A federal court recently issued a decision approving a class action settlement resolving litigation stemming from five Yahoo! data breaches that occurred from 2012 to 2016 and affected at least 194 million Yahoo! customers. The company agreed to establish a $117.5 million settlement fund and institute numerous business practice changes designed to prevent future data breaches. Of particular interest in the approval order, however, was the Court's comparison of the instant settlement to a prior in-district data breach settlement. A review of the approval order provides insight into the factors judges analyze to ensure settlements are reasonable, proper, and in the best interests of the class.

Factors Considered in Evaluating the Settlement

In evaluating a proposed class action settlement pursuant to Federal Rule of Civil Procedure 23(e), a district court must determine if a settlement "is fundamentally fair, adequate and reasonable." In doing so, courts may consider, among other factors, the strength of plaintiffs' case, the risks, expenses, complexity, and duration of further litigation, and the total settlement amount. In Yahoo!, the Court found that all of these factors supported the approval of the settlement. Specifically, with respect to the risk, expense, and complexity, the Court noted that the parties reached a settlement prior to the Court's ruling on hot-button issues, namely class certification and the filing of any Daubert motions. Thus, the Court was convinced that settlement avoided significant further litigation and provided the class "with timely and certain recovery."

Comparison of Settlement Amount to Other Data Breach Settlements

In addition, the Court undertook a careful review of the overall settlement amount as compared to the prior in-district settlement associated with Anthem Inc.'s 2015 medical information data breach. See In re Anthem, Inc. Data Breach Litigation.

Comparing Yahoo!'s $117.5 million settlement fund for a class of approximately 196 million to Anthem's $115 million settlement fund for a class of approximately 79 million, the Court noted that Yahoo!'s per-capita settlement recovery was $0.60 - much smaller than Anthem's $1.46. In addition, the Court found that "there [were] numerous factors in the instant case that create[d] the expectation of a larger recovery for the Settlement Class than in other data breach cases." Specifically, Judge Lucy H. Koh focused on the fact that Yahoo! had multiple data breaches over a five year period and, in each instance, denied knowledge of any breach in its filings with the Securities and Exchange Commission and delayed notifying its users even when it "had contemporaneous knowledge of the breaches." The Court determined that these circumstances "weigh[ed] in favor of a larger settlement" than Anthem, but acknowledged that the personal information at issue may not have been as sensitive as the information stolen in Anthem.

The Court also explained that the Yahoo! settlement "compares favorably [to Anthem] in some respects but unfavorably in others." For example, Yahoo! provided two years of credit monitoring while Anthem provided six years, but Yahoo! capped out-of-pocket expenses at $25,000 while Anthem's settlement class members were capped at only $10,000. Nevertheless, the Court found Yahoo!'s settlement largely followed the Anthem settlement and concluded that the settlement "is a significant sum" and provided "adequate recovery to the settlement class." Further, the Court was satisfied with the non-monetary business practice changes Yahoo! agreed to implement to prevent future data breaches. These included allocating at least $66 million a year to its information security budget, the employment of 200 full-time security employees, and a commitment to undergo annual third-party security assessments.

Conclusion

Yahoo! makes clear that judicial review of the adequacy and reasonableness of large class action settlements does not take place in a vacuum. To the contrary, the case serves as a reminder that courts rely on prior in-district settlements as points of reference for evaluation of reasonableness, and that ultimately, judges are inclined to approve a settlement if they find that class members will receive an adequate recovery.

Is Your Class Action Settlement Reasonable? A Look Inside The Court's Approval Of The Yahoo! Data Breach Settlement May Shed Some Light

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mr Marc Palmer
Proskauer Rose LLP
Eleven Times Square
(Eighth Avenue & 41st Street)
New York
10036-8299
UNITED STATES
Tel: 2129693000
Fax: 2129692900
E-mail: gpolk@proskauer.com
URL: www.proskauer.com

© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing