Court rejects Yahoo’s proposal on massive data breach

California Justice believes that the figure proposed by Yahoo is insufficient to address all the drawbacks caused by the 2014 data breach

Lucy Koh, a federal district court judge in San Jose, California, rejected the proposed agreement for the data breach that Yahoo suffered back in 2014. According to network security specialists from the International Institute of Cyber Security, the judge cited at least five reasons to think the agreement is not adequate.

“Yahoo’s omissions and lack of transparency in relation to the data breach are obvious,” the judge said. “The conciliation agreement, the notification, the proposal and the motion for approval, all continue with this pattern of lack of transparency.”

Judge Koh ordered both parties to indicate how they want to continue the legal process by February 7. Despite the long negotiations to end the process, the case could still go to trial. If the parties involved decide to go to trial, they should report to the court before February 14, experts in network security noted. Sources close to the process claim that the parties will most likely draw up a revised version of the agreement and re-submit it to the court.

Yahoo's data security incidents have generated an endless chain of legal processes against the technology company. According to network security specialists, the main problem is that Yahoo decided not to disclose these incidents according to the legal notification process, so as not to affect its merger process with Verizon.

When Yahoo reported on the Verizon agreement to the U.S. Securities and Exchange Commission (SEC), it said it had no knowledge of data security incidents. However, less than two weeks later (in December 2014) the data breach was disclosed. In 2016 Yahoo even notified the authorities of a similar incident, almost a year after it occurred.   

In April 2018, the SEC imposed a $35M USD fine on Yahoo for its omissions in the notification of the 2014 data theft. This also hindered the merger process with Verizon, and the agreement was reduced by more than $350M USD. Yahoo has also faced various legal actions as a result of these omissions.

In this case, the agreement rejected by Judge Koh included a fund of $50M USD for those affected by these incidents. The agreement also included $35M USD in attorney’s fees. However, Judge Koh stressed that the agreement was not sufficient to cover the costs of credit monitoring for fraud prevention, nor did it reflect the total impact of the incident.

The agreement would also have released Yahoo from any data security claims from 2012 or earlier. The judge mentions that this is unacceptable, as Yahoo is aware of data security incidents dating back to the year 2008.

Koh also based her decision on Yahoo’s inability to establish a plan to improve its computer security practices. “Yahoo is not committed to doing any specific action to improve its data management policies, its proposals are just vague ideas so far,” the judge said.