Yes, Yahoo's 1B data breach victims can sue the company, judge says

A US judge has ruled that users can sue Yahoo over a host of breaches that occurred between 2013 and 2016.

According to a recent ruling from US district judge Lucy Koh, Yahoo will face litigation regarding a set of data breaches that occurred between 2013 and 2016, and left more than 1 billion user accounts exposed.

In a 93-page response, Koh outlined the multiple breaches that Yahoo dealt with, and how many users were potentially affected. Despite the massive size of the breaches, Yahoo took a long time to disclose them to users, in some cases even years. John Pironti, cybersecurity expert and president of IP Architects, said that Yahoo should be held responsible for its slow response.

"Individuals should have a reasonable expectation that their personal information will be properly protected by the organizations they provide it to and also to be notified immediately upon verification of a breach if their data has been compromised," Pironti said.

While Yahoo argued that the users did not have standing to sue, Koh said otherwise. In the decision, Koh wrote that the data breach victims suffered the "risk of future identity theft" and the "loss of value of PII."

In the response, Koh cited the Adobe Systems, Inc. privacy litigation from 2014, which gave plaintiffs the standing to sue when their PII was exposed in a data breach. Koh also mentioned Remijas vs. Neiman Marcus Group, in which it was decided that the plaintiff didn't have to wait until the stolen information was used before bringing suit, as there was a "reasonable likelihood" that it would happen.

Some plaintiffs alleged that they had spent money to protect themselves against such future threats, and others alleged that they had changed passwords or canceled accounts because of the breaches.

Pironti said that it is ultimately a good thing that the court didn't strike down the ability of the affected users to sue Yahoo, as doing so would have created a "concerning legal precedent" for future breaches.

"If there is no negative consequence for a data breach, organizations may feel more comfortable taking risks with personal identifiable information they collect about individuals they interact with," Pironti said. "This ultimately could result in the relaxing of security controls and requirements which would most likely lead to an increase in data breaches and open the door for less capable and sophisticated adversaries to carry out malicious attacks on system and data."

Yahoo's sale price to Verizon was also affected by the breaches: it dropped by roughly $350 million as a result.

The 3 big takeaways for TechRepublic readers

  1. A US judge has ruled that Yahoo will face litigation regarding the massive data breaches it experienced between 2013 and 2016, leading to exposed user data.
  2. Judge Lucy Koh wrote that the victims were at risk of future identity theft, and a loss of value for their personally identifiable information (PII).
  3. Security expert John Pironti said that it is a good thing that the judge is allowing litigation, as not doing so may have created a dangerous legal precedent for corporate data breaches.
