• by Wendy Davis  @wendyndavis, January 29, 2019

A federal judge has rejected a proposed class-action settlement that would have required Yahoo to pay up to $85 million to resolve claims stemming from massive data breaches that affected billions of Yahoo accounts.

The deal would have created a $50 million fund for around 200 million people whose data was hacked between 2012 and 2016 and who had monetary losses -- either because they paid for credit monitoring, or for premium email accounts. The agreement also provided for up to $35 million in attorneys' fees for class counsel.

U.S. District Court Judge Lucy Koh found the settlement improper for several reasons, including Yahoo's failure to disclose the full details of its data breaches.

“Yahoo misrepresents the number of affected Yahoo users by publicly filing an inflated, inaccurate calculation of users and simultaneously filing under seal a more accurate, much smaller number,” she wrote in a 24-page decision released this week. “Yahoo’s history of nondisclosure and lack of transparency related to the data breaches are egregious. Unfortunately, the settlement agreement, proposed notice, motion for preliminary approval, and public and sealed supplemental filings continue this pattern of lack of transparency.”

Koh also noted that the settlement would have released the company from claims by users whose data was stolen in 2012, although the class-action complaint didn't reference any 2012 data breaches.

“The parties must provide sufficient information for the Court to review the settlement and for class members to make informed decisions as to their participation in the settlement based on any unauthorized access of data in 2012. The current record is devoid of such information,” she wrote. “Yahoo has never disclosed any such harm to its users and continues to deny any data breach prior to 2013. ... Accordingly, the Court and class members have no basis to evaluate the 2012 claims and their release.”

The class-action complaint focused on three data breaches that occurred between 2013 and 2016.

In 2013, hackers stole data -- including, in some cases, names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers -- associated with an estimated 3 billion Yahoo accounts. Yahoo didn't disclose that breach until December of 2016. 

In 2014, a separate data breach resulted in the theft of similar information associated with 500 million accounts; the company didn't disclose that breach in September of 2016, when it was about to be acquired by Verizon.

The third breach, which occurred between 2015 and 2016, involved hackers gaining access to users' passwords by forging cookies. 

The company previously agreed to pay $35 million to settle charges by the Securities and Exchange Commission, which alleged Yahoo misled investors by waiting nearly two years to disclose the 2014 data breach.