In what appears to be the first test case for the Northern District of California’s new class settlement guidance, lawyers submitted new details about the $85M Yahoo data breach settlement in response to probing questions from a federal judge.
Following lawyers’ court papers to approve last month’s settlement, one of the largest for a data breach, U.S. District Judge Lucy Koh issued two orders for supplemental information that largely mimic the Northern District of California’s new guidance for class action settlements, widely considered the strictest in the nation.
In a Nov. 9 response, some of which was sealed, lawyers filled up 21 pages answering Koh’s nine questions, which included more information on the potential class recoveries had the case not settled and the lodestar, or the amount of hours billed by plaintiffs lawyers multiplied by their average hourly rates. Among other things, the guidance said lawyers should provide billing calculations in their fee request and estimate the recoveries had plaintiffs succeeded on their claims.
In their response, lawyers attached an exhibit detailing a lodestar of $22 million for 32 law firms, including Morgan & Morgan, New York’s Milberg Tadler Phillips Grossman and Casey Gerry Schenk Francavilla Blatt & Penfield in San Diego. Yet information regarding how much the class could have gotten if the case had not settled was largely sealed.
“Disclosure of this information would reveal class counsels’ work product and mental impressions of the case,” wrote plaintiffs’ lawyer John Yanchunis in a declaration. “Protection of attorneys work product in the form of mental impressions is sacrosanct.”
Neither Yanchunis, of Morgan & Morgan in Tampa, Florida, nor defense attorney Ann Marie Mortimer of Hunton Andrews Kurth in Los Angeles, responded to requests for comment. The defendants are Altaba Inc., the division of Verizon formerly known as Yahoo, and Oath Holdings Inc., which owns Yahoo’s holding company.
Koh plans to hear oral arguments on preliminary approval of the settlement at a Nov. 29 hearing.
In 2016, Yahoo announced that 500 million accounts had been hacked in 2014, compromising names, email addresses, phone numbers, birth dates and passwords. Months later, Yahoo disclosed another breach in 2013 that affected 1 billion accounts, a figure that Verizon increased to 3 billion last year. The settlement also involves a third breach in 2015 and 2016.
The deal is one of the largest data breach settlements in U.S. history. It resolves cases in multidistrict litigation before Koh, as well as those brought in California state court, later coordinated in Orange County Superior Court, and class actions brought in Israel.
The settlement includes a $50 million fund from which consumers can make claims for cash reimbursements of out-of-pocket costs, such as fraud charges and professional fees, associated with the breaches. In addition, Yahoo has agreed to provide at least two years of credit monitoring and identity theft protection insurance to class members, and implement enhancements to its security programs.
Lawyers filed a motion for preliminary approval on Oct. 22. Then, on Nov. 1, the Northern District of California published its new guidance on class action settlements.
On Nov. 2, Koh ordered the lawyers in the Yahoo settlement to provide more information. She also asked why the deal involved 200 million individuals with about 1 billion Yahoo accounts, when three breaches compromised more than 3 billion accounts. She also asked about how they selected the settlement administrator and the number of class members expected to submit claims—both aspects in the guidelines. In a Nov. 5 order, Koh asked more questions about the calculation of the plaintiffs’ fee request and the use and retention of class member data provided in the settlement.
In their response, lawyers said they reached the 200 million figure by estimating that 80 percent of the U.S. population of adults living in the United States had Yahoo accounts during the class period. They noted that the number of accounts dropped after Koh dismissed claims by account users in foreign countries, except Israel. Not to mention, they wrote, many individuals had more than one account.
They estimated that between 1 percent and 3 percent of class members would submit claims, based on other breach cases. They also said that Yahoo is paying for and selected the settlement administrator, whose costs could be more than $5 million.
As to the class member data, lawyers said it would be “stored in a climate-controlled data center, with security cameras and restricted key access,” and transferred through a “secure web portal” and “encrypted file share.”