Yahoo and the plaintiffs in the case over a breach of data on three billion user accounts have agreed to a settlement that will require Yahoo to pay $117.5 million.
The parties previously agreed on a $50 million settlement plus attorney fees and other expenses, but it was rejected by US District Judge Lucy Koh in January.
Yahoo and the plaintiffs filed their new proposed settlement yesterday in the US District Court for the Northern District of California. This one will also be subject to a judge's assessment.
"After the Court's refusal of [the first proposed settlement] the parties immediately appointed to address the issues identified by the Court, recast the resolution of this case," said the new proposal. "The Amended Settlement Agreement not only provides the largest common fund achieved in a data breach case ($117,500,000), it significantly moves the references on: the individual claim cap ($25,000), the amount of lost time that can be refunded (15 hours), the minimum rate that this time is compensated for ($25.00/hour) and alternative compensation for those who already have credit monitoring ($100, up to full sales value of $358.80)."
The $117.5 million would pay for the following:
- At least two years of credit monitoring, open to all class members without any cap on the number of potential claimants, at a cost of $24 million
- Solution and administrative costs of no more than $6 million
- Lawyers' fees of no more than $30 million, and costs and expenses of no more than $2.5 million
- Service rates between $7,500 and $2,500 per settlement class representative
- Alternative compensation of $100 for those individuals who already have credit monitoring
- Out-of-pocket expenses related to identity theft, lost time, paid user costs, and small business user costs
The proposed settlement class will include all US and Israeli residents and small businesses with Yahoo accounts at any time between 2012 and 2016. It includes a maximum of 896 million accounts and 194 million people.
The breach in 2013 affected all three billion Yahoo user accounts worldwide, including about one billion accounts in the US and Israel. An attempt to include plaintiffs from Australia, Venezuela and Spain in the case was previously dismissed by the court. The lawsuit also covers two other data breaches, one in 2014 and another in 2016.
"According to the plaintiffs, the defendant has not used appropriate safeguards to protect the user's personal identification information ('PII'), and thus the plaintiff's PII was exposed to hackers who infiltrated sued systems," Koh noted in the January decision. "The plaintiffs also claim that Yahoo 'has made a conscious and conscious decision not to alert any of Yahoo's customers that their PII was stolen.'"
In October 2017, Yahoo revealed that the 2013 breach hit three billion accounts, every one that existed at that time. Before that, Yahoo had said that one billion accounts were compromised. As previously reported, information taken in the breach may have included usernames, email addresses, phone numbers, dates of birth, passwords hashed using the weak MD5 cryptographic hashing algorithm, and in some cases encrypted or unencrypted security questions and answers. Yahoo says "an unauthorized party stole data" and that "all accounts that existed in August 2013 were likely to be affected."
Yahoo was acquired by Verizon in June 2017.
Why the first settlement was rejected
Koh's January decision said the proposal had not adequately disclosed the size of the settlement fund, the scope of non-monetary relief and the size of the settlement class.
The original settlement contained "$50 million to cover-pocket costs, alternative compensation, paid user costs, and small-user user charges," says Koh's decision. But "the settlement fund's total size would have been greater than $50 million because the settlement would separately have provided for lawyers' fees of up to $35 million, expenses and expenses of up to $2.5 million, and service rates of up to $7,500 each for the settlement class representatives."
But it was not clear that all $35 million was needed for lawyers' fees, so much of the $35 million could have returned to Yahoo, "reduc[ing] the total amount that Yahoo had to pay as a result of the settlement" and preventing the court and class members from assessing the reasonableness of the settlement, Koh wrote at the time.
"The only figures the parties commit to in the settlement agreement, pre-approval proposals, and draft proposals are $50 million for the settlement system, up to $35 million in attorney's fees, and up to $2.5 million in legal fees and expenses, totaling $87.5 million," said Koh's January decision. "Based on these figures, lawyer fees will be 40 percent of the settlement fund. In view of the additional funds disclosed by the parties under seal in their additional application, the Court finds that the lawyer's request remains much larger than the 25 percent benchmark standard used in this circuit."
Koh also criticized Yahoo for not committing to specific increases in its security budget.
Unpaid attorney fees will go to victims
In the new proposed settlement, unpaid lawyer fees will remain in the settlement fund for class members.
Yahoo has also committed to "maintaining an information security budget of over $300 million over the next four years and a team corps of 200, amounts at least four times and three times greater than Yahoo maintained before this case."
The plaintiffs requested the court to find that the new settlement agreement is "fair, reasonable and sufficient."
Yahoo has settled several other lawsuits related to the data breaches, including a $35 million settlement with the Securities and Exchange Commission for misleading investors by not disclosing data breaches; $80 million in a federal securities class action related to Yahoo's lack of information on the data breaches; and a $29 million settlement in a shareholder class action.