Judge Trims Claims in Yahoo Email Data Breach Class Action Lawsuit

Top Class Actions’s website and social media posts use affiliate links. If you make a purchase using such links, we may receive a commission, but it will not result in any additional charges to you. Please review our Affiliate Link Disclosure for more information.

A federal judge trimmed some claims in a Yahoo email data breach multidistrict litigation, but lets others stand, finding flaws in most of the consumers’ effort to sue for punitive damages.

On Friday, U.S. District Judge Lucy Koh stated that some of the consumers did not face previous harm done by Yahoo, and could only claim that they were in danger of future harm from the data breach. However, she did note that other consumers’ injuries qualified as past harm done by the data breach.

Judge Koh said that the consumers made several valid claims — she noted that the plaintiffs had sufficiently alleged that Yahoo knew that their system had severe vulnerabilities as early as 2012, but did not disclose this to consumers and did not take adequate steps to enhance their security.

Judge Koh also sided with plaintiffs when Yahoo claimed that consumers still accessed their email via Yahoo after the data breaches. She argued that consumers “already established their ‘digital identities around Yahoo Mail’” and in general did not have sufficient knowledge to protect themselves against leaks of their personal information. So, Koh determined that the consumers could seek out-of-pocket compensation for the impacts of the hack.

In December 2016, class action lawsuits filed against Yahoo for their alleged negligence in preventing a massive data breach were consolidated in the Northern District of California by Judge Koh. In April 2017, the merged complaint was filed, representing in its Class all current and former Yahoo users who had identifying information exposed or compromised in the data breach.

According to the announcement made by Yahoo in 2016, the company’s system was infiltrated by hackers in 2014. Information stolen included names, passwords, and other account information from over 500 million users.

The 2014 breach was allegedly determined to be the largest in history until Yahoo revealed that they had experienced a 2013 data breach exposing information of 1 billion of its users. They later revised this statement to say that they believed the number of impacted consumers was 3 billion. According to Yahoo, this data breach was achieved by hackers through their use of forged cookies that allows them to access account information without a password.

The Yahoo data breach multidistrict litigation developed further when Judge Koh partially accepted but partially denied Yahoo’s August 2017 bid to dismiss the claims against them. In her decision, Koh allowed the consumers to amend their complaint to pursue further litigation.

Yahoo fired back in January 2018, claiming that the consumers’ amended complaint failed to specifically identify how they had been harmed by the data breach. Yahoo claims that this shortcoming has persisted from the beginning of the Yahoo multidistrict litigation, and that it renders the consumers’ case defective.

The consumers are represented by John A. Yanchunis of Morgan & Morgan Complex Litigation Group, Ariana J. Tadler of Milberg LLP, Karen Hanson Riebel of Lockridge Grindal Nauen PLLP, Gayle M. Blatt of Casey Gerry Schenk Francavilla Blatt & Penfield LLP and Stuart A. Davidson of Robbins Geller Rudman & Dowd LLP.

The Yahoo Data Breach Multidistrict Litigation is In re: Yahoo Inc. Customer Data Security Breach Litigation, Case No. 5:16-md-02752, in the U.S. District Court for the Northern District of California.

UPDATE: On Oct. 22, 2018, Yahoo users are seeking approval from a California federal judge for a $50 million settlement deal that would end three class action lawsuits claiming that Yahoo’s negligence led to data breaches affecting American and Israeli email users.

UPDATE 2: On Jan. 28, 2019, a federal judge denied a $50 million Yahoo class action settlement, finding the proposed deal lacked specific information about ways the tech company would improve data security.

UPDATE 3: On April 9, 2019, Yahoo has now agreed to pay $117.5 million to resolve legal claims regarding three large data breaches that affected the internet company.

UPDATE 4: On July 20, 2019, a federal judge has preliminarily signed off on a $117 million class action settlement agreement between Yahoo and accountholders who were affected by numerous data breaches.

UPDATE 5: September 2019, the Yahoo data breach class action settlement is now open. Click here to file a claim.