Yahoo Mail Application

Yahoo appears to be nearing a final settlement in a class action spurred by data breaches exposing up to 200 million users, even though the presiding judge still has questions about why 32 plaintiffs firms had to be involved in the case.

At a hearing before U.S. District Judge Lucy Koh in San Jose on Thursday, the Sunnyvale-based web services provider got another crack at pitching a proposed settlement in mulitidistrict litigation stemming from a series of data breaches at the company earlier this decade. Earlier this year, Koh smacked down what would've been one of the largest American data breach cases in history—a proposed $85 million settlement including a $35 million attorney fee request—in part, because of a perceived bloat in attorneys fees. 

In April, attorneys involved in the case upped the settlement fund to $117.5 million, with a $25,000 cap for individuals. 

In response to a request to add Daniel Robinson of Robinson Calcagnie in Newport Beach an attorney in state court proceedings, Koh said Thursday she was reluctant to take away more money from class members.

“Why should I expand class counsel?” she said. “I still don't see an answer to my question why 23 law firms were necessary in the MDL and 8 in the state court case?” 

Koh agreed to add Robinson to the executive counsel committee to give the state court plaintiffs representation in the settlement after he promised that he would continue to not bill for any work done after the first proposed settlement.

The judge, who has been presiding over the case since 2016, only authorized five firms to work on the case. Yet, in the initial proposed settlement, plaintiffs lawyers submitted a $22 million lodestar—the amount of hours billed multiplied by their average hourly rates—covering 143 lawyers at 32 firms.

“Specifically, the court finds that class counsel prepared limited legal filings with numerous overlapping issues, and that class counsel completed limited discovery relative to the scope of the alleged claims,” Koh wrote in her 24-page order in January. “Moreover, class counsel fails to explain why it took 32 law firms to do the work in this case.”

At Thursday's hearing, Koh took particular issue with vague language in the short- and long-form notices of the class action settlement. The documents ask Yahoo users to refer back to press announcements regarding the data breaches made as far back as seven years ago. “My impression is that Yahoo doesn't want to admit that it has been breached basically every year since 2012,” she said. “If [the notices is] not clear, I'm not going to approve it.” 

Koh said the notices should include the date and time of the breaches, so that potential victims can make an informed decision. John Yanchunis, lead counsel and head of the class action department for Morgan & Morgan in Tampa, Florida, said it wasn't the intent to make the notices unclear and that legal team would correct the notices in short order.

Koh also orally denied the settlement team's motion to seal information regarding data breaches that occurred in 2012. Yanchunis agreed to revise the motion to only include sensitive technical information.

The settlement team has 14 days to refile the second amended settlement, which Koh said she expects to approve outside of minor nits. After that, she intends to give parties 230 days to opt out of or object to the deal, setting a tentative fairness hearing date of April 2, 2020. 

Yahoo's data breaches leaked the names, email addresses, phone numbers, birth dates and passwords of millions of account holders. The company did not announce its 2014 data breach until 2016.

The Yahoo case was one of the first to be scrutinized under the Northern District of California's new guidelines for class action settlements updated in November 2018. The guidance requires lawyers to detail billing calculations in fee requests, summarize plaintiff recoveries and explain the reasoning behind settlement administrator appointments.

Read more: