Your browser is unsupported

We recommend using the latest version of IE11, Edge, Chrome, Firefox or Safari.

Yahoo Faces Wave of Data Breach Class Actions

Yahoo was hit with another blow following the revelation that it suffered an unprecedented data breach: a wave of class action suits. This data breach stands to be the largest data breach in history — affecting at least 500 million user accounts. This breach is believed to have been perpetrated by a “state-sponsored actor” in late 2014.

Bob Lord, Yahoo’s Chief information Security Officer (CISO), stated that hackers accessed names, email addresses, telephone numbers, birth dates, security questions and passwords associated with the breached accounts. Lord said last week that the company does not believe that hackers obtained information about financial accounts. And, most of the passwords were encrypted.

At least three separate complaints have been filed to date across the country: Havron v. Yahoo, S.D. Ill., No. 16-cv-01075; Myers v. Yahoo, S.D. Cal., No. 16-cv-02391; Schwartz v. Yahoo, N.D. Calif., No. 16-cv-05456.

The complaints all allege that Yahoo failed to adequately protect users’ information. For example, one complaint alleges, “Yahoo’s failure to safeguard its users’ very personal, sensitive information, in direct violation of its promises, is utterly unacceptable in this day and age.”

Some complaints also include allegations related to the delay between the data breach and Yahoo’s disclosure, potentially in violation of data breach notification laws. Per these complaints, the lag time prevented users “from protecting themselves from the security breach.”

Cases like these are regularly dismissed for lack of standing. These type of cases are dismissed on the basis that consumers can not establish an “injury” based on their fear of future economic harm. However, recently, the Seventh Circuit Court of Appeals reinstated a class action lawsuit against Neiman Marcus, which suffered a data breach in 2013. The Seventh Circuit ruled, consumers “should not have to wait until hackers commit identity theft or credit card fraud” before proceeding in court.