We previously noted that in late 2016, Yahoo disclosed that it had experienced multiple data breaches relating to what turned out to be roughly three billion of its accounts. At that time, the initial breach, which was reported in September of 2016, had already resulted in several proposed class action complaints. Now, United States District Judge Lucy H. Koh, of the Northern District of California, must decide whether to grant the plaintiffs’ motion for class certification.

Since 2016, the Court has issued a decision granting in part and denying in part Yahoo’s first motion to dismiss the complaint and granting leave to amend on many counts—finding that the plaintiffs had Article III standing and allowing claims for breach of contract, breach of the implied covenant of good faith and fair dealing, and violation of the California Unfair Competition Law to survive. Then, earlier this year, Judge Koh again granted in part and denied in part Yahoo’s renewed motion to dismiss the plaintiffs’ amended complaint, allowing some of plaintiffs’ claims to advance.

On July 13, 2018, the underlying plaintiffs filed a 50-page motion for class certification—seeking to certify subclasses for those users with: 1) free accounts; 2) paid accounts; and 3) business accounts. Plaintiffs further sought to have those subclasses organized into geographic subclasses or subclasses based on the type of injury. In turn, on September 1, 2018, Yahoo, and co-defendant Aabaco Small Business, LLC, filed a 35-page opposition to the plaintiffs’ motion.

In their opposition, the defendants objected to all of the plaintiffs’ proposed classes or subclasses, and repeatedly noted that individualized inquiries, rather than questions that predominate across the proposed classes, will drive the resolution of the underlying claims. Indeed, defendants further stressed that resolving whether Personally Identifiable Information (PII) had actually been disclosed, and whether, as plaintiffs claim, their PII lost value, will require an account-by-account and user-by-user inquiry, which undermines class certification. Time and again—as one may expect—the defendants harped on the unwieldy size of even the proposed subclasses—at one point noting that plaintiffs’ proposal for awarding individual relief would take “a claims administrator . . . work[ing] ten hours a day, 365 days a year […] more than 40 years just to get through” ten percent of users and up to four hundred and five years to complete, if all users submitted a claim.

The Court’s determination on such a sizeable class could have a meaningful impact on future data breach litigation. Indeed, this litigation presents an interesting case study in how courts may attempt to deal with proposed classes of plaintiffs that could reach well into the hundreds of millions. The unique challenges presented by data breaches of this size will continue to present new issues for courts to address in the coming years.