Yahoo Faces Lawsuits Over Breach
But Breach Litigation in U.S. Has Mixed Record of Success
Several civil lawsuits have been filed against Yahoo following a disclosure that 500 million accounts were compromised in what the company claims was a state-sponsored intrusion in late 2014 - one of the largest-ever data breaches.
The quick filing of lawsuits has become a ritual after a major data breach. But such lawsuits often are not successful, and a Supreme Court ruling that it was hoped would provide clarity instead made the legal landscape more ambiguous.
"The results [of lawsuits] to date are very mixed, not in favor of the consumer and very court driven," says Scott Vernick, partner and head of the data security practice at Fox Rothschild LLP in Philadelphia.
Nonetheless, lawsuits are a large headache for companies following a breach, adding to the cost of recovery. Three civil suits have been filed against Yahoo in U.S. District Court for the Northern District of California in San Jose, while USA Today reported that two other similar lawsuits have been filed in Illinois and San Diego.
One of the suits, filed on behalf of New York resident Ronald Schwartz, alleges that Yahoo's "misconduct was so bad" that it allowed access to users' personal information for close to two years. "Despite the fact that the attack took place in late 2014, Yahoo was so grossly negligent in securing its users' personal information that it says that it did not even discover the incident until the summer of 2016," the complaint reads.
Verizon, which announced in July it would acquire Yahoo for $4.8 billion, did not learn of the breach until around two days before Yahoo disclosed it publicly on Sept. 22, the suit says.
"Circumstantial evidence suggests that certain Yahoo insiders did know of the breach long before it was disclosed, but hid it from the public until after a $4.8 billion sale of the company to Verizon," the suit says.
The Wall Street Journal, citing an anonymous source, reported on Sept. 23 that Yahoo actually detected the attack several weeks after it occurred and suspected it originated from Russia. Attackers were seeking data related to 40 Yahoo users, the publication says (see Yahoo Breach: The Great 'Nation-State' Cop Out).
The data breach is expected to complicate Verizon's acquisition of Yahoo, which is winding its way through regulatory and shareholder reviews. Yahoo officials had no comment on the lawsuits.
Did Breach Cause Harm?
To pursue a claim in federal court, plaintiffs must have standing, the legal term for articulating harm caused by another party. Many data breach-related lawsuits have ground to a halt after not gaining standing.
As a result, plaintiffs often then turned to using consumer statutes, such as the Fair Credit Reporting Act and the Telephone Consumer Protection Act, to show violations of law by a defendant in order to get statutory damages.
It was hoped that a class-action suit against data aggregator Spokeo would provide clarity on whether statutory violations were enough for plaintiffs to gain standing. Plaintiff Thomas Robins accused Spokeo of sharing inaccurate information about him, which he alleged hurt his employment prospects. Spokeo, he alleged, violated the Fair Credit Reporting Act.
But the Supreme Court ruling on May 16 didn't provide clarity on whether showing a statutory violation was enough for a case to proceed, Vernick says. It gave both plaintiffs and defendants room to argue either way, he says. The case was sent back to a lower court for more litigation (see Supreme Court Rejects Online Privacy Case).
The language of the ruling "is muddled enough that it sort of gives something for everybody [to argue]," Vernick says. So the landscape is checkered. But if cases overcome the hurdle around standing, odds are they will eventually be settled, he says.
In May, a federal judge in Maryland dismissed a lawsuit against Baltimore-based health insurer CareFirst BlueCross BlueShield following a data breach that affected 1.1 million individuals.
An investigation showed members' names, birthdates, email addresses and subscriber identification numbers may have been compromised. In dismissing the case, the judge said the plaintiffs had not shown that the leak had caused harm or that data had been abused. A claim that those affected by the breach could be harmed in the future was also dismissed as speculative (see Anthem Breach Lawsuit Proceeds; CareFirst Suit Dismissed).
In August 2014, LinkedIn agreed to a $1.25 million settlement for a data breach in June 2012 that at the time was thought to have compromised 6.5 million account details. Consumers were eligible for up to $50 in compensation (see LinkedIn Settles Data Breach Lawsuit). Earlier this year, LinkedIn confirmed that it had vastly underestimated the scope of the breach, with more than 164 million accounts compromised.
Sony Pictures Entertainment, whose network was compromised and then virtually destroyed by North Korean hackers in November 2014, chose to settle a lawsuit filed by current and former employees (see Sony Breach Settlement: A Good Deal?). The settlement provided cash reimbursement for validated losses connected to the attack. Sony dedicated $2.5 million to that fund. Victims are also entitled to free identity theft monitoring services.
In the case of Yahoo, Vernick says it might be difficult to prove consumers were harmed, especially in light of many other breaches. Although the attackers obtained a substantial amount of information from Yahoo, it might be difficult for consumers to show direct harm because cybercriminals sometimes perpetrate fraud based on data from several breaches, Vernick says.
"It's hard to say [a criminal act] is tied directly to the Yahoo breach," he says.