Directors Beware: Yahoo Derivative Breach Settlement—What It Means for Personal Exposure of Directors for Cybersecurity Breaches
This Bulletin is brought to you by AHLA’s Business Law and Governance Practice Group.
- October 04, 2019
- Annette M. Bevans , Hofstra University Maurice A. Deane School of Law , Uniondale, NY
Recently, former directors and officers of Yahoo agreed to pay $29 million to settle a breach of fiduciary duty lawsuit.1 The settlement marks the first time that shareholders have been awarded monetary damages in a data breach-related derivative lawsuit. In the past, such lawsuits have been dismissed by the courts or settled without payment to the shareholders.
Yahoo experienced three separate security breaches between 2013 and 2016 that affected all three billion Yahoo users at the time.2 The information obtained was extensive and included names, emails, phone numbers, dates of births, hashed passwords, and security questions and associated answers. Collectively, the breach marked the largest to date. The 2013 initial breach, of which very little further information has been disclosed, affected all user accounts. Court filings in a related class action have indicated that Yahoo had contemporaneous knowledge of that breach and the following two breaches.3 The second data breach occurred in late 2014. That breach was committed by Russian state-sponsored actors and affected approximately 500 million user accounts. Between 2015 and 2016, a third, separate breach involving forged security cookies affected an unknown number of accounts. Together these incidents affected users of all Yahoo’s various free and subscription-based services across the globe from 2013 to 2016.4
Also noteworthy are the facts disclosed in a Northern District of California class action, which also recently received judicial approval for settlement.5 In the 120-page consolidated class action complaint, the individual users of Yahoo’s paid services affected by the breach alleged misconduct at the highest levels of the organization, citing examples of the directors breaching their fiduciary responsibilities by consciously disregarding their duties. Allegations included accusations of officers engaging in a years’ long cover up and conducting a sham investigation, all with the purpose of hiding the breach from shareholders and the general public. Plaintiffs’ expert in a 92-page report on security outlined specifically how Yahoo’s directors allegedly failed to follow industry standards, respond to breaches, provide and train staff, or acknowledge their contemporaneous knowledge of the breaches, which case filings allege occurred as far back as 2008 and included millions of accounts and internal systems.6
On July 22, 2016, Yahoo and Verizon agreed to a $4.8 billion stock purchase for Yahoo’s internet operations. Yahoo’s initial public disclosure regarding the data breaches occurred two months later in September 2016, when a printed press release disclosed only the 2014 breach perpetrated by Russian state-sponsored agents. After media pressure, Yahoo issued a security notice on December 14, 2016, which revealed the 2013 breach; but only as affecting one billion users. In February 2017, Yahoo began to disclose to customers the extent of the 2015-2016 data breach. As a direct consequence of these public disclosures, Verizon and Yahoo amended the sales agreement and reduced the price by $350 million.7 On June 8, 2017, Yahoo shareholders approved the company's sale of some of its internet operations to Verizon for $4.48 billion.8 Later that year in October, Oath, a subsidy of Verizon, disclosed the 2013 breach had in fact affected all three billion users.9
As a result of these disclosures and the reduction to the sales price of Yahoo’s internet operations, several lawsuits emerged alleging a series of claims, ranging from breach of fiduciary duty to aiding and abetting and misappropriation. The derivative actions were consolidated in the Superior Court of California, which recently approved a $29 million settlement.10 This bulletin considers this derivative action as it relates to personal exposure of directors for cybersecurity breaches.
In re YAHOO! Inc. Securities Litigation—Consolidated Derivative Action
On July 12, 2017, three pending actions seeking to enjoin the shareholder vote on the sale of Yahoo to Verizon were consolidated in the Superior Court for the State of California, County of Santa Clara.11 The deal was set to close July 13, 2017.12 The original actions were filed in Delaware chancery court, California state court, and two federal district courts.
The consolidated amended complaint, dated January 2, 2018, alleged six separate causes of action: (1) breach of fiduciary duty against individual defendants, (2) derivative action for corporate waste against director defendants, (3) direct claim for breach of fiduciary duty against individual defendants, (4) direct claim for aiding and abetting against Verizon, (5) derivative claim for aiding abetting against Verizon, and (6) derivative claim for insider trading and misappropriation against four Yahoo executives.13 Among other things, the complaint alleged that Yahoo officials knew about the data breaches long before they were disclosed to the public and that the defendants sought to cover up the breaches instead of disclosing them to the public.14 The complaint also alleged that several of the individual defendants sold Yahoo stock from their personal holdings after becoming aware of the data breaches and before they were made public.15
After completing discovery, the parties signed a stipulation to stay the proceeding and scheduled mediation to resolve the dispute. The parties’ mediation resulted in the proposed settlement, which was subsequently approved by California Superior Court Judge Brian Walsh.16 The reasonableness of the settlement was determined based on the amount of resources expended during litigation, the class size, and the apportionment of fees.17
The settlement represents the first time shareholders have been awarded monetary damages in a derivative data breach suit. Insurance will provide the $29 million settlement fund, which goes directly to Yahoo’s successor Albata, except for fees and separate payments.18 The settlement includes an award of $11 million for fees, which includes up to $250,000 in attorney’s fees, an $8,875,000 derivative fee, and $2 million directly paid to co-lead counsel for the proxy litigation.19
To be sure, the circumstances involving the Yahoo data breaches are somewhat unique—namely, the scale of the data breaches and the significant lag time before they were disclosed to the public. In fact, underlying the lawsuits and settlements is the amount of time the massive data breach went unaddressed by the directors and officers.
Another notable circumstance is that Verizon renegotiated the price of its asset acquisition, reducing the value of the deal by $350 million, which represented a very significant and undeniable financial consequence resulting from the data breaches.
The lesson for board members is to be on the lookout for security and data breach issues and to disclose them in a timely way. A $29 million settlement might seem small, but it signals that director and officer liability for cybersecurity oversight is entering a whole new era.
Boards should consider implementing, if they have not already, a tailored cyber risk management program to minimize the legal and business risks of a data breach. The program should include having adequate cyber risk insurance to cover the harm of any data breaches as well as appropriate directors and officers liability insurance to cover shareholder derivative claims. Upfront planning can help minimize the effects and repercussions if a data breach does occur.
1 In re YAHOO! Inc. Securities Litig., Stipulation and Agreement of Settlement, No. 17-CV-00373-LHK (Mar. 2, 2018), http://securities.stanford.edu/filings-documents/1060/YI00_03/201832_r01x_17CV00373.pdf; In re YAHOO! Inc. Shareholder Litg, Stipulation and Agreement of Settlement, Case No. 17-CV-307054 (Sept. 14, 2018), https://www.blbglaw.com/cases/00302/_res/id=Attachments/index=0/YahooStipulationSettlement.pdf.
3 In re YAHOO! Inc. Securities Litig, Order Denying Motion for Preliminary Approval of Class Action Settlement, Case No. 16-MD-02752-LHK (Jan. 28, 2019), https://www.courthousenews.com/wp-content/uploads/2019/01/Yahoo-denial.pdf.
4 In the settlement agreement rejected by Judge Koh of the Northern District of California, Yahoo sought a release of claims related to an unauthorized access of data in 2012. Id.
5 In re YAHOO! Inc. Customer Data Security Breach Litig., Order Granting Motion for Preliminary Approval (Jul 20, 2019), https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=2ahUKEwiBtN6j1PbkAhWvV98KHWShCwUQFjADegQIARAC&url=https%3A%2F%2Fyahoodatabreachsettlement.com%2Fen%2FHome%2FGetDocument%2F%3FdocumentName%3DYahoo%2520Preliminary%2520Approval%2520Order.pdf&usg=AOvVaw3VZvGglY6ctDWSjw2Tk0LY.
7 Verizon, Press Release, Verizon and Yahoo Amend Terms of Definitive Agreement (Feb. 21, 2017), https://www.prnewswire.com/news-releases/verizon-and-yahoo-amend-terms-of-definitive-agreement-300410420.html.
8 Bloomberg Law News, Yahoo, Verizon Agreement Nears After Shareholder Approval (June 9, 2017), https://news.bloomberglaw.com/corporate-law/yahoo-verizon-agreement-nears-after-shareholder-approval-1 (subscription required).
9 OATH, Yahoo provides notice to additional users affected by previously disclosed 2013 data theft (Oct. 3, 2017), https://www.oath.com/press/yahoo-provides-notice-to-additional-users-affected-by-previously/.
10 In re YAHOO! Inc. Shareholder Litig., Notice of Pendency and Proposed Settlement of Shareholder Derivative Actions, Lead Case No. 17-CV-307054 (Oct 28, 2018), http://www.bottinilaw.com/sites/default/files/Settled/FULL%20NOTICE.pdf.
11 In re YAHOO! Inc. Shareholder Litig., Stipulation and Agreement of Settlement, Lead Case No. 17-CV-307054 (Oct 28, 2018), https://www.blbglaw.com/cases/00302/_res/id=Attachments/index=0/YahooStipulationSettlement.pdf.
12 Matt Weinberger, It’s official: Yahoo shareholders approve the $4.48 billion sale to Verizon, Business Insider (June 8, 2017), available at https://www.businessinsider.sg/yahoo-verizon-sale-approved-2017-6/.
13 In re YAHOO! Inc. Shareholder Litig, Verified Amended Consolidated Shareholder Class Action and Derivative Complaint, Lead Case No. 17-CV-307054 (Jan 2, 2018), https://www.blbglaw.com/cases/00302/_res/id=Attachments/index=1/2018-01-02%20Amended%20Complaint.pdf.
16 In re YAHOO! Inc. Shareholder Litig, Stipulation and Agreement of Settlement, Case No. 17-CV-307054 (Sept. 14, 2018), https://www.blbglaw.com/cases/00302/_res/id=Attachments/index=0/YahooStipulationSettlement.pdf.