Classified Class Action Blog


No Celebration For Yahoo!: Data Breach Claims Survive Motion to Dismiss

April 12, 2018 by Carlton Fields

After Yahoo! Inc. suffered three data breaches in a span of four years, plaintiffs brought a putative class action lawsuit against the internet service provider and a subsidiary (collectively, “Yahoo”), alleging defendants failed to use appropriate safeguards to protect users’ personal information despite their representations that such information was secure. The breaches included a 2013 hack allegedly due to outdated encryption technology, which affected all three billion user accounts and exposed both personal information and email contents; a 2014 “spear phishing” breach that affected 500 million accounts and led to the sale of users’ personal information on the dark web but was not made public for two years; and a breach in 2015 or 2016 in which hackers used forged “cookies” to access user accounts. Plaintiffs emphasized that Yahoo should have been on notice of its data security issues because of prior security failures, including a 2012 breach that allegedly compromised hundreds of thousands of user accounts and was purportedly designed to highlight the company’s security vulnerabilities.

Plaintiffs brought their claims on behalf of four putative classes, including small business users, paid users, account holders located in Israel, and users located in the United States, with an additional California subclass. Numerous earlier lawsuits arising from the breaches had previously been consolidated in the U.S. District Court for the Northern District of California; after the court granted in part defendants’ motion to dismiss, the operative complaint was filed in December 2017. Plaintiffs alleged thirteen causes of action under California law, including breach of contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, misrepresentation, violation of the California Unfair Competition Law (“UCL”), and claims under the California Customer Records Act (“CRA”) and the California Consumers Legal Remedies Act (“CLRA”).

Defendants again moved to dismiss, and, last month, the court granted the motion in part. As with most data breach class actions, this one raised the issue of standing — specifically, for purposes of the UCL. In particular, with regard to claims under the unfair and unlawful prongs, defendants argued plaintiffs did not establish that they had “lost money or property,” as required for UCL standing. The court partially agreed, dismissing the UCL claims of certain plaintiffs who alleged only that they were at risk for — as opposed to had suffered — identity theft, holding that the threat of future harm did not suffice to establish standing. However, the court refused to dismiss the claims of the plaintiff representing paid users, who alleged he expected to receive secure email services and would not have paid for his account in the absence of such assurances. Relying on the California Supreme Court’s decision in Kwikset Corp. v. Superior Court and the holding of the Northern District of California in In re Anthem, Inc. Data Breach Litigation, the court found these benefit of the bargain losses established standing for purposes of the UCL.

The court went on to dispose of the majority of defendants’ other arguments in favor of dismissal. First, it rejected defendants’ contention that plaintiffs’ claims for deceit by concealment and negligence were barred by the economic loss rule, in light of the parties’ special relationship, and refused to dismiss the concealment claim based on defendants’ arguments that plaintiffs failed to plead reliance or damages. The court also declined to dismiss plaintiffs’ contract-based claims, finding plaintiffs sufficiently alleged the limitation of liability clause in Yahoo’s Terms of Service was unconscionable, and subsequently refused to dismiss plaintiffs’ declaratory relief claim as duplicative of the contract claims because it sought different relief — namely, a declaration that certain provisions of the contract are unconscionable, which would clarify the parties’ rights and govern their ongoing interactions, rather than simply damages for past harms.

The court additionally rejected defendants’ arguments that Yahoo was not subject to the CLRA because its email was neither a “good” nor a “service” subject to the Act and that plaintiffs failed to plead reliance for purposes of that claim. However, it dismissed plaintiffs’ claims under two provisions of the CRA, despite finding injury in fact sufficient for standing. The court held plaintiffs failed to allege when Yahoo had learned of the 2013 breach for purposes of a provision requiring expedient notification, while the statute’s prior definition of personal information precluded plaintiffs’ claim under a provision requiring businesses to maintain reasonable measures to protect such information.

Finally, the court dismissed plaintiffs’ claims for punitive damages with regard to their good faith and fair dealing and CRA claims, finding such damages were unavailable as a matter of law, but refused to dismiss the punitive damages claims with regard to plaintiffs’ negligence, misrepresentation, and deceit by concealment causes of action.

Thus, although defendants’ motion succeeded in part, Yahoo’s data breach saga continues.

In re Yahoo! Inc. Customer Data Security Breach Litigation, No. 16-MD-02752-LHK (Mar. 9, 2018).
