We previously wrote about the Yahoo data breaches, subsequent class action pending in California, and the company’s estimate of potential settlement costs. Based on the Plaintiffs’ recent Motion for Preliminary Approval of Class Action Settlement, filed on October 22, 2018, the parties have tentatively agreed to settle the case for $50,000,000 in settlement funds, $35,000,000 in attorneys’ fees, and $2,500,000 in expenses. Additionally, class members will be able to avail themselves of various credit monitoring services, and the class representatives who filed the action will be entitled to between $7,500 and $2,500 each, exclusive of the settlement funds, depending on the nature of their involvement. The settlement would apply to both the pending federal class action—before District Judge Lucy H. Koh—and similar state court litigation. 

In their pending motion for preliminary approval, the Plaintiffs stressed that, based on the above-noted structuring of the settlement, “the full $50-million Settlement Fund will be available to compensate Settlement Class Members for out-of-pocket costs stemming from the Breaches, to reimburse Paid Users and Small Business Users up to 25% of the amounts they paid for Yahoo’s email services, and to fund alternative compensation for Class Members that already have credit monitoring.”  The settlement agreement will apply to a class that is, in essence, composed of “[a]ll U.S. and Israel residents and small businesses with Yahoo accounts at any time during the period of January 1, 2012 through December 31, 2016.”

Plaintiffs further noted that the proposed settlement would “provide, by far, the largest available cash fund for data breach class members in history.” Indeed, all told, Yahoo will contribute upwards of $87,500,000 to the settlement. This is in addition to the securities class action suit, stemming out of the same breaches, which settled for $80,000,000, including $14,400,000 in attorneys’ fees. That settlement was previously approved by Judge Koh in September. Also, Yahoo agreed to pay the Securities and Exchange Commission $35,000,000 in fines for failing to timely disclose the nature of the breaches.

These recent developments serve as a stark reminder of the massive financial consequences that can arise from data breach litigation. In the aggregate, Yahoo will pay at least $202,500,000 for the trio of data breaches that occurred between 2013 and 2016, based on the aforementioned settlements and fines alone. While major global corporations—like Yahoo—may be able to withstand these types of obstacles, many other businesses may not be similarly poised.  Accordingly, businesses may want to remain proactive in attempting to prevent these types of data breaches and ensuring timely compliance with any applicable disclosure laws.