January 14, 2019
A California judge recently approved a $29 million settlement in three shareholder derivative lawsuits filed against Yahoo!’s former officers and directors over allegations that they breached their fiduciary duties in failing to properly oversee the handling of a series of cyberattacks from 2013 to 2016. Three billion user accounts were compromised in the attacks, making it one of the largest reported hacks in US history.
The settlement is more or less a win for Yahoo’s former leaders, including ex-CEO Marissa Mayer, but by no means cause for a victory lap. The settlement is, to date, the only cash recovery in a derivative action involving a data breach, which sets a potentially dangerous precedent for future breach-related derivative actions.
Until now, breach-related derivative lawsuits have been settled for a combination of governance changes and modest attorney fee awards. The money from the settlement, to be paid by insurance carriers, will go to Altaba, the holding company created after Yahoo’s internet operations were sold to Verizon Communications last year for $4.48 billion.
Under the settlement, the shareholders’ lawyers will walk away with approximately $11 million in fees and expenses, with the remaining $18 million paid directly to Altaba.
While in corporate America $18 million is a relatively modest sum—especially for an Internet pioneer that once touted a market capitalization of more than $100 billion—it begs the much broader question of why the insurers broke with precedent and agreed to a settlement that exceeded governance changes and attorneys’ fees.
The official justification for the settlement payment is that it was in all parties’ best interests and that significant data security improvements have been put in place with the help of the plaintiff’s lawyers. That makes sense and is consistent with past breach-related derivative settlements.
But what accounts for the $18 million now headed for Altaba’s coffers? There are at least five reasons that merit consideration:
First, the 120-page shareholder complaint—much of which is heavily redacted—is chock full of nasty allegations. It accuses Yahoo’s former leaders of engaging in a years-long, elaborate plot to cover up hacks going back to 2013, and conducting a “sham” investigation to “conceal the largest hacking incident in U.S. history.”
Second, Yahoo was a pioneer of the Internet era and provided news, entertainment, and online communications—a confidential way for users to communicate with each other. The expectation was that those communications would stay private, a fact not lost on the shareholders or insurance carriers. It’s one thing for the corner dry cleaners not to understand the importance of consumer privacy. It’s quite another for an Internet company to lose sight of this fact.
Third, shareholder derivative suits are difficult but not impossible cases to win. Shareholders carry a heavy legal burden and must show that board members breached their fiduciary responsibilities by consciously disregarding their duties. These claims have been called “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” Yet, even with such an uphill climb, the insurance carriers clearly saw the risk of potentially damaging facts coming out in the course of the case that might substantiate the allegations in the shareholders’ complaint.
Fourth, the U.S. Securities and Exchange Commission (SEC) cease and desist order against Yahoo for failing to make timely disclosure of the data breach—the agency’s first action for a cybersecurity disclosure violation—also contains fistfuls of harmful charges. In fining the company $35 million for its tardy disclosure, the SEC didn’t mince words. According to the cease and desist order, “Yahoo had learned of a massive breach of its user database that resulted in the theft, unauthorized access, or acquisition of hundreds of millions of its user’s personal data…Yahoo senior management and relevant legal staff did not properly assess the scope, business impact or legal implications of the breach…[and] did not share information regarding the breach with Yahoo’s auditors or outside counsel…”
And finally, although the sale of Yahoo’s Internet assets to Verizon went through, the purchase price was lowered to $4.48 billion because of the cyberattacks and Yahoo’s failure to disclose them during the due diligence process. That resulted in a $350 million or 7.25 percent hack discount.
Even if there’s a hint of truth behind the allegations made against Yahoo’s former leaders, the risks of not settling the derivative cases would be overwhelming and explain the insurers’ motivation for breaking with precedent. At minimum, though, companies and their boards might want to think long and hard before concluding that they have nothing to fear from shareholders.
Craig A. Newman is a partner with Patterson Belknap Webb & Tyler, the New York law firm, and chair of its Privacy and Data Security Practice. All thoughts are his own.