On Friday, March 9, 2018, United States District Court judge Lucy Koh handed a victory to the plaintiffs in the data breach case filed against Yahoo! Inc. and one of its subsidiaries. In ruling on the second motion to dismiss filed by Yahoo!, Judge Koh found in favor of the plaintiffs on many of the claims. The ruling means that Yahoo! must file an answer to the plaintiffs’ operative complaint and the case will move forward to the next stage.
The Yahoo! litigation, which was centralized by the Judicial Panel on Multidistrict Litigation in front of Judge Koh, a federal judge in the Northern District of California, concerns three separate data breaches: A breach in 2013, a breach in 2014, and a “forged cookie” breach.
Yahoo’s public announcement of both the 2014 and 2013 breaches generated numerous headlines given their sheer size. For example, the 2014 breach is estimated to have involved 500 million Yahoo! user accounts. And that is not even the largest one. After announcing the 2014 breach, Yahoo! then announced the 2013 breach, which Yahoo! originally estimated to have affected 1 billion user accounts. Nearly a year later, after the litigation was filed, Yahoo revised that estimate upward to include every Yahoo! account; roughly 3 billion. Yahoo! made this revised estimate public only after it had announced an agreement to sell its operating assets to Verizon.
Plaintiffs in this litigation, led by an Executive Committee, allege that Yahoo! had a culture of lax data security and ignored warnings that its stored data, including users’ personally identifying information, was vulnerable to large-scale hacking efforts. As a result, Plaintiffs allege, its data security was breached in a spectacular fashion.
Judge Koh’s most recent ruling comes after Yahoo! tried to have several of the legal claims made by the plaintiffs either trimmed or dismissed outright. Judge Koh rejected many of the arguments made by Yahoo! and allowed numerous of the claims to proceed.
By: Jeremy K. Robinson