On March 5, 2018, Yahoo! Inc. (Yahoo) announced that it had accepted a proposed settlement in In re Yahoo! Inc. Securities Litigation – a U.S. class action lawsuit launched in the United States District Court for the Northern District of California. The settlement has yet to be approved by the court.

The Yahoo class action was filed in California in January 2017 in response to cyber security breaches experienced by Yahoo.  The first, occurring in 2013, involved the theft of names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions from more than 1 billion Yahoo user accounts.  The second, occurring in late 2014, involved the theft, allegedly by state-sponsored hackers, of similar data from more than 500 million user accounts.

Yahoo disclosed both cyber security breaches in late 2016. Upon these disclosures, Yahoo’s share price dropped. Subsequently, several shareholders launched class action lawsuits, which were eventually consolidated into one proceeding.

The Plaintiffs alleged that, between 2013 and 2016, Yahoo had made materially false and/or misleading statements in its quarterly reports to the Securities and Exchange Commission (SEC). Specifically, the Plaintiffs alleged that Yahoo neglected to disclose that:

  • it had failed to encrypt its users’ personal information and/or failed to encrypt its users’ personal data with an up-to-date and secure encryption scheme;
  • sensitive personal account information from more than 1 billion users was vulnerable to theft; and
  • a data breach resulting in the theft of personal user data would foreseeably cause a significant drop in user engagement with Yahoo’s websites and services.

After extensive mediation, the parties agreed to the settlement announced on March 5, 2018. Under the terms of the agreement, Yahoo will settle the claims for $80 million paid to shareholders, but will not admit to violating securities law or misleading investors.

However, one of the named Plaintiffs did not agree to the settlement terms. Yahoo has moved to dismiss the claims being pursued by this non-settling plaintiff.

With increased inter-connectivity, political tensions, and criminal sophistication, entities that safeguard large amounts of customer data, such as financial institutions and technology companies, frequently face more, and increasingly sophisticated, attacks. Given this and the associated risks arising from a data breach, regular reviews of cyber security practices and the adoption of current industry best practices may help to mitigate this risk.

For more on cyber security within the securities context, please refer to our previous postings on the matter:

Only 61% of issuers address cyber security in their risk factor disclosure. Is your company one of them?

More Cyber Security Lessons from the Canadian Securities Administrators


The author would like to thank Samuel Keen, Student-At-Law, for his contribution to this article.