Data Security

Court rejects Yahoo’s proposal on massive data breach

A California judge believes that the figure proposed by Yahoo is insufficient to address all the damage caused by the 2014 data breach

Lucy Koh, a federal district court judge in San
Jose, California, rejected the proposed agreement for the data breach that Yahoo
suffered back in 2014. According to network security specialists from the
International Institute of Cyber Security, the judge cited at least five
reasons to think the agreement is not adequate.

“Yahoo’s omissions and lack of transparency in
relation to data breach are obvious,” the judge said. “The conciliation
agreement, the notification, the proposal and the motion for approval, all
continue with this pattern of lack of transparency.”

Judge Koh ordered both parties to indicate how
they want to continue the legal process by February 7. Despite the long
negotiations to end the process, the case could still go to trial. If the
parties involved decide to go to trial, they should report to the court before
February 14, experts in network security mentioned. Sources close to the
process claim that the parties will most
likely draw up a revised version of the agreement to re-submit it to the court.

Yahoo's data security incidents have generated an
endless chain of legal proceedings against the technology company. According to
network security specialists, the main problem is that Yahoo decided not to
disclose these incidents according to the legal notification process, so as not
to affect its merger process with Verizon.

When Yahoo reported on the Verizon agreement to
the U.S. Securities and Exchange Commission (SEC), it said it had no knowledge
of data security incidents. However, less than two weeks later (in December
2014) the data breach was disclosed. In 2016 Yahoo even notified the
authorities of a similar incident, almost a year after it occurred.

In April 2018, the SEC imposed a $35M USD fine on
Yahoo for its omissions in the notification of data theft in 2014. This also
hindered the merger process with Verizon, and the agreement was reduced by
more than $350M USD. Yahoo has also faced various legal actions as a result of
these omissions.

In this case, the agreement rejected by Judge
Koh included a fund of $50M USD for those affected by these incidents. The
agreement also included $35M USD in attorney’s fees. However, Judge Koh
stressed that the agreement was not sufficient to cover the costs of credit monitoring
for fraud prevention, nor did it reflect the total impact of the incident.

The agreement would also have released Yahoo from
any data security claim from 2012 or earlier. The judge said that this is
unacceptable, as Yahoo is aware of data security incidents dating back to the
year 2008.

Koh also based her decision on Yahoo’s
failure to establish a plan to improve its computer security practices.
“Yahoo is not committed to doing any specific action to improve its data
management policies, its proposals are just vague ideas so far,” the judge
said.
