In recent years, plaintiffs’ lawyers have filed a number of management liability lawsuits against the executives of companies that have experienced high-profile data breaches. These lawsuits have either been filed as shareholder derivative lawsuits or securities class action lawsuits. By and large, the cases filed as shareholder derivative lawsuits have been unsuccessful. However, in a development that represents a milestone in several different respects, the parties to the Yahoo data breach-related derivative lawsuit have agreed to settle the case for $29 million. As discussed below, this settlement may have important implications for future data breach-related derivative litigation. The Court’s January 4, 2019 order approving the settlement can be found here (see calendar Line 5 in the order).
In July 2016, shortly after it had entered an agreement to be acquired by Verizon, Yahoo announced the existence of a data breach that had taken place in 2014. The data breach impacted as many as 500 million Yahoo users. On December 14, 2016 Yahoo disclosed that it had been subject to an even larger data breach, involving one billion users, in 2013 which involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords. (Yahoo subsequently disclosed that the 2013 breach may have affected all three billion of Yahoo’s users.) The two attacks are the largest known security breaches of one company’s computer network. Among other things, after Yahoo announced the data breaches, Verizon and Yahoo’s management negotiated a $350 million reduction in Verizon’s $4.8 billion acquisition of Yahoo’s assets.
A variety of different lawsuits followed these events. Among other things, shareholders filed a securities class action lawsuit against Yahoo and certain of its directors and officers (as discussed further below, the securities lawsuit settled in March 2018 for $80 million). In addition to the securities class action lawsuit, plaintiff shareholders also a number of derivative lawsuits against Yahoo’s board and senior managers. The separate lawsuits later were consolidated. The plaintiffs’ amended consolidated derivative complaint, which though heavily redacted makes for some very interesting reading, can be found here.
The derivative complaint asserts claims against Yahoo’s board for breach of fiduciary duty, insider trading, unjust enrichment, and waste. The plaintiffs also asserted claims against Verizon for aiding and abetting. Among other things, the complaint alleges that Yahoo officials knew about the data breaches long before they were disclosed to the public and that instead of disclosing that the data breaches had taken place the defendants sought to cover up the breaches. The complaint also alleges that several of the individual defendants sold stock from their personal holding of Yahoo stock after becoming aware of the data breaches and before the breaches were made public.
As detailed in the court’s order approving the settlement, the parties agreed to settle the derivative litigation for $29 million, the amount to paid by “the insurance carriers of the individual defendants and Verizon, as separately agreed by them.” The parties’ stipulation of settlement and settlement agreement can be found here. In the settlement, the defendants expressly denied the plaintiffs’ allegations of wrongdoing.
The court separately approved the plaintiff’s counsel’s fee of $8.6 million for the derivative lawsuit, as well as a separate and additional $2 million for the plaintiffs’ counsels’ effort in connection with proxy litigation (relating to Yahoo’s asset sale to Verizon). The remaining roughly $18.4 million will be paid to Altaba, Yahoo’s successor in interest. The negotiated release in the settlement expressly does not include a release of the pending consumer data breach-related class action pending against Yahoo.
As I mentioned at the outset, though there have been a number of high-profile data breach related shareholder derivative lawsuits file over the years, these cases have largely been unsuccessful. During the period 2014-2016, plaintiffs filed shareholder derivative lawsuits against the boards of Wyndham Worldwide, Target, and Home Depot. In each of these cases, the courts granted the defendants’ motion to dismiss, as noted respectively, here, here and here.; in the Home Depot case, while the dismissal was on appeal, the parties agreed to settle the case for defendants’ agreement to pay the plaintiffs’ attorneys’ fees of $1.125 million. In addition, in a separate derivative lawsuit filed against the board of fast food chain Wendy’s, the parties agreed to settle the case while the dismissal motion was pending based on the company’s agreement to adopt a number of remedial measures and the defendants’ agreement to pay the plaintiffs’ attorneys fees of $950,000.
None of these prior cases resulted in significant monetary recoveries – which in and of itself may not be all of that noteworthy, as until quite recently a significant recovery in derivative lawsuits was a relatively unusual event. Just the same, the track record in prior data breach related derivative litigation makes the significant recovery in the Yahoo data breach-related derivative settlement all the more noteworthy.
The Yahoo data breach debacle has led to a number of different milestones in the annals of data breach-related management liability litigation.
As noted here, the parties to the Yahoo data breach-related securities class action lawsuit agreed to settle the case for $80 million.
In addition, in April 2018, Altaba, Yahoo’s successor in interest agreed to pay a penalty of $35 million in resolution of the SEC’s first-ever data breach related enforcement action.
In what is a completion of a trifecta of sorts, the defendants in the Yahoo data-breach related derivative lawsuit have now agreed to settle the case for the payment of $29 million. (In addition, according to news reports, the parties to the separate data breach related consumer class action reportedly have agreed to settle that case for a payment of up to $85 million.)
The Yahoo data breach derivative lawsuit is noteworthy in that it represents the first significant recovery in a data breach-related derivative lawsuit. In that regard, it arguably is particularly noteworthy that the plaintiffs’ lawyers secured a fee of $10.6 million, a recovery that is sufficiently sizeable that it is likely to catch the attention of others and perhaps encourage others to seek to pursue these kinds of cases.
As noted in a January 14, 2019 post on the NACD Board Talk blog (here), the significant cash settlement in the Yahoo data breach-related derivative lawsuit settlement “sets a potentially dangerous precedent for future breach-related derivative actions.” The settlement could, as another commentator noted, “serve as proof of concept to inspire a wave of would-be imitators looking for their own multimillion dollar payday.”
To be sure, there are certain features of the Yahoo situation that may make the circumstances somewhat unique. For starters, it appears to involve the largest ever data breach. There also is the very unfortunate circumstance of the long lag-time between the date of the breach and the time when Yahoo finally got around to disclosing the breach. Moreover, there is the very specific aspect of the case in which Verizon renegotiated the price of its asset acquisition, reducing the value of the deal by $350 million, which represented a very significant and undeniable financial consequence resulting from the data breach. Few other cases are going to involve anything like this combination of circumstances.
Indeed, in light of these factors, it arguably is no surprise that the company and its successor in interest has agree to pay a combination of a total of almost $145 million in settlement of management liability claims and regulatory enforcement actions (and apparently another $85 million in settlement of the consumer liability class action). The magnitude of these settlements directly reflects the egregiousness of the allegations that have been asserted against the company and its executives in the wake of the data breach revelations.
There have of course been other high-profile data breaches that have captured the headlines in the business pages; some of these data breaches have resulted in management liability actions against the executives at the companies involved. Many of these cases – including the lawsuits involving executives at Equifax and Marriott, for example – remain pending. It remains to be seen whether these cases will result in recoveries of any kind, much less of the magnitude of the recoveries secured in connection with the Yahoo data breach.
While the outcome of the pending cases remains to be seen, the fact is that the significant recovery in the Yahoo data breach derivative suit could well encourage other claimants to file similar lawsuits in the future. As one commentator noted, “executives whose companies experience a data breach could find themselves on the hook for a similarly sizeable amount.”