Updated on 1/30/19 to indicate that Judge Koh issued a superseding order clarifying that she authorized “five attorneys, who are not members of Plaintiffs' Executive Committee, to attend and help prepare their respective clients for depositions.”

The federal judge overseeing litigation targeting Yahoo! Inc. with data breach claims has rejected a proposed $85 million settlement citing a number of problems with the deal—including that the plaintiffs are asking for an “unreasonably high” attorneys fees of up to $35 million.

U.S. District Judge Lucy Koh, who has been overseeing In re Yahoo! Inc. Customer Data Security Breach Litigation since 2016, took issue with the fact that 143 lawyers at 32 firms were included in the $22 million lodestar calculation submitted by the plaintiffs, even though she only authorized five firms to work on the case.

|

Click here to read the full ruling

Koh wrote in a 24-page order issued Monday evening that legal issues involved were “not particularly novel.” The proposed deal, the judge noted, was filed before the parties finished briefing class certification. She also noted that the case involved only a limited number of claims under California law, and class counsel took only 7 depositions, declining to depose Yahoo's proposed experts.

“Specifically, the court finds that class counsel prepared limited legal filings with numerous overlapping issues, and that class counsel completed limited discovery relative to the scope of the alleged claims,” Koh wrote. “Moreover, class counsel fails to explain why it took 32 law firms to do the work in this case.”

Koh issued a superseding order Wednesday clarifying that she only authorized “five attorneys, who are not members of Plaintiffs' Executive Committee, to attend and help prepare their respective clients for depositions.”

Plaintiffs lead counsel, John Yanchunis, of Morgan & Morgan in Tampa, Florida, didn't immediately respond to an email seeking comment.

Koh has been overseeing the multidistrict litigation brought on behalf of 3 billion Yahoo account holders whose data was compromised in three massive breaches dating back to 2013. She previously signed off on an $80 million deal in Sept. 2018, which Yahoo reached with investors who claim the company misled them about the breaches.

In Monday's order, she called Yahoo's track record of nondisclosure and lack of transparency “egregious.” She further found that the proposed settlement failed to disclose that it released claims dating back to 2012, when Yahoo suffered smaller breaches that still affected millions of accounts. Koh found further found that releasing those claims would be improper, that the deal didn't adequately disclose the sorts of business changes Yahoo has made to protect customers going forward, and that estimated 200 million member class size was likely inaccurate.

“Any of these bases would be sufficient to deny the motion for preliminary approval,” Koh wrote.

Yahoo is represented in the matter by counsel at Gibson, Dunn & Crutcher and Hunton Andrews Kurth. Neither Gibson Dunn's Theodore Boutrous Jr. nor Hunton's Ann Marie Mortimer responded to messages Tuesday.

Read Judge Koh's Order:

Koh compared the Yahoo deal unfavorably to two prior high-profile class action settlements that she oversaw—the $415 million settlement on behalf technical workers to settle claims that their wages were suppressed by Silicon Valley companies' alleged agreements to avoid recruiting each others' workers, and the $115 million settlement Anthem reached on behalf of 79 million customers affected by the insurer's data breach.

Koh noted that the lodestar for the Yahoo lawyers was higher than the $18 million figure submitted by the lawyers working on the high-tech worker case, even though the latter had taken 93 depositions, served 28 third-party subpoenas, litigated two rounds of class certification, had handled an appeal in the case, and prepared it for trial.

Moreover, class counsel in In re High-Tech secured a significantly larger settlement of $415 million with more direct payments to class members than the $50 million settlement fund disclosed in the proposed notice here,' Koh wrote.

In the Anthem case, Koh noted, that the insurance company disclosed the breach timely and offered all those affected two years of free credit monitoring prior to settlement. Anthem also committed to tripling its data security budget for three years. By contrast, Koh found that Yahoo delayed disclosure and its customers' data ended up on the dark web.

“Yahoo's history of nondisclosure and lack of transparency related to the data breaches are egregious,” Koh wrote. “Unfortunately, the settlement agreement, proposed notice, motion for preliminary approval, and public and sealed supplemental filings continue this pattern of lack of transparency.”

Worth noting for the Yahoo lawyers: In both the high-tech case and the Anthem data breach Koh gave the plaintiffs lawyers lower fees than they had requested. She granted the high-tech lawyers less than half the $81 million they'd requested and cut more than $9 million from the $38 million the Anthem lawyers requested.

Related stories: