The newly disclosed $80 million settlement of the Yahoo data breach-related securities class action lawsuit will not make the list of the Top 100 securities suit settlements, but it is significant in its own way just the same. Because the settlement is the first substantial data breach-related shareholder lawsuit recovery, it represents a milestone development in a number of respects, as discussed below. The parties’ March 2, 2018 Stipulation and Agreement of Settlement can be found here.
As discussed in detail here, Yahoo announced two data breaches during 2016. The first, which Yahoo announced in September 2016, took place or at least began sometime during 2014, and resulted in hackers obtaining data from over 500 million user accounts. A separate data breach, which apparently took place or began during 2013 but that Yahoo first announced in December 2016, affected over 1 billion user accounts. The Yahoo data breaches are believed to be the largest in history.
As I noted in a blog post at the time, in January 2017, shareholders filed the first of several securities class action lawsuits against Yahoo and certain of its directors and officers in the Northern District of California. In their January 24, 2017 press release (here), the plaintiff’s lawyers state that the complaint alleges that Defendants made false or misleading statements or failed to disclose that:
(i) Yahoo failed to encrypt its users’ personal information and/or failed to encrypt its users’ personal data with an up-to-date and secure encryption scheme; (ii) consequently, sensitive personal account information from more than 1 billion users was vulnerable to theft; (iii) a data breach resulting in the theft of personal user data would foreseeably cause a significant drop in user engagement with Yahoo’s websites and services; and (iv) as a result, Yahoo’s public statements were materially false and misleading at all relevant times.
The complaint alleges that following the company’s September 2016 disclosure, the company’s share price declined 3.06%. The complaint alleges that following the company’s December’s 2016 data breach disclosure, the company’s share price declined 6.11%.
The complaint also referenced Yahoo’s July 25, 2017 announcement that it would be selling its core business to Verizon Communications. The complaint alleged that following the company’s December 2016 data breach disclosure, “several news sources reported that Verizon was considering ways to amend the terms of its deal with Yahoo to reflect the impact of the data breach and would likely seek ‘major concessions’ from Yahoo.” In February 2017, Verizon announced that as a result of the data breach news, it was cutting $350 million from the price it would pay for the Yahoo acquisition. Verizon completed the deal in June 2017.
Finally, the complaint also referenced news articles (here) reporting that the SEC had opened an investigation into the timing of Yahoo’s disclosures regarding the data breach.
The court consolidated the various complaints and the defendants filed a motion to dismiss. As detailed in Judge Lucy Koh’s November 22, 2017 order (here), while the dismissal motions were pending, the parties engaged in settlement negotiations. In her order, Judge Koh dismissed the motions as moot and gave the plaintiffs leave to file an amended complaint. The plaintiffs subsequently filed an amended complaint, while the negotiations continued. On March 2, 2018, the parties advised the court that they had reached a settlement.
Interestingly, though the parties had filed their settlement stipulation, Yahoo apparently also filed a motion to dismiss the plaintiffs’ second amended complaint with the court on March 2. Law 360 reports that “lead plaintiff Ben Maher had apparently refused the settlement. Attempts to contact Maher on Monday were not immediately successful.”
The settlement was reached on the defendants’ behalf by Altaba, an investment company holding certain former Yahoo assets as a result of Verizon’s acquisition of Yahoo. The settlement stipulation refers to Altaba as being “formerly known as” Yahoo. In the settlement stipulation, the defendants expressly deny liability.
The stipulation of settlement does not say anything about how the settlement amount is to be funded or whether D&O insurance will pay some or all of the settlement amount. The settlement stipulation says only with respect to the payment of funds that Yahoo will pay the settlement or cause it to be paid. The list of Released Defendant Persons that the plaintiffs agree to release in the settlement expressly includes defendants’ insurers (not an unusual provision). In the provisions of the settlement stipulation describing the way in which the settlement will be funded and the timing, the stipulation states that the settlement consideration will be paid only after, inter alia, the provision of “other information or authorizations that may be required by certain of Altaba’s insurance carriers” – which certainly suggests that D&O insurance is playing a role in funding the settlement.
There have been a number of high profile shareholder lawsuits filed against companies that had experienced data breaches. However, while these cases were filed, they did not turn out to be all that productive from the plaintiffs’ perspective. Indeed, several high profile data breach shareholder derivative lawsuits were dismissed. (As discussed here, one of these cases, involving Home Depot, settled for a relatively modest amount in May 2017 while the dismissal was on appeal).
Despite these early setbacks in the shareholder derivative suits, in 2017, plaintiff shareholders filed a number of new data breach-related securities suits – though the 2017 suits were filed as securities class action lawsuits rather than as derivative suits. The Yahoo data breach-related securities suit was the first of these newer cases to be filed; it was followed by several other data breach related securities suit filings later in the year, including the high profile securities suit filed against Equifax.
Even when the plaintiff shareholders met with the prior disappointment in the derivative lawsuits, it seemed unlikely that the plaintiffs’ attorney would simply abandon the effort to try to pursue data breach related D&O claims. Rather, it seemed as if the plaintiffs’ lawyers had simply not yet found the way that they were going to make money on these kinds of claims.
Now with the Yahoo settlement, it seems like the plaintiffs’ lawyers may have achieved an advance of sorts. At a minimum, it certainly shows that the plaintiffs’ lawyers might actually be able to make money on these kinds of lawsuits. (The plaintiffs lawyers reportedly intend to seek attorneys’ fees of up to $20 million from the court.) The magnitude of the settlement, by contrast to the outcome in all of the prior data breach-related shareholder lawsuits, may hearten other prospective claimants and plaintiffs’ attorneys as well. For that reason, this settlement represents both something of a milestone and something of a breakthrough.
None of which should be interpreted to suggest that we are about to see a flood of these kinds of cases. There were only a very small number of data breach-related securities lawsuits filed in 2017, even with the Yahoo and Equifax cases. In many instances, companies experiencing data breaches may not necessarily be attractive securities suit case because company share prices often do not drop significantly on news of a data breach. In the absence of a significant stock drop, the data breach company will not be an attractive securities suit target.
There are also a number of factors that arguably make the Yahoo situation distinctive, and even perhaps unique. First of all, the data breach was the largest ever. Second of all, the data breach disclosure had a material and readily identifiable financial impact on Yahoo, as it resulted in the $350 reduction of the amount that Verizon was to pay for the Yahoo acquisition. Thirdly, there was the very unusual combination of circumstances in which the massive breaches had taken place years earlier but were not disclosed until years later. It could be argued that merely because the Yahoo case, with all of these distinctive features, resulted in a significant settlement does not necessarily mean that many other companies will be sued or that the plaintiffs’ lawyers are going to be able to secure significant recoveries in a lot of other cases.
Just the same, the Yahoo settlement (assuming it is approved by the court) is the first significant data breach-related shareholder lawsuit settlement. The plaintiffs’ lawyers have now figured at least one way they can make money off of this type of litigation. Interestingly, this settlement coincidentally comes just days after the SEC released new guidance in which the agency underscored the disclosure obligations of reporting companies that have experienced data breaches. It is hard to know for sure, but it could be this milestone settlement together with the SEC’s new disclosure guidelines could mean that data breach-related shareholder litigation could be an area of increased focus for the plaintiffs’ lawyers.