On January 4, 2019 a federal district court in California approved a $29 million settlement in a shareholder derivative lawsuit against former Yahoo directors and officers regarding high-profile data breaches at Yahoo between 2013 and 2016. The settlement is a noteworthy departure from other breach-related derivative suits – which have been largely unsuccessful. As the number of data breach derivative lawsuits against directors and officers continues to increase, the relatively large size of this settlement may create valuation expectations that will drive up the settlement costs of other pending and future data breach-related derivative cases.
Yahoo Data Breaches
On July 25, 2016, Verizon announced plans to acquire the core of Yahoo’s Internet business in a transaction valued at $4.8 billion. Less than two months later, in September 2016, Yahoo, the once-dominant internet giant, announced that it had been the victim of a massive data breach in 2014 that exposed the names, email addresses, dates of birth, encrypted passwords and telephone numbers of 500 million users – the biggest known intrusion of a single company’s computer network at that time. Months later, in December 2016, Yahoo disclosed that an even larger breach had occurred in 2013 involving the same type of sensitive information of an estimated one billion Yahoo users. Yahoo subsequently disclosed that all three billion of its users were hacked in the 2013 data theft, tripling its earlier estimate and sharply increasing the legal exposure of its future owner, Verizon. Following the disclosure of these data breaches, Verizon negotiated a $350 million reduction of Yahoo’s sale price, attributed to the reduction in value for Yahoo’s shareholders.
Litigation and Settlement
Yahoo shareholders filed securities and derivative lawsuits against Yahoo’s board and senior managers for their handling of the 2013 and 2014 data breaches. The various derivative suits were ultimately consolidated into one litigation. The consolidated derivative complaint in that action alleges that Yahoo officials breached their fiduciary duties by failing to protect Yahoo’s data, by failing to investigate and remediate the breaches after they occurred, by failing to put proper safety mechanisms in place to prevent such attacks (i.e., “the Board’s refusal to spend necessary money to improve [Yahoo’s] data security infrastructure exposed [Yahoo] to significant hacking incidents”) and by issuing false and misleading statements about Yahoo’s knowledge of the data breaches.
The shareholders maintained that Yahoo officials had “contemporaneous knowledge” of the breaches, failed to disclose the breaches to the public in a timely manner as required by law, and engaged in a “years-long” cover-up of the hacking incidents. In addition, the allegations regarding infrastructure are important because, as data breaches increase and cybersecurity liability becomes a growing concern for executives, the focus is not simply on what a company can do after a breach. Rather, a company needs to be aware of how it can invest in proper safety precautions to avoid future breaches, and the board of directors is expected to lead those efforts to increase awareness and system protections.
The former directors of Yahoo eventually agreed to settle the derivative litigation for $29 million to be paid by insurers on behalf of the individual defendants – as well as Verizon, which faced allegations that it had aided and abetted Yahoo’s failure to disclose the data breaches. Under the settlement, the shareholders’ lawyers secured approximately $11 million in fees and expenses with the remaining $18 million to be paid to Altaba, Yahoo’s successor-in-interest.
This derivative settlement is significant for at least three reasons. First, shareholders previously had little success in holding boards of directors accountable for data breaches. In fact, the $29 million settlement is reportedly the first time shareholders have been awarded monetary damages in a data breach-related derivative lawsuit (although plaintiff attorneys’ fees have been awarded in other cases). The settlement could inspire future civil actions and usher in a new wave of shareholder derivative litigation seeking to hold directors liable for damages to the company resulting from cybersecurity breaches and alleged board oversight duty failures.
Second, Verizon was in the process of purchasing Yahoo when the data breaches were disclosed. As a result of Yahoo’s disclosures, Verizon was able to negotiate a $350 million reduction of the purchase price. Unlike other data breach-related derivative lawsuits, where the actual damages to the company might be difficult to quantify, the reduction in the purchase price constituted a clear example of the damages allegedly sustained by Yahoo.
Third, as in most public company D&O cases, historical settlements are used as points of comparison in pricing future cases for settlement. Now that there has been a substantial settlement of a breach-related derivative lawsuit, we can expect that future litigants in breach-related derivative cases will seek to use the Yahoo settlement as a baseline for arguing for higher or lower settlement amounts.