Reuters tech/biz writer, Jonathon Stempel, recently reported in “Yahoo strikes $117.5 million data breach settlement after earlier accord rejected,” that the settlement is the largest common fund class action settlement in data breach history. The implications of this settlement (revised from an early attempted settlement in hopes of being more palatable to federal district Judge Lucy Koh) are staggering.
As most know, Yahoo was a pioneer web services provider that sprouted from the Silicon Valley. In 1995, Yahoo’s genius founders Jerry Yang and David Filo launched Yahoo closely on the heels of Hotmail, and more than two years before the launch Google – the most common service today – Gmail didn’t arrive until years later.
Despite Yahoo’s deep internet savvy and gravitas, between 2013 and 2016 it suffered three horrendous data breaches that collectively impacted three billion user accounts worldwide. Among these accounts were hundreds of millions of American, European, and Israeli users containing Personal Data from everything Yahoo collects, everything a user (and one in three people were users) ever entered onto their account profiles, whether shared or kept private; from age, address, and personal details, to bank information and passwords. The hackers grabbed it all, and it is all still out there, as hacked data can live on for eternity on the dark web, or until it becomes valueless (see this Post Hack Checklist describing what hackers typically do with data).
On closer scrutiny, the $117.5 million settlement can be characterized as a $417.5 million settlement. While $55 million is designated for user settlement payments, $24 million is earmarked for two years of compromised credit monitoring, up to $30 million for plaintiff class attorney’s fees, and $8.5 million reserved for miscellaneous expense adds up to $117.5, Yahoo and Verizon have also agreed to expend $306 million on beefed-up cybersecurity over the 3-year period between 2019 and 2022. Verizon was caught in the web because it purchased Yahoo (largely for its data) in 2016 for $4.83 billion and was initially unaware of the breaches (on disclosure, the purchase price was reduced to $4.48 billion).
So… let’s do a recap: Settlement: $117.5, check. Beefed up cybersecurity, $306 million, check. Yahoo’s own attorneys, $30 million (assuming their fees are roughly the same as the fees of plaintiffs’ counsel), check. Lost sales value, $350 million, check. If our math is correct, the Yahoo data breaches on these numbers alone cost Yahoo, associated companies, and investors a minimum of $803.5 million. And of course, that doesn’t count any of the following: the $35 million SEC fine imposed for unreasonable delay in disclosing the breach, and the $80 settlement approved last fall to settle the investor lawsuits. Add another estimated $100 million in attorneys’ fees for all the fallout (that may be conservative) …and before you know it, you’re arriving at a billion dollars.
Sobering, to say the least. Of course, not everyone can absorb such a financial blow. So, the question is, what can you afford?