Yahoo Takes Second Swing at Data Breach Settlement
$117.5 Million Settlement Would Be Largest Ever for a Data Breach, Plaintiffs Say
Yahoo is hoping a revamped proposed breach-related settlement will pass muster with a federal judge who rejected the first one for myriad reasons, including high attorney fees and a lack of transparency.
The revamped settlement, totaling $117.5 million, was filed on Tuesday in U.S. District Court in San Jose. U.S. District Judge Lucy Koh, who oversees the case, must approve the proposal.
Describing the settlement, the plaintiffs' attorneys write that it provides "the biggest common fund ever obtained in a data breach case," comparing it to a slightly smaller settlement reached after health insurer Anthem's massive breach.
"This settlement provides a fair and just mechanism for relief to the class," according to a memorandum supporting the proposed settlement. "It is certain and provides long overdue monetary and non-monetary compensation."
Yahoo, whose sale to Verizon was agreed in 2016, experienced a series of devastating breaches between 2012 and 2014 that came to light only years later. The intrusions compromised virtually all Yahoo accounts and rank among the most comprehensive breaches on record (see: Yahoo Breach Alert: 1 Billion Accounts at Risk).
Yahoo's travails have also served as a warning for companies involved in mergers and acquisitions. Disclosure of the breaches forced Yahoo to discount its sale price during acquisition negotiations by $350 million, to $4.48 billion, and the deal did not close until June 2017. Verizon and Yahoo later struck an agreement over how to share the breach cleanup costs (see: Breach Repercussions: Yahoo Reports Verizon Deal Delay).
Compensation, Credit Monitoring
In January, Koh rejected the first proposed settlement, which included about $50 million for breach victims. She cited six key shortcomings, which the plaintiffs say the revised proposal now addresses (see: Yahoo's Proposed Data Breach Lawsuit Settlement: Rejected).
Many of the terms haven't changed. Victims will receive credit monitoring for at least two years. That offer, which will be provided by AllClear ID, will be open to all in the settlement class at an estimated cost of $24 million.
In response to Koh's earlier criticism, the filing now estimates the size of the class: about 194 million people holding some 896 million accounts. The settlement class comprises users in the U.S. and Israel.
As in the first proposed agreement, some individuals may be eligible for cash payments as reimbursement for out-of-pocket remediation costs related to the breach. Individuals can claim up to $25,000 as long as those costs can be traced directly to the breaches.
Payments to those who already have credit monitoring are capped at $100. If the settlement fund isn't entirely used, the cash payments could rise to as much as $358.
Perhaps to cast the agreement in a more favorable light, the attorneys included a chart comparing the proposed settlement with Anthem's, which had a $115 million common fund (see: Judge Approves Final $115 Million Anthem Settlement).
Administration costs are capped at $6 million. Attorneys' fees are capped at $30 million, plus $2.5 million in expenses, down from the $35 million sought in the first proposal.
Koh had also criticized Yahoo for not committing to improvements in its information security practices. This time around, Yahoo - which is part of Verizon's Oath division - outlined how it plans to improve.
"As part of the amended settlement, Oath will maintain an information security budget of more than $300 million over the next four years and a team headcount of 200; amounts for that are at least four times and three times greater, respectively, than Yahoo maintained prior to this case," the memorandum reads.
Oath will also make other improvements, such as encrypting user database backup files, deploying enhanced intrusion detection tools and adopting NIST's Cybersecurity Framework. It will retain event logs for three years, which the memorandum says is two years longer than the industry standard, a retention window that matters for intrusions that, as in Yahoo's case, go undetected for years. And it has deployed a security information and event management, or SIEM, system.
"Defendants have obtained enhanced intrusion and anomaly detection tools - industry standard tools that were lacking during the period of the breaches," according to the memorandum.