What Yahoo's rejected settlement means for industry expectations of breach aftermath

With the rise of privacy concerns and proposed legislation, the actions taken after a data breach are under more scrutiny than ever before. When and how a company discloses a data breach is proving just as important as stopping unauthorized access.

Yahoo sat on knowledge of massive data breaches before notifying users that 3 billion accounts were impacted.

That waiting period is now a factor in a judge's decision to reject Yahoo's proposed settlement of $50 million in damages related to its data breaches and two years of free credit monitoring. U.S. district judge Lucy Koh criticized Yahoo's lack of transparency during the time of three data breaches, which took place between 2013 and 2016. The company was unaware of the 2013 intrusion until a third party notified it in 2014.

In its initial settlement, Yahoo offered a payout for about 200 million impacted individuals with close to one billion accounts.

While "providing relief is appropriate, it must be done correctly," said Koh, in a decision released Monday night. The settlement, as proposed by Verizon-owed Yahoo, is insufficient for Koh.

As industry sees breached companies continuously fall on legal woes, companies are under more pressure to secure personal data. GDPR, California's data privacy law and the continuous news cycle on Facebook's questionable data practices are shaping the data privacy narrative in favor of the victims — all too trusting consumers.

How a company deals with the aftermath is now part of the legal ramifications it faces. The damage of Yahoo's data breach is already done, "it's not about the fight, it's about how you resolve the fight," said Avivah Litan, distinguished VP analyst for Gartner, in an interview with CIO Dive.

Yahoo failed to specify how much the breaches' victims could expect in restitution. "Yahoo misrepresents the number of affected Yahoo users by publicly filing an inflated, inaccurate calculation of users," while "simultaneously filing under seal a more accurate, much smaller number," wrote Koh.

The settlement was also rejected for six reasons:

Inadequate disclosures of breaches that also occurred in 2012
Release of the 2012 claims were "improper"
Improper disclosure of the settlement fund size
Settlement fund "appears likely to result in an improper" reverter of attorneys' fees
Settlement doesn't sufficiently disclose "the scope of nonmonetary relief"
The size of the settlement class isn't clearly defined

The matter of transparency

The scope of Yahoo's breaches were unknown until Verizon announced its planned acquisition of the company in 2016, thus adding to the company's public mishandling of the breach and an overall lack of trust. The judge "seemed disappointed in the low class recovery and the high attorneys' fees," Paige Boshell, managing member at Privacy Counsel LLC, told CIO Dive, and specifically highlighted Yahoo's lack of transparency.

"This leads to a really interesting point," said Boshell; transparency is "a privacy concept, rather than a data breach concept."

In comparison to the Anthem 2016 breach settlement, the insurer "was proactive in its disclosure of the breach to regulators and patients and proactive in its remediation efforts," said Boshell. Yahoo, however, is issuing relief years after the initial breach.

Yahoo has exhibited "repeated failures to follow industry-standard security practices," which is highlighted by its less-than-timely disclosure announcements, said Koh. The company failed to report the remaining two billion accounts in existence had also been impacted by the breaches until October 2017.

"Yahoo's history of nondisclosure and lack of transparency related to the data breaches are egregious," said Koh. The three billion accounts illegally accessed cemented Yahoo's place as the largest known data breach in history.

Treating the breach and its aftermath is becoming a common theme in major data breaches. And in this separation, the courts and public are likely to trace all the steps a company took after learning of its breach.

"The post-breach period may be even more critical than the breach itself," said Boshell. Unlike the Anthem breach, Yahoo "bought back" data sold on the dark web, which is "something we definitely don't often hear about," said Litan.

Though it's unknown, Yahoo likely bought the data back to know what data was compromised and who it belonged to. "When the bad guys steal the data, they steal a copy of the data," said Litan, Yahoo wasn't buying it back because it entirely lost it.

A familiar story

During Senate testimony in November 2017, former Yahoo CEO Marissa Mayer said the company was still unaware of how the breach was perpetrated, though knew it was a Russian state-sponsored attack.

Mayer sat beside the former CEO of Equifax Richard Smith during the hearing just as the credit firm was also under intense scrutiny relating to its own data breach.

Similar to Yahoo, Equifax was criticized for its delayed disclosure of the breach, impacting upwards of 145 million consumers. But all companies that offer credit monitoring is nothing short of a PR move, according to Litan.

"Credit monitoring has nothing to do with the data that was stolen," said Litan, and the same is true with the data compromised by the Equifax and Marriott breaches.

The companies face mounting calls for accountability in cases of data negligence. And Yahoo's current predicament is "obviously not a pushover," said Litan. "Every case sets a tone for the next case."