Yahoo! Derivative Data Breach Suit Yields Unprecedented $29 Million Settlement

January 17, 2019 Published Article

On January 9, the parties to a derivative suit against several former directors and officers of Yahoo! Inc., which was based on a series of data breaches in which an estimated three billion user accounts were compromised, reached a $29 million settlement.  The settlement, which included approximately $11 million in attorney’s fees with the remaining $18 million going to the company, is reportedly the first of its kind – previous derivative suits had resulted in settlements that only required changes in corporate governance and relatively small fee awards.  If this settlement signals the beginning of a new trend, executives whose companies experience a data breach could find themselves on the hook for a similarly sizable amount.

What is a Derivative Lawsuit?

For those unfamiliar with the term, a derivative suit is a lawsuit filed by the shareholders of a company against its directors and/or officers based on the assertion that their management of the company has been so poor that it has negatively impacted the value of the company, and therefore their shares.  These suits are filed on behalf of the company, and in this case, $18 million will now be paid to Yahoo (now officially referred to Altaba, Inc. after its purchase by Verizon).  Some amount may be awarded to individual shareholders involved in bringing the case, but it is generally just to compensate them for their time – the amounts paid to individual shareholders in the Yahoo suit totaled in the thousands rather than the millions.  

What Makes this Settlement Different?

Lawsuits are not uncommon following a major data breach, but they are more commonly filed as a class action on behalf of a company’s customers whose information was compromised.  In response, companies do things like provide or pay for credit monitoring services and create compensatory funds.  But in this suit, the company itself was effectively the plaintiff, and its executives and directors were personally liable for their actions that allegedly contributed to the massive series of data breaches.  In theory, both a consumer class action suit and a shareholder derivative suit could be filed over the same data breach.  Moreover, previous similar cases yielded comparatively little in terms of financial results, whereas this settlement resulted in a hefty payday for both Yahoo and its counsel.  This case could serve as proof of concept to inspire a wave of would-be imitators looking for their own multimillion dollar payday.  

Actions to Protect against Similar Suits

Many corporate officers may be feeling understandably nervous in the wake of this settlement, especially in light of the large number of high profile data breaches that have come to light in recent months.  There are three main steps that companies would be wise to take in order to avoid the most drastic potential consequences of a derivative breach suit:

  1. Keep your company’s data security up to date:  The best way to escape the consequences of a major data breach is to simply not have one.  To that end, make sure your company is devoting sufficient resources to its cybersecurity efforts, and that its security measures are kept strong and updated frequently.  Malicious actors are constantly developing new tools to access private data, and frequently only the most recent countermeasures will be effective in keeping them out.  This includes both technical measures such as firewalls and penetration tests, as well as training of employees to recognize social engineering attacks like phishing emails.  
  2. Make sure you have appropriate breach coverage in your D&O policy:  The only thing worse than getting a multimillion dollar settlement or judgment against you is having to pay it out of your own pocket, instead of having it covered by your insurance.  Recent data breaches at companies like Facebook, Google, and Marriott have shown that even with ample resources and the best talent, sometimes data breaches are inevitable.  The insurance industry has been around a lot longer than the technology that’s made this type of data breach possible, and many of their policies haven’t kept up with the times.  Fortunately for Yahoo’s former executives, their settlement payment was covered by their insurer.  Those concerned about facing similar litigation should take a look at their policy (or better yet, have an attorney do so) to make sure that their coverage is also up to snuff.  Updates can be made to existing D&O policies, or companies may wish to purchase entirely new cybersecurity policies that can be customized to their needs.
  3. Keep everyone on the same page: Part of the purpose of organizing a corporation instead of running a business by yourself is to bring on specialists who can handle their areas of expertise and take concerns off your plate.  Taken too far, however, this can result in those at the top not knowing enough about what’s going on elsewhere in the company.  Executives, directors, IT specialists, and counsel should work together to make sure that the leadership is aware of and involved in companies’ cybersecurity efforts.  While it may be tempting for executives without specialized technical experience to leave this to the experts and focus on other areas of the business, a lack of involvement and awareness won’t earn sympathy from judges and juries in derivative breach lawsuits, and an extra set of eyes looking from a different perspective might be able to catch problems before they arise.  

It’s difficult to say just how big of an effect the Yahoo settlement will have on future derivative breach litigation, but some basic precautions can put corporate officers in the best position to face it if and when it’s directed at them.