Brent J. Arnold
Associé
Article
13
A U.S. data breach class action has settled for $80 million, bringing the action, which commenced in early 2017,[1] to a relatively quick and, for the putative class, satisfying end.
The action concerned two massive data breaches, the first in 2013 involving over one billion user accounts, while the second in 2014 involved over 500 million accounts. Neither breach was revealed until late 2016. Unlike most cyber-breach related class actions, the class members were not the users whose private information was hacked, but rather they were the shareholders of Yahoo who saw the company’s share price tumble following news of the breach. The timing of the belated announcements (Yahoo was in talks to be bought by Verizon) caused a precipitous drop in share price.[2] The lawsuit, brought under the Securities Exchange Act of 1934, was for damages and remedies made available under that Act.[3] The plaintiffs alleged that Yahoo and its co-defendants
made false and/or misleading statements and/or failed to disclose that: (i) Yahoo failed to encrypt its users’ personal information and/or failed to encrypt its users’ personal data with an up-to-date and secure encryption scheme; (ii) consequently, sensitive personal account information from more than 1 billion users was vulnerable to theft; (iii) a data breach resulting in the theft of personal user data would foreseeably cause a significant drop in user engagement with Yahoo’s websites and services; and (iv) as a result, Yahoo’s public statements were materially false and misleading at all relevant times.[4]
The action was brought on behalf of “all those who purchased or otherwise acquired Yahoo common shares traded on the NASDAQ during the Class Period[5] and were damaged upon the revelation of the alleged corrective disclosures.”[6]
Although some recent data breach settlements have been prescriptive in nature, setting out laundry lists of sensible remedial and proactive measures to be adopted by defendant companies,[7] the Yahoo settlement[8] is silent on such measures, focusing instead on the quantum and mechanics of settlement. It’s the $80 million payout that is raising eyebrows; the quantum dwarfs payouts in most recent cyber breach-based class and derivative action settlements (with the Anthem settlement at $115 million being a notable exception). For example, the Home Depot Canada settlement in 2016 for breach of customer’s private information attracted a very modest settlement of $520,000 (including counsel fees).[9]
The Yahoo class action is the first significant settlement in a U.S. securities class action where the basis for the claim was a failure to disclose cyber breaches and / or cyber risk.[10] Eight similar suits were commenced in the U.S. against various companies following the launch of the Yahoo action; two of these have been dismissed and the rest are ongoing.[11]
One of the advantages that shareholder claims have over user/customer breach of privacy claims in cyber-breach cases is that, in the former, damages are easier to quantify. As was seen in the Canadian Home Depot settlement, class actions based on breach of privacy may falter where there is little or no evidence of class members suffering an actual loss relating to the breach,[12] and damages for the new “privacy torts” alone are nominal[13] (though this is not a bar to certification[14]). Shareholders, on the other hand, can point to the price of shares prior to the corrective disclosure and then after and posit that the news of the breach has caused some or all of that decline.
This settlement doesn’t end Yahoo’s troubles in respect of these breaches. One week to the day after the shareholder settlement agreement was signed, a judge rejected a motion by Verizon to dismiss many of the claims advanced in a class action brought against Yahoo by Yahoo users whose personally identifiable information was compromised in the breaches.[15] This action alleges numerous causes of action more typical of data breach cases, such as breach of contract, negligence, and fraud.
Yahoo was named in three Canadian class actions relating to these same cyber breaches;[16] a Quebec action survived a stay motion and awaits certification,[17] a B.C. action awaits a hearing on both certification and a stay in favour of an Ontario action,[18] and the Ontario action awaits certification. However, none of these actions are securities-based class actions (the Ontario class action, for instance, is based in negligence, privacy torts, breaches of contract and of the Consumer Protection Act, 2002, and restitution[19]). Accordingly, one should not anticipate a settlement similar to that achieved in the Yahoo securities-based claim.
[1] Kevin M. Lacroix, “Shareholder Files Data Breach Securities Class Action Lawsuit Against Yahoo,” The D&O Diary, January 25, 2017, online: https://www.dandodiary.com/2017/01/articles/cyber-liability/shareholder-files-data-breach-securities-class-action-lawsuit-yahoo/. The Complaint is available here: https://dandodiary.lexblogplatformthree.com/wp-content/uploads/sites/265/2017/01/Yahoo-Complaint.pdf.
[2] The Complaint notes that Yahoo’s share price dropped $1.35 or 3.06% following the first announcement in September 2016, and $2.50 or 6.11% following the second announcement in December 2016: https://dandodiary.lexblogplatformthree.com/wp-content/uploads/sites/265/2017/01/Yahoo-Complaint.pdf at paras. 7 and 10.
[3] Class Action Complaint for Violation of the Federal Securities Laws at para. 1, online: https://dandodiary.lexblogplatformthree.com/wp-content/uploads/sites/265/2017/01/Yahoo-Complaint.pdf.
[4] Class Action Complaint for Violation of the Federal Securities Laws at para. 5, online: https://dandodiary.lexblogplatformthree.com/wp-content/uploads/sites/265/2017/01/Yahoo-Complaint.pdf.
[5] The “Class Period” runs from December 2013, when quarterly filing to make the disclosures set out above, to December 2016, the date of the second breach disclosure. Class Action Complaint for Violation of the Federal Securities Laws at paras. 1, 8 and 24 and, online: https://dandodiary.lexblogplatformthree.com/wp-content/uploads/sites/265/2017/01/Yahoo-Complaint.pdf.
[6] Class Action Complaint for Violation of the Federal Securities Laws at para. 72, online: https://dandodiary.lexblogplatformthree.com/wp-content/uploads/sites/265/2017/01/Yahoo-Complaint.pdf.
[7] See for example the measures agreed to by Home Depot in the proposed settlement of its U.S. class action: Plaintiffs’ Unopposed Motion for Preliminary Approval of Shareholder Derivative Settlement and Memorandum of Law in Support, online: http://www.dandodiary.com/wp-content/uploads/sites/265/2017/05/home-depot-settlement.pdf, at pp.2 and 7-8.
[8] Available online here: https://www.dandodiary.com/wp-content/uploads/sites/265/2018/03/yahoo-settlement.pdf.
[9] Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII), <http://canlii.ca/t/gt65j>.
[10] Roger A. Cooper, Rahul Mukhi & Kal Blassberger, “Yahoo! Enters Proposed Settlement in Data Breach Securities Class Action,” Cleary Cybersecurity and Privacy Watch, March 13, 2018, online: https://www.clearycyberwatch.com/2018/03/yahoo-enters-proposed-settlement-data-breach-securities-class-action/.
[11] Alexis Kramer, “Yahoo Agrees to Pay $80M to Settle Securities Fraud Suit,” Bloomberg Law, March 6, 2018, online: https://biglawbusiness.com/yahoo-agrees-to-pay-80m-to-settle-securities-fraud-suit/.
[12] Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII), <http://canlii.ca/t/gt65j>.
[13] Jones v. Tsige, 2012 ONCA 32 (CanLII), <http://canlii.ca/t/fpnld> at para. 92.
[14] Condon v. Canada, 2014 FC 250 (CanLII), <http://canlii.ca/t/g69g7>.
[15] Yahoo Inc Customer Data Security Breach Litigation, U.S. District Court, Northern District of California, No. 16-md-02752. The decision is available online: https://assets.documentcloud.org/documents/4407140/Yahoo-Class-Action-Lawsuit.pdf.
[16] In Québec, Michel Demers vs. Yahoo! Inc. et Yahoo! Canada Co., Superior Court File No.: 500-06-000842-175, Application for Authorization to Institute a Class Action and to Appoint a Representative Plaintiff available online: http://cbaapp.org/ClassAction/PDF.aspx?id=8486; in B.C.,
Jagdeep Gill v. Yahoo! Canada Co. and Yahoo! Inc., Supreme Court of British Columbia Court File No.: S-168873, Notice of Civil Claim available online: http://cbaapp.org/ClassAction/PDF.aspx?id=8037; in Ontario, Natalia Karasik v. Yahoo! Inc. and Yahoo! Canada Co., Superior Court of Justice Court File No.: CV-16-566248-00CP, Statement of Claim available online: http://cbaapp.org/ClassAction/PDF.aspx?id=8444.
[17] Demers c. Yahoo! Inc., 2017 QCCS 4154 (CanLII), <http://canlii.ca/t/h67hf>.
[18] Gill v Yahoo! Canada Co., 2018 BCSC 290 (CanLII), <http://canlii.ca/t/hqpmx>.
[19] SO 2002, c 30, Sch A
CECI NE CONSTITUE PAS UN AVIS JURIDIQUE. L'information qui est présentée dans le site Web sous quelque forme que ce soit est fournie à titre informatif uniquement. Elle ne constitue pas un avis juridique et ne devrait pas être interprétée comme tel. Aucun utilisateur ne devrait prendre ou négliger de prendre des décisions en se fiant uniquement à ces renseignements, ni ignorer les conseils juridiques d'un professionnel ou tarder à consulter un professionnel sur la base de ce qu'il a lu dans ce site Web. Les professionnels de Gowling WLG seront heureux de discuter avec l'utilisateur des différentes options possibles concernant certaines questions juridiques précises.