Finally, at last, the end may be near,
For the multiple class actions that Yahoo did bear.
Arising from three data breaches that occurred in the past,
A proposed settlement has been reached, let’s start with the class.
The proposed settlement class under Rule 23,
Includes residents and small businesses, both U.S. and Israeli.
Who from 2012 to 2016 had Yahoo accounts,
Of course, this will not include those who validly opt out.
This proposed settlement class covers about a billion accounts,
Upwards of 200 million individuals, almost too many to count!
Drafted deliberately broad to cover users from 2012 to ’16,
This is notable since the first breach occurred in 2013.
Despite this being the case, there was an expert report that had shown
Multiple intrusions occurring in 2012, with damages unknown.
To provide robust protection and cover all who may have suffered,
The class period was drafted to provide a small buffer.
Critical to the proposed settlement is enhanced data security,
In response to what the plaintiffs identified as Yahoo’s deficiencies.
The proposed business practice commitments lay out new security rules,
Like increasing the security team headcount and enhanced intrusion detection tools.
The settlement also requires $50 million to be paid
After the court enters the Final Approval of Order and Judgment, within 20 days.
The fund will compensate settlement class members for out-of-pocket costs,
And will reimburse those who paid for email services 25 percent of what they have lost.
In addition to the $50 million, Yahoo has agreed to cover the fees
For two years of credit monitoring services from AllClear ID.
For settlement class members who do not need identity theft protection,
The settlement fund will be used to provide alternative compensation.
And last, but not least, let’s discuss attorneys’ fees,
Thirty-five million dollars it is promised to not exceed.
And $2.5 million dollars in litigation costs and expenses,
Are you keeping track of Yahoo’s costs? They truly are tremendous.
In exchange for all this, the settlement class members have agreed
To release all claims against Yahoo, for which they have grieved.
And while the parties reached a settlement, it is really for the court to decide,
Whether these terms are fair and reasonable, or if they are denied.
Thus, while it seems like the end, there is still a ways to go –
On November 29, the parties will hear from Honorable Judge Koh.
For now, let this proposed settlement be a lesson to us all:
While Yahoo can withstand it, a data breach could be a company’s downfall.
Sadia Mirza is an Orange County-based attorney at Troutman Sanders LLP, a national law firm with offices across the country, including three in California. Mirza focuses on cybersecurity and privacy issues and compliance across the consumer financial services industry.