Yahoo Breach Combined Class Suit May Grow to 1.5B Accounts


By Daniel R. Stoller

A massive putative class of consumers already suing Yahoo! Inc. over breached personal data may expand to cover another 1 billion compromised accounts, class action attorneys said.

Two huge data breaches that Yahoo revealed in the past four months may be consolidated in Silicon Valley’s federal court, they told Bloomberg BNA.

If consolidated, Silicon Valley stalwart Judge Lucy Koh would likely be tasked with presiding over the largest data breach in history. Her past experience handling some of the technology sector's trickiest cases, such as Apple Inc. and Samsung Electronics Co.'s long-running patent case, may help consumers and companies better handle the complex litigation ahead.

Jay Edelson, plaintiff-side partner and founder of Edelson PC in Chicago, told Bloomberg BNA Dec. 15 that the data breach litigation likely “will get rolled up” into a single multidistrict case. Additionally, any “derivative hacks—i.e. hacks of specific user accounts on other, unrelated services,” may also get pulled into the same multidistrict litigation.

Barry Goheen, class litigation partner at King & Spalding LLP in Atlanta, told Bloomberg BNA Dec. 15 that most data breach litigation gets settled before the court even considers class certification. There may be some commonalities with the breaches, but combining two breaches of such magnitude is “uncharted waters,” he said.

Yahoo said in a Dec. 14 statement that it had discovered a major data breach that affected over 1 billion accounts. The company said it hasn’t been able to identify the intrusion associated with the theft, which occurred in August 2013.

The recent breach has also reinvigorated calls for Verizon Communications Inc. to abandon its deal with Yahoo or drastically cut its agreed-to merger price of $4.8 billion. The deal was expected to close in the early part of 2017, Bloomberg data show, but the recent breach may have impacted those plans.

Yahoo is the ninth-largest public internet media company in the world, with approximately $39 billion in market capitalization, Bloomberg data show.

Similar Hacks, Common Facts?

On the same day as the recent announcement, a class complaint—what is no doubt the first of many—was filed in the U.S. District Court for the Northern District of California claiming Yahoo failed to provide adequate data security to “protect users’ personal and private information.”

Multiple federal class actions were filed over the first breach, which affected over 500 million accounts. The Judicial Panel on Multidistrict Litigation consolidated 14 class complaints from the first breach. The first breach was disclosed in September, but Yahoo may have known about the attack as early as 2014.

The question now is whether lawsuits over the two incidents will be consolidated into a single proceeding. In general, cases aren’t consolidated unless they arise from common questions of fact. In this instance, that might mean whether the hacks in the two breaches were carried out by similar means or exploited some common data security vulnerability.

Goheen said that if the plaintiffs are able to prove through discovery that the same security flaw existed in both data breaches, then class certification may be appropriate. However, a company simply experiencing a prior data breach “doesn’t satisfy commonality at all,” he said.

Although Yahoo may be hoping the cases are consolidated to save attorneys' fees and other litigation costs, it will still have to fight state litigation, federal and international enforcement probes, and almost certain congressional investigations.

Yahoo spokesman Charles Stewart declined to comment to Bloomberg BNA on the ongoing litigation.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
