action,[18] and the Ontario action awaits certification. However, none of these actions are securities-based class actions (the Ontario class action, for instance, is based in negligence, privacy torts, breaches of contract and of the Consumer Protection Act, 2002, and restitution[19]). Accordingly, one should not anticipate a settlement similar to that achieved in the Yahoo securities-based claim.
[19] SO 2002, c 30, Sch A