A federal judge denied primary approval on Monday for a proposed settlement in a class action breach lawsuit against Yahoo, citing a continued lack of transparency.
Yahoo was subject to three data breaches between 2013 and 2016. These breaches occurred due to Yahoo’s failure to use “appropriate safeguards to protect users’ personal identification information,” and Yahoo “made a conscious and deliberate decision not to alert any of Yahoo’s customers that their [personal information] had been stolen.” Yahoo’s entire user database was available for purchase on the dark web in 2016, and Yahoo purchased it using bitcoin.
The judge was critical of several issues in the settlement. In addition to inadequate disclosures, the proposed notice does not share the total size of the settlement fund. Without this information, class members are unable to assess whether the settlement is reasonable. The judge also found that, given the settlement range (between $69.6–175 million), the attorneys’ fees “substantially exceed[] the 19.4% mean and 19.9% median.”
Additionally, the court took issue with the non-monetary relief, which does little to address security safeguards. This continues to be an issue in data breach cases. Here, the “lack of specific increases in budget or number of employees and the vague commitments as to changed business practices” leave a significant question regarding the benefit of the settlement.
With this ruling, the parties in this case will need to produce a new settlement agreement. Yahoo has successfully settled other claims against it, including federal securities claims.