Today, opening a Yahoo account has an almost peculiar feel to it. Millions of people now carry a different kind of weight with that familiar interface: the unspoken awareness that their personal information was probably in the hands of someone else at some point between 2012 and 2016. Not just a few thousand accounts were impacted by Yahoo’s data breaches. They made contact with more than three billion people. The fact that it took years and a federal lawsuit before many users saw any acknowledgment at all may be due to the size of that number, which makes it seem abstract.
The Yahoo class action lawsuit became one of the most important privacy cases of the last ten years, not because the company was particularly bad, but rather because the scope of the case made courts, businesses, and regular people consider the true value of user data. On paper, the $117.5 million settlement that was ultimately reached sounds significant. It’s another matter entirely whether those who filed claims felt that way.
The breaches themselves took place over a number of years, and Yahoo didn’t make them public until 2016, long after the incidents had already happened. The legal argument revolved around that delay. Through the Northern District of California, class counsel negotiated a settlement that covered both US and Israeli account holders and addressed several breach events at once. The fund was created to compensate users for a variety of real-world effects, including reimbursements for paid Yahoo Mail subscriptions, documented out-of-pocket losses up to $25,000, and at least two years of free credit monitoring services for those without credit monitoring. Alternative compensation, ranging from $100 to $358.80, was available to users who already had credit monitoring elsewhere.
The compensation categories might have been carefully thought out. It’s also possible that their design made it difficult for the majority of people to obtain much. Documentation was needed to file a claim. It took time. Distribution didn’t start until June 2023, almost three years after the deadline closed on July 20, 2020, amid a worldwide pandemic. Administrators were only able to start cutting checks and setting up electronic transfers after the appellate court upheld the settlement in September 2022. Physical checks alone could take six to eight weeks to arrive, according to reports at the time. The timeline had a way of making a breach that had impacted people years earlier even more frustrating.
Nevertheless, the Yahoo class action lawsuit accomplished something significant. It set a precedent for holding a big tech company responsible when its security flaws caused widespread harm, albeit a messy and flawed one like most legal precedents. As a result of the settlement, Yahoo, which is now owned by a different corporation, had to enhance its data security procedures moving forward. It’s difficult to say whether that requirement had actual teeth, but it did exist.
There seems to be a more general pattern here that merits labeling. Businesses of a certain size frequently prioritize reputational issues over human issues when it comes to data breaches. At least somewhat, the Yahoo lawsuit challenged that intuition. It stated that there should be repercussions if billions of people entrust a platform with their names, passwords, and email histories and that platform fails to secure them. The settlement wasn’t ideal. It’s likely that many eligible users never filed. It’s possible that many who did got far less than they anticipated.
It’s difficult not to feel that the system functions, albeit very slowly and sometimes not in the best interests of those who are most directly impacted, as you watch this specific case develop over almost ten years, from the breaches themselves to the lawsuits, appeals, and final checks in the mail. As a turning point in data privacy litigation, the Yahoo class action lawsuit will be examined. The majority of the three billion people whose accounts were compromised will likely only remember it as something they hazily heard about years ago on the internet.
