Yesterday’s post examined a case called In re Yahoo! Inc. Customer Data Security Breach Litigation. In In re Yahoo!, Yahoo sought to dismiss data-breach claims based on disclaimers and limitations of liability contained in Yahoo’s online terms of service.

As we discussed, the court rejected Yahoo’s reliance on security-related disclaimers in those terms of service as a basis to dismiss the plaintiffs’ contract claims. The court granted Yahoo’s motion in part, however, based on limitations of liability contained in the terms of service.

Those limitations precluded recovery of indirect, incidental, or consequential damages, including damages for “loss of data or other intangible losses” resulting from “unauthorized access to or alteration of your transmissions or data.”

But the court invited the plaintiffs to amend their complaint, and gave them a roadmap to avoid dismissal the second time around. The plaintiffs, said the court, might be able to make out a viable contract claim by alleging that Yahoo’s limitations of liability were unconscionable.

A second bite at the apple

The plaintiffs filed an amended complaint that characterized the limitations of liability in Yahoo’s terms of service as procedurally and substantively unconscionable.

The limitations were procedurally unconscionable, said the plaintiffs, because they involved both surprise and oppression. Those limitations appeared in the middle of a clickwrap agreement and could only be viewed after a user scrolled “through many pages of contract legalese.” And Yahoo offered that agreement on a “take it or leave it” basis with no opportunity for negotiation or modification.

As to substantive unconscionability, the plaintiffs alleged that federal and state law already required Yahoo to maintain reasonable data-security measures. By seeking to avoid responsibility for consequential damages—a “clear and well-understood consequence of a data breach”—Yahoo, “an internet titan,” was unfairly seeking to re-allocate risk to individuals “who just want to sign up for an email address.”

Yahoo again moved to dismiss. It argued the plaintiffs could not show “surprise” because the limitations were clear, conspicuous, and prominently displayed in bold typeface. Nor, argued Yahoo, were those limitations oppressive. The plaintiffs willingly chose to sign up for Yahoo’s email service from “a field of alternative mail service providers.”

Yahoo also argued that it was the plaintiffs who were seeking an unfair allocation of risk. Yahoo offered its services on a free or low-cost basis, and exercised no control over whether and how the plaintiffs used those services to transmit sensitive personal information. Yahoo, the company argued, should not have to bear the full economic risk of the plaintiffs’ choices in that regard.

The Court’s decision

The court sided with the plaintiffs.

The court first concluded that the amended complaint adequately alleged procedural unconscionability because Yahoo’s limitations appeared near the end of a take-it-or-leave-it contract. The mere fact that the plaintiffs could use other email service providers might weaken the plaintiffs’ unconscionability allegations, but could not overcome them.

The court also rejected Yahoo’s risk-allocation arguments. It acknowledged that a defendant who offers a free or low-cost service could reasonably seek “to minimize its exposure to monetary damages claims by users of the service.” But Yahoo’s limitations, concluded the court, were substantively unconscionable given the plaintiffs’ allegation that Yahoo took “minimal action” to protect their information despite knowing about its inadequate security measures.

Lessons for litigants

In re Yahoo! contains some important lessons for companies.

First, the case makes clear that boilerplate disclaimers that a service is not “100% secure” or is provided on an “as is” basis might not protect against data-breach lawsuits that allege a company violated affirmative security promises.

Second, limitations of liability may not provide a reliable shield against consumer data-breach lawsuits, even when limited to consequential and other indirect damages. That’s especially true where those terms are included in clickwrap agreements, such as online terms of service, that lend themselves to unconscionability arguments like those made by the In re Yahoo! plaintiffs.