Claims against Yahoo Inc. over its handling of data breaches will proceed in Silicon Valley’s federal court.
The plaintiffs- four consumer classes, including small businesses, Israel-based users, and paid and free users of the search company’s services-successfully connected alleged injury from the breaches with Yahoo’s perceived inaction despite signs of its cybersecurity vulnerabilities, Judge Lucy Koh of the U.S. District Court for the Northern District of California ruled March 9. The plaintiffs were also able to demonstrate certain contractual relationships to keep the claims in federal court, she ruled.
Yahoo and its small business arm Aabaco Small Business LLC faced California tort, contract, and consumer protection claims stemming from three massive breaches from 2013-16. The complaints were consolidated in Koh’s court.
Koh’s decision ensures that consumers affected by one of the most notorious breaches in cybersecurity history will have their arguments heard in Yahoo’s home court, which has experience in such cases.
Yahoo beat some claims, including those under the California Customer Records Act, which requires companies to implement reasonable data security procedures to protect Californians’ data. The court dismissed claims from other consumer classes because they didn’t allege sufficient harm.
The breaches at Yahoo, which exposed the data of about 3 billion user accounts, triggered waves of public outcry and congressional investigations. Verizon Communications Inc. closed its acquisition of Yahoo last year, paying a lower price than the earlier agreed-upon price partly due to the breaches.
Plaintiffs alleged that earlier data security shortcomings should have put Yahoo on notice that it was prone to cyberattacks. They claimed that Yahoo “failed to adequately protect its users’ accounts, failed to disclose its inadequate data security practices, and failed to timely notify users of the data breach,” according to the opinion.
Yahoo’s alleged data security shortcomings date back to 2008 and 2009, when cybercriminals first hacked its networks, according to the opinion. Data security incidents continued to plague Yahoo to the point that hackers allegedly launched an attack in 2012 to warn the company. The hackers stated in a message that they hoped “the parties responsible for managing the security” of Yahoo “will take this as a wake-up call, and not as a threat,” according to the opinion.
Yahoo was represented by Hunton & Williams LLP. Plaintiffs were represented by Morgan & Morgan LLP, Robbins Geller Rudman & Dowd LLP, Milberg Tadler Phillips Grossman LLP, Lockridge Grindal Nauen Pllp, and Casey Gerry Schenk Francavilla Blatt & Penfield LLP.
A Yahoo spokesman didn’t immediately respond to Bloomberg Law’s email request for comment.
The case is In re Yahoo! Inc. Customer Data Breach Sec. Litig. , N.D. Cal., No. 16-md-02752, 3/9/18.