85 Years - A Wake-Up Call for Boards

POMERANTZ MONITOR | NOVEMBER/DECEMBER 2021

By the Editors

In 2013, Russian hackers stole the records of Yahoo’s 3 billion users — including usernames, phone numbers, encrypted passwords and other sensitive information — in what remains, to this day, the largest data breach in U.S. history. In 2014, Russian hackers again compromised the accounts of 500 million Yahoo users. From 2013 through 2015, while Yahoo continued to tout its robust security measures, news of security issues at the company repeatedly surfaced. In 2016, while closing a deal with Verizon, Yahoo finally disclosed the 2014 breach.

Historically, data breach disclosures by publicly traded companies were not generally followed by significant stock price declines, making it difficult to show that investors suffered material harm. With stock prices largely unaffected, cyber-related disclosures, if they engendered any litigation, mainly drove shareholder derivative or consumer protection actions. Data breach securities class actions, when filed, were typically dismissed early on by courts, leaving virtually no precedents.

Pomerantz’s initial investigations revealed a strong indication that Yahoo and its directors had knowingly concealed the company’s deficient security practices and the data breaches of 2013 and 2014. However, the Firm was aware that, given the history of similar litigation, bringing a lawsuit based on such claims was risky. Eager to shape new law, Pomerantz, along with co-counsel, filed a putative securities class action against Yahoo in March 2017.

Jeremy A. Lieberman and Emma Gilmore led Pomerantz’s litigation team. As part of her extensive due diligence, Emma located critical evidence showing that Yahoo’s management had concurrent knowledge of at least one of the data breaches. Importantly, these records showed that Yahoo’s Board of Directors, including Defendant CEO Marissa Mayer, had knowledge of and received repeated updates regarding the breach despite Yahoo denying in its public filings that the CEO knew about the breach. The CEO’s knowledge was a key issue in the case.

The complaint alleged that Yahoo and some of its officers failed to disclose the massive data breaches of 2013 and 2014, as well as two additional data breaches in 2015 and 2016, which affected an additional 32 million Yahoo users. The suit further alleged that defendants knowingly concealed Yahoo’s grossly outdated and substandard information security methods and technologies throughout the class period, while continuing to reassure the public that Yahoo had “physical, electronic, and procedural safeguards that [complied] with federal regulations to protect personal information about [its users],” that it would publicly disclose all security vulnerabilities within 90 days of discovery, and that its data security employed “best practices,” among other misrepresentations.

Beyond the 31 percent decline in share price allegedly suffered by Yahoo’s investors over the course of the class period in reaction to its data breach disclosures, Pomerantz and co-counsel further argued that these data breach disclosures had a substantial and quantifiable financial impact on Yahoo, evidenced when Verizon Communications, Inc. reduced its bid to acquire Yahoo by a whopping $350 million, to $4.4 billion.

After hard-fought litigation, on September 7, 2018, Pomerantz and co-counsel achieved final approval of an $80 million settlement for defrauded Yahoo investors. “While many elements of the Yahoo securities class action may be factually unique,” reported JD Supra’s Carlton Fields and J. Robert MacAneney, “the settlement is a milestone because it is the first significant securities fraud settlement from a cybersecurity breach.”

A month after the class action settlement received preliminary approval from the court, the SEC imposed a $35 million fine on Yahoo in connection with the 2014 data breach, marking the first time a publicly traded company had been fined for a cybersecurity hack. While the SEC acknowledged that large companies are at risk of persistent cyber-related breaches by hackers, it did not excuse companies from reasonably dealing with these risks and responding to known cyber-breaches. The SEC said that Yahoo continued to mislead investors with generic public disclosures about the risks of cyber-related breaches, when it knew a significant breach had occurred.

Following on the heels of this fine, the SEC updated its guidance on cybersecurity disclosures to stress the importance of cybersecurity policies and procedures and advise companies that they need “disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition and results of operations.” It also calls for public companies to be more open when disclosing cybersecurity risks, with companies expected “to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequence.”

Kacy Zurkus, on securityboulevard.com, wrote: Yahoo agreed to settle the securities class action lawsuit to the tune of $80 million, which should serve as a wake-up call for boards. Why? It’s the first of its kind—a milestone shareholder settlement related to a data breach. … [T]here has been little evidence to motivate boards to get started on making real changes—until the Yahoo settlement. The settlement amount—$80 million—is a hefty sum, which makes it much more difficult to ignore the reality that litigation continues to pick up steam.

JD Supra’s Fields and MacAneney presciently concluded at the time that, “Together, the Yahoo proposed settlement and the new SEC guidelines may provide the groundwork that enables plaintiffs’ law firms to bring securities actions to pursue these claims.”