Yahoo judge lets hack victims seek payback for data breaches
(Bloomberg) -- Yahoo Inc. can’t escape claims that it should pay punitive damages over data breaches that left information on 3 billion customers in hackers’ hands.
After the intrusions already shaved off $350 million off the internet firm’s value in its 2017 acquisition by Verizon Communications Inc., the final tally from the fallout may be hundreds of millions of dollars more.
Customers make a plausible argument that “high-ranking executives and managers at Yahoo’’ engaged in “malicious conduct,’’ the standard for seeking punishment damages on top of ordinary compensation for consumer harm, U.S. District Judge Lucy Koh in San Jose, California, said in a ruling.
“The claims are baseless, and can’t comment beyond that because of pending litigation,” said Bob Varettoni, a Verizon spokesman.
Yahoo reached an $80 million settlement this month with investors over claims that executives concealed the data breaches to artificially inflate the price of the internet firm’s shares. Under the accord, investors are slated to get 12 cents for each share of Yahoo stock they owned.
With the investor claims settled, Yahoo will probably move to resolve the consolidated customer cases, said Rahul Telang, a professor of information systems at Carnegie Mellon University in Pittsburgh. “I foresee a settlement in the hundreds of millions rather than billions,” Telang said.
Anthem Inc. set the record for a data breach settlement when it agreed last year to pay customers $115 million over a 2015 cyber-attack that compromised data on 78.8 million people. That case was also before Koh, who has proven to be tough on companies that allow private customer data to be stolen or sold for commercial marketing.
Pending litigation against Equifax Inc. in Atlanta over claims that its negligence allowed hackers to steal sensitive credit data from almost half the U.S. population is expected to extend the largest amount for a consumer recovery.
Verizon bought Yahoo’s online businesses, which includes its email service, sports and finance new sites for $4.5 billion to combine it with its AOL Inc. operation. Verizon acquired AOL in 2015. The combined companies operate under the name Oath.
The remainder of Yahoo, which include stock in China’s Alibaba Group Holding Inc. and Yahoo Japan worth more than $40 billion, went into New York-based Altaba Inc. Verizon and Altaba agreed to evenly split all costs tied to lawsuit liability over the data breaches as part of the Yahoo acquisition deal.
Koh said in her ruling Friday that customers produced evidence showing that Yahoo’s top computer-security officials knew about the repeated breaches and did nothing to address them. Yahoo’s approach to the breaches was to “sweep it under the rug,” the judge said.
The breaches threatened the Verizon deal, cost millions of dollars legal fees and spurred more than 40 lawsuits, which have been consolidated before Koh for pretrial information exchanges.
Yahoo customers contend that as a result of the company’s lax security, their data has been used to steal money from bank accounts, create credit problems and resulted in fraudulent tax filings.
Last year, the U.S. accused Russia of directing some of the world’s most notorious cybercriminals to break into Yahoo in 2014 in a criminal indictment alleging a widespread conspiracy by two Russian FSB security agents and a pair of hackers.
Koh is slated to decide whether to give preliminary approval to the settlement with investors on May 3, according to court dockets. Lawyers for Yahoo shareholders are requesting $20 million in legal fees under the accord.
“A recovery of 12 cents a share doesn’t sound like a victory for shareholders,” said Erik Gordon, a professor at the University of Michigan’s Ross School of Business. “This sounds like more a victory for their lawyers.”
The customers’ case is In re: Yahoo Inc. Customer Data Security Breach Litigation, No. 16-md-02752, U.S. District Court for the Northern District of California (San Jose). The investors’ case is In Re Yahoo! Inc. Securities Litigation, No. 17-373, U.S. District Court for the Northern District of California (San Jose).