Yahoo Faces Punitive Damages Over Data Breaches
Yahoo Inc. will face punitive damages over data breaches that affected more than 3 billion email user accounts after a federal judge refused to dismiss most of the claims.
March 12, 2018 at 06:12 PM
3 minute read
The original version of this story was published on The Recorder
Yahoo Inc. will face punitive damages over data breaches that affected more than 3 billion email user accounts after a federal judge refused to dismiss most of the claims.
In a Friday order, U.S. District Judge Lucy Koh of the Northern District of California found that plaintiffs had sufficiently pleaded allegations that Yahoo should face punitive damages for its negligence. In particular, the judge cited, Yahoo's former chief information security officers knew there were problems with Yahoo's data security. She specifically referenced internal documents between one of the former chief information security officers and Yahoo's general counsel that contradicted the company's public statements.
“These circumstances make plausible plaintiffs' claim that high-ranking executives and managers at Yahoo, including its CISO, committed oppressive, fraudulent, or malicious conduct,” Koh wrote.
Lead plaintiffs attorney John Yanchunis of Morgan & Morgan in Tampa, Florida, called the decision a “significant win.”
“The order is extremely well written, a tremendous amount of analysis,” he said. “The claims that allow us to get punitive damages are pretty significant. We tether those to negligence claims, and she found if we could provide conduct of reckless nature, we could get punitives from a jury. And that's substantial here.”
Last month, Yahoo, represented by Hunton & Williams, brought in Gibson, Dunn & Crutcher as additional counsel in the case. Ann Marie Mortimer of Hunton & Williams and Theodore Boutrous of Gibson Dunn did not respond to requests for comment.
The case involves three breaches that occurred between 2013 and 2016.
In 2016, Yahoo disclosed that 500 million accounts had been hacked in 2014, compromising names, email addresses, phone numbers, birth dates and passwords.
Months later, Yahoo disclosed another breach from 2013 that affected 1 billion accounts. On Oct. 3, Yahoo parent company Verizon upped that figure to about 3 billion accounts.
In 2017, Yahoo notified users about a third breach that had occurred in 2015 and 2016.
In August, Koh largely refused to dismiss the consolidated complaint.
Friday's order pertained to 11 of the 13 claims in an amended complaint filed on Dec. 19. Those included claims that Koh had previously allowed plaintiffs to amend, plus punitive damages that were added to the case.
Koh didn't uphold all the claims. She dismissed claims that Yahoo violated California's breach notification law by failing to timely disclose the full scope of the 2013 breach, calling those allegations “too uncertain to divine any date of discovery, whether specific or estimated.”
“We're in discovery, and we may be able to come back to her and convince her that that claim should survive,” Yanchunis said.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
A Plan Is Brewing to Limit Big-Dollar Suits in Georgia—and Lawyers Have Mixed Feelings
10 minute read
HUD Charges Texas HOA With Housing Discrimination in Last Days of Biden Administration
5 minute read
Trending Stories
- 1Gunderson Dettmer Opens Atlanta Office With 3 Partners From Morris Manning
- 2Decision of the Day: Court Holds Accident with Post Driver Was 'Bizarre Occurrence,' Dismisses Action Brought Under Labor Law §240
- 3Judge Recommends Disbarment for Attorney Who Plotted to Hack Judge's Email, Phone
- 4Two Wilkinson Stekloff Associates Among Victims of DC Plane Crash
- 5Two More Victims Alleged in New Sean Combs Sex Trafficking Indictment
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
