On March 5, Yahoo, Inc. (“Yahoo”) announced a proposed settlement in In re Yahoo Inc. Securities Litigation, which was filed in U.S. District Court in San Francisco. The $80 million proposed settlement relates to a securities class litigation stemming from Yahoo’s 2013 and 2014 data breaches. While many elements of the Yahoo securities class action may be factually unique, the settlement is a milestone because it is the first significant securities fraud settlement from a cybersecurity breach.
In January 2017, the first of several securities class action lawsuits was filed against Yahoo and certain of its directors and officers in the Northern District of California. Plaintiff shareholders alleged that defendants failed to disclose the two largest data breaches in U.S. history, in which hackers stole the records of 3 billion users in 2013, and compromised the accounts of 500 million users in 2014. They further alleged that defendants failed to disclose two additional massive data breaches in 2015 and 2016, which affected approximately 32 million Yahoo users and caused financial harm to investors.
It is also alleged that, throughout the class period, defendants continued to reassure the public that Yahoo had “physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about [its users],” that it would publicly disclose all security vulnerabilities within 90 days of discovery, and that its data security employed “best practices,” among other misrepresentations. Plaintiff shareholders alleged that defendants knew but failed to disclose that Yahoo was employing grossly outdated and substandard information security methods and technologies, which had resulted in two of the largest data security breaches in history.
The stipulation of settlement does not say how the settlement will be funded. It states only that Yahoo will “pay the settlement or cause it to be paid.” The stipulation of settlement expressly includes defendants’ insurers, which is not unusual. Its description of how the settlement is to be funded mentions providing the insurers with information, which strongly suggests that the D&O insurers are funding at least some portion of the settlement.
In the past, public companies have defeated plaintiffs’ efforts to seek recovery through securities class actions relating to cybersecurity risks and events. However, recent events suggest that this may change. Yahoo’s proposed settlement comes on the heels of updated guidance on cybersecurity disclosure issued by the Securities and Exchange Commission (SEC) on February 21. The SEC guidance calls on public companies to be more forthcoming when disclosing cybersecurity risks. Together, the Yahoo proposed settlement and the new SEC guidance may provide the groundwork for plaintiffs’ law firms to pursue such claims through securities actions.