Yahoo Data Breach MDL: $117.5 Million Settlement for 3 Billion Compromised Accounts
Won by CaseyGerry.
Gayle Blatt served on the five-member Plaintiffs' Executive Committee that secured a $117.5 million settlement in multidistrict litigation arising from the largest data breach in history, covering roughly 3 billion Yahoo accounts compromised between 2013 and 2016.
What happened
Between 2013 and 2016, Yahoo suffered a series of data breaches that exposed the personal information of an estimated 3 billion account holders, later confirmed to be the largest breach in history. Stolen data included names, email addresses, telephone numbers, birth dates, hashed passwords, and in some cases encrypted or unencrypted security questions and backup email addresses. What made the litigation more damaging was evidence that Yahoo's senior management and legal teams had learned of the intrusions but did not fully investigate, did not disclose the breaches to users for years, and did not inform regulators or investors in a timely way.
Dozens of federal lawsuits were consolidated into a multidistrict proceeding before Judge Lucy H. Koh in the Northern District of California, docketed as In re Yahoo! Inc. Customer Data Security Breach Litigation, No. 5:16-md-02752. In February 2017, Judge Koh appointed a Plaintiffs' Executive Committee to coordinate the litigation. Gayle M. Blatt of Casey Gerry Schenk Francavilla Blatt & Penfield was named to that five-member committee, and was the only California attorney among the plaintiffs' leadership group.
The committee spent years litigating the scope of the breaches, the adequacy of Yahoo's security practices, and the company's years-long delay in disclosing known intrusions to its users. A first proposed settlement of $50 million was rejected by Judge Koh in 2019 over concerns about how per-claimant recoveries were calculated. Plaintiffs' counsel renegotiated and returned with a revised agreement of $117.5 million, which Judge Koh preliminarily approved in July 2019.
The revised settlement fund included at least $55 million for victims' out-of-pocket expenses and documented losses, $24 million for two years of credit monitoring services, up to $30 million in attorneys' fees, and an additional $8.5 million for case expenses. Individual claimants could recover up to $25,000 for documented out-of-pocket costs. Roughly 194 million class members were covered. A lawyer for the plaintiffs described it at the time as the largest common fund ever obtained in a data breach case.
Judge Koh granted final approval on July 22, 2020. Approximately 1,779 class members opted out of the settlement. The case citation is In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2020 U.S. Dist. LEXIS 129939 (N.D. Cal. July 22, 2020).
Sources
This account is drawn from contemporaneous public reporting and the court record.
- 1.U.S. District Court docket (govinfo.gov), In re Yahoo! Inc. Customer Data Security Breach Litigation, No. 5:16-md-02752-LHK: court record of the MDL before Judge Lucy H. Koh and the Plaintiffs' Executive Committee (Blatt, Davidson, Riebel, Tadler) appointed Feb. 9, 2017
- 2.CBS News (2019): reports the $117.5 million settlement, the rejected $50 million prior deal, and the fund allocation ($55M losses, $24M credit monitoring, up to $30M fees, $8.5M expenses)
- 3.National Law Review (2020): court final approval of the $117.5 million settlement for approximately 194 million class members, July 22, 2020
- 4.Best Lawyers (2026, staffed editorial by Justin Smulison): confirms Blatt as only California attorney on the five-member executive committee and the $117.5 million settlement