Slashdot Mirror


US Judge Rejects Yahoo Data Breach Settlement (reuters.com)

A U.S. judge rejected Yahoo's proposed settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history, faulting the Internet services provider for a lack of transparency. From a report: In a Monday night decision, U.S. District Judge Lucy Koh in San Jose, California, said she could not declare the settlement "fundamentally fair, adequate and reasonable" because it did not say how much victims could expect to recover. Yahoo, now part of New York-based Verizon Communications, was accused of being too slow to disclose three breaches from 2013 to 2016 that affected an estimated 3 billion accounts. The settlement called for a $50 million payout, plus two years of free credit monitoring for about 200 million people in the United States and Israel with nearly 1 billion accounts.

21 comments

  1. $50M for 200M people by MachineShedFred · · Score: 5, Insightful

    So everybody gets a shiny quarter for having their account information ripped.

    No wait, forgot about the lawyers and legal fees. Now everyone gets a dime and a law firm gets fkin rich.

    That's definitely a fair settlement. I can't imagine why a judge would toss it out.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    1. Re:$50M for 200M people by Anonymous Coward · · Score: 0

      You're right that the class members could have looked for a firm to handle this for free or much less than it actually cost in legal fees.

      End result: everyone gets nothing, and Yahoo faces no consequences at all.

      Which is the better outcome?

    2. Re: $50M for 200M people by Anonymous Coward · · Score: 0

      A bigger restitution is the better outcome. The judge rejected the settlement -- maybe would have approved a better one -- so the better outcome can be figured out in court.

    3. Re:$50M for 200M people by Anonymous Coward · · Score: 0

      You're right that the class members could have looked for a firm to handle this for free or much less than it actually cost in legal fees.

      End result: everyone gets nothing, and Yahoo faces no consequences at all.

      Which is the better outcome?

      Yahoo facing no consequences would be the better outcome, since it would clearly demonstrate that the tort system is broken.

      All these Libertarians and right wing conservatives that falsely assume lawsuits are going to fix things might actually get a clue and stop being delusional about the need for regulation. We might even be able to get them to stop equating regulation with socialism (I might be overly optimistic here).

      In which case the tort system could be replaced with something better, something that leads to real consequences with no opportunity to just pass costs on to the consumer (or the ordinary minority stock holder with no voting power), something that doesn't primarily serve the interests of special interest groups (such as legal professionals) while doing enormous long-term economic, social, and legal harm to society.

      People harmed by Yahoo's negligence wouldn't get compensation, but they're not getting anything anyway (anyone thinking otherwise hasn't been paying attention), so over the long term everybody (except the special interest groups) would be better off.

    4. Re:$50M for 200M people by Anonymous Coward · · Score: 0

      >demonstrate that the tort system is broken.
      >Libertarians ... might...get a clue and stop being delusional about the need for regulation.

      Those broken courts are also your only protection from the government. You can see how it's brain dead to count on the free market to just generate free lunch solutions to social ills, but can you see that it's just as ideologically motivated and economically ignorant to assume regulators make things better just because they do something? Okay, we need some authorities and regulations, granted. But we also need anti-authoritarians and regulation skeptics. And I would argue our default should be regulation skepticism.

    5. Re:$50M for 200M people by alexo · · Score: 1

      You're right that the class members could have looked for a firm to handle this for free or much less than it actually cost in legal fees.

      End result: everyone gets nothing, and Yahoo faces no consequences at all.

      Which is the better outcome?

      1. False dichotomy

      2. Class members are usually opted into a class action without their knowledge or consent.

    6. Re:$50M for 200M people by Anonymous Coward · · Score: 0

      How about this? Any company that handles data in a careless way goes down. A criminal case is started and people go to jail. So Google, Facebook, Amazon and others are removed. Some execs and employees serve 5+ years in prison.

    7. Re:$50M for 200M people by Anonymous Coward · · Score: 0

      You can see how it's brain dead to count on the free market to just generate free lunch solutions to social ills, but can you see that it's just as ideologically motivated and economically ignorant to assume regulators make things better just because they do something?

      You're jumping to conclusions. I wasn't making any such assumption. The problems with regulation (such as regulatory capture) are well documented - and my statements were made in full knowledge that these problems exist.

      They were also made in full knowledge of the fact that Adam Smith pointed out in 1776 that some regulation is necessary in an economic system that serves the public good, in his seminal work on what we today call capitalism (The Wealth of Nations).

      Getting reasonable fixes for bad regulation is likely to prove a simpler problem than curing the cancer known as unethical practice of law, which has metastasised and spread throughout the entire US legal system, and is slowly killing the patient. No unbiased person, with an open mind, can possibly examine US legal history and not come to the conclusion that there are serious and crippling problems in legal ethics - and they are getting worse.

      Economists have done numerous studies supporting this conclusion: see The Captured Economy.

      The tort system can not be relied upon to fix problems: it can be relied upon to do enormous social and economic harm.

      Other nations have managed to implement many systems subject to regulation that are reasonably efficient, admittedly with some struggle. Even with respect to simple things like internet service, the USA is quite backwards compared to other nations.

      We're never going to have a perfect system, but the one we do have is badly broken and there is plenty of room for improvement.

      Those broken courts are also your only protection from the government.

      In many cases, those broken courts are a big part of the reason government has been allowed to become a problem, in which case they aren't protecting me from the government. Judges selected by politicians influenced by campaign contributions aka bribes will probably not turn out to be good judges.

    8. Re:$50M for 200M people by Anonymous Coward · · Score: 0

      You know, the amount of legal work that doesn't happen anywhere near courts vastly outweighs the amount that does. The only larger gulf I can think of is the difference between media-reported legal work and that that never gets reported anywhere.

      An unbiased person might realize they have little idea what goes on in a giant field of well over a million professionals and not just assume 'legal ethics are getting worse' because of some high-profile shit they don't agree with. And the tort system fixes thousands of problems every day- you just don't read about them because reasonable parties settle and agree to non-disclosure.

      Now, given there are about 15% more lawyers than there were 10 years ago, I think it's simple math to say there are 15% more unethical lawyers. But that's not what you meant.

    9. Re:$50M for 200M people by Anonymous Coward · · Score: 0

      It isn't a false dichotomy and you clearly misunderstand class action lawsuits.

      Perhaps you're aware of some case that says you can be bound to a class without notice and would care to share it with us? Didn't think so, because it doesn't exist. One of the reasons why is that the individual, whose damages weren't large enough to litigate directly in the first place, certainly isn't going to sue over the even smaller difference between those damages and the award on offer.

    10. Re:$50M for 200M people by Anonymous Coward · · Score: 0

      An unbiased person might realize they have little idea what goes on in a giant field of well over a million professionals and not just assume 'legal ethics are getting worse' because of some high-profile shit they don't agree with.

      There you go, jumping to conclusions again. What makes you assume it's the high profile stuff that is leading to this conclusion?

      When examination of legal history leads to the same conclusions as economic studies (which through statistics take into account what all those professionals are collectively doing), a sensible person should take notice.

      In the social sciences, it's really hard to get the same results using multiple techniques, because the measurement methods are so primitive. But that's exactly what's happening here.

      And the tort system fixes thousands of problems every day- you just don't read about them because reasonable parties settle and agree to non-disclosure.

      It also causes thousands of problems every day. These problems are often not seen by ordinary people, because they don't understand how the economy is interconnected. Organizations and individuals are forced to take many precautions because of the fear of lawsuits, which are often expensive and sometimes result in infringement of fundamental rights.

      For example, businesses or private individuals often fence-off property - thus infringing the right to roam (a right that has existed for centuries in many legal traditions and certainly should exist in the "Land of the Free" - and not just on navigable waterways) - because of fear of lawsuits.

      While the USA was fighting the "Civil Rights Movement" to get rid of the highly illegal Jim Crow laws, the British were fighting their own Civil Rights Movement for the right to roam - and they won. The outcome is ironic: despite the US historical inheritance of the English legal tradition, and the notion that the USA is supposed to be the "Land of the Free", people in Britain today have far more freedom to exercise some fundamental rights than Americans do.

      The need to buy insurance to protect against liability - and to take other defensive measures against abuse of the tort system - affects most business (and every individual that is saving for retirement will sooner or later probably be wise to get personal liability insurance). All of these defensive measures cost money, which has a variety of economic effects, which are multiplied by compounding throughout the economy from node to node in the logistics networks of businesses. To make matters worse, it's not just simple compounding: there is feedback. Increased costs for the farmer mean increased costs for the plumber, who in turn has to charge the farmer more for plumbing services, and hence the feedback. Logistics networks are graphs not trees.

      The problems are especially bad in health care, with the USA spending roughly 17% of GDP on health care, compared to 9-11% for other developed nations - and getting worse results on many key indicators. It's not just the direct final-stage expenditures on liability insurance that are in play here, but the compounding effect of all the economic elements needed to deliver the goods and services required for health care.

      Studies done for insurance companies show that tort expenses in the USA, whether taken per capita or as a fraction of GDP, greatly outweigh the corresponding expenses in other developed nations (by 2-3x, Risk Management and Insurance - Rejda). The indirect expenses probably swamp the direct ones, since the insurance companies are paying for a lot of these tort expenses, and they need to make a profit after overhead. Plus there's all the defensive measures (a larger legal staff, retention procedures, special software, special training, and so forth) organizations such as businesses need to take - above and beyond insurance (or sometimes as a requirement for getting insurance) - all of which cost money.

      The net effect is that legal ethics pro

    11. Re:$50M for 200M people by dcw3 · · Score: 1

      Class members are usually opted into a class action without their knowledge or consent.

      Not sure where you got that from, I've been a member of more class action suits than I can remember, and normally receive something in the mail stating that I've been identified as part of the class action, and notifying me of my rights to litigate it...often separately.

      --
      Just another day in Paradise
  2. My Yahoo email just got hijacked last week. by King_TJ · · Score: 1

    I had a very old email address with an swbell.net domain (the old Southwestern Bell telephone), from back when they were my dial-up 56K ISP in St. Louis, Missouri.

    I had an opportunity to migrate it over when AT&T started handling DSL service, and later, U-Verse broadband service in the area. Since they partnered with Yahoo by that point, they had them do the mail hosting -- so the account stayed live with Yahoo even after I moved away from St. Louis and started using other services like Comcast.

    To be honest, that address had started collecting so much spam, it wasn't a HUGE problem to just let it go and use other accounts after it was hacked. But my frustration is with the lack of ability to actually communicate with anyone at Yahoo to try to get the account back again. When I try to reset the password, it prompts me for my security questions. But both of them are ones I know I never set up. So of course, I can't answer them correctly. When I tried to Google for assistance, I found a number of different pages with conflicting info on how to deal with the problem. Some referred me to AT&T support pages, which have nothing to do with the issue -- beyond them migrating my swbell.net account to Yahoo while I was an AT&T customer, years and years ago. It looks like I *could* have proactively implemented 2 factor authentication for the account at some point .... but that's "water under the bridge" now.

    It's obvious the company really just wants to automate things like their email accounts and wash their hands of any problems they can related to lost passwords, stolen accounts, etc.

  3. Use yahoo mail? by Anonymous Coward · · Score: 0

    Does anyone still use yahoo mail?

    1. Re:Use yahoo mail? by Anonymous Coward · · Score: 0

      I do!

  4. How to know if I'm affected? by danbuter · · Score: 1

    Is there a way to know if I'm affected by the breach? I'm assuming I am, as I use Yahoo Mail.

    1. Re:How to know if I'm affected? by Anonymous Coward · · Score: 0

      What's your email address?

    2. Re:How to know if I'm affected? by godel_56 · · Score: 1

      Is there a way to know if I'm affected by the breach? I'm assuming I am, as I use Yahoo Mail.

      Just assume you have been breached and change your password to something completely new.

  5. Have I Been Pwned dot com by Anonymous Coward · · Score: 0

    https://haveibeenpwned.com/

    Strangely enough, the only e-mail address that I use which is not pwned is my Yahoo (rocketmail) e-mail dating back to the mid 1990's. My Google and work accounts are all pwned according to this website.

  6. the moon by jmccue · · Score: 1

    yahoo, first of all who used their real name and address when creating their email address?

    Second I am far more worried about the Equifax breach. That company got away with far worse than what Yahoo did. Equifax should be paying for 20 years of credit checks plus full restitution if your identity is stolen.

    But nice, will be fun seeing how the 25 cent check is mailed to:

    Melvin
    4 via Moltke
    Mare Tranquillitatis
    Moon x192t34-9a911z

    1. Re:the moon by Anonymous Coward · · Score: 0

      I hope to live to see the day addresses require Earth or Moon or Mars or something else appended :D