Federal Judge’s Rejection of Yahoo! Data Breach Settlement Reminds Counsel to Focus on Class Interests

February 28, 2019 Published Article

When Yahoo! disclosed that it had suffered a series of data breaches that exposed information from all of its approximately three billion user accounts, it was essentially a foregone conclusion that the company would face class action litigation on behalf of affected consumers.  That litigation is now underway, and will continue after California federal judge Lucy Koh recently rejected a settlement that had been agreed on by the parties.

Unlike typical litigation, in which the parties can settle at will and on any terms on which they can agree, class action settlements require the approval of the judge presiding over the case in order to safeguard the interests of the class members not directly participating in the suit.  Yahoo!, now owned by Verizon, and counsel for the plaintiff class had agreed on a settlement in which $50 million would go to remediating the damage to users from the breach, $35 million would be set aside for payment of attorneys’ fees incurred in the litigation, with a further $2.5 million set aside for costs and fees.  In addition, the settlement would have, among other things, provided a minimum of two years of credit monitoring and identity theft protection services to affected users.

$50 million is no token amount, and the services to be provided under the settlement are commonly seen in other data breach settlements.  Judge Koh, however, took issue with the lack of detail in the agreement, which did not specify the total amount of the settlement fund, how much would be spent on providing services to class members, or how much would be spent on administering the settlement.  Judge Koh also expressed concern that the settlement would have covered unspecified breaches going back to 2012, when the earliest disclosed breach occurred in 2013, leaving class members unclear as to what exactly they were getting and giving up.

Judge Koh also criticized the amount of attorneys’ fees included in the settlement.  At $35 million, the pool set aside for attorneys’ fees would have comprised 40 percent of the total disclosed settlement amount.  According to Judge Koh’s order, the case involved no novel legal issues, limited discovery, and relatively simple legal filings – in short, nothing to justify the high legal bill.  Despite the suit’s simplicity for its size, thirty-two law firms reportedly worked on it on behalf of the plaintiff class, in contrast to the mere five Judge Koh had authorized.  The order compared the case to previous data breach settlements in cases that were more complex but yielded millions less in legal fees.

All of these issues added up to create the appearance of a settlement that was crafted more to suit the interests of the defendant (through the lack of transparency) and class counsel (through the high fee award) than the actual members of the plaintiff class.  In sending the parties back to the drawing board, Judge Koh sent a message not only to Yahoo! and plaintiff class counsel, but also to litigants in future class actions – that courts will not simply rubber-stamp this type of self-serving settlement.  

Judge Koh’s order was the latest in a growing line of such decisions that have attempted to make this message clear, especially in the context of data breach litigation.  Damages in such cases can be particularly difficult to calculate with specificity, as it is generally not easy to determine if and how particular users’ data has been misused, and what their financial costs have been as a result.  Decisions like Judge Koh’s are drawing a line, stating that litigants and attorneys cannot hide behind these difficulties in attempts to obtain approval for settlements that do not serve the interests of the plaintiff class, or meet the standards required by law.

Class action litigants and counsel in future cases would do well to remember the lessons contained in these types of decisions – that proposed settlements must be transparent about how much money is involved and where it is going, that legal fees must be reasonable in light of the complexity of the case and the work actually performed, and that data breach cases are not immune to these concerns despite the uncertainty frequently involved.