Yahoo Faces California Data Breach Class Actions

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By David McAfee

Oct. 13 — Yahoo! Inc. is facing litigation fallout in federal and state courts after a high-profile hacking attack that exposed information of over 500 million accounts.

Howard M. Privette, a partner at Greenberg Gross LLP in Costa Mesa, Calif., told Bloomberg BNA that “it appears that the state plaintiffs want to try to pursue claims under California law on behalf of California residents, rather than have their claims mixed together with residents of other states in a single huge federal lawsuit.”

The plaintiffs and their counsel more than likely picked California because of the state's “strong consumer protection statutes,” Privette said. California has among the strictest laws governing data security and privacy issues, he said.

“Class action defense counsel often consider federal court to be a more hospitable forum, and I would not be surprised to see Yahoo try to have these cases removed to federal court under the Class Action Fairness Act,” he said.

Whether to file a consumer class complaint in federal or state court can be a major decision that impacts the overall outcome of the case and the amount of a potential settlement. Plaintiffs and defendants may pick and choose different litigation paths based on the specific facts of the case.

There are six active lawsuits in California state courts filed since the breach became public Sept. 22 (15 PVLR 1881, 9/26/16), according to Bloomberg Law data as of Oct. 13. The plaintiffs in the state cases have raised California constitutional, breach of contract, invasion of privacy and consumer protection claims, Bloomberg Law data show.

Additionally, there is a federal consolidated putative class action in the U.S. Judicial Panel on Multidistrict Litigation and other federal cases arising out of the data breach claims (15 PVLR 1950, 10/3/16).

It is unknown whether Yahoo will file a motion to compel the state court actions to federal court and the company declined to comment on the pending litigation Oct. 13.

Federal or State?

Privette said one of the primary issues plaintiffs in data breach cases face is the requirement that they must have suffered an “injury in fact” traceable to the defendant’s conduct in order to sue in federal court under Article III of the U.S. Constitution (15 PVLR 1799, 9/12/16).

“Although this is still a developing area of the law, a number of federal courts have dismissed data breach cases right at the outset because they found this requirement lacking,” Privette said.

“California courts do not have the same strict Article III limitation on their jurisdiction, and plaintiffs may try to use the absence of that limitation to avoid some of the threshold standing arguments they might face in federal court,” he said.

To contact the reporter on this story: David McAfee in Los Angeles at

To contact the editors responsible for this story: Donald G. Aplin at ; Daniel R. Stoller at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security