Yesterday, a Superior Court judge in Santa Clara, California approved what is believed to be the first monetary award to a company in a data breach-related derivative lawsuit. Until now, such breach-related derivative cases have settled through a combination of governance changes and modest awards of attorney’s fees.
But the former officers and directors of Yahoo! Inc. agreed to pay $29 million to settle charges that they breached their fiduciary duties in the handling of customer data during a series of cyberattacks from 2013 until 2016. Three billion Yahoo user accounts were compromised in the attacks, making it one of the largest reported hacks in U.S. history. The settlement puts an end to three derivative lawsuits filed in Delaware and California against the company’s former leadership team and board, including ex-CEO Marissa Mayer.
Under the settlement, the lawyers will walk away with just under $11 million in fees and expenses, with the remaining $18 million paid to Yahoo! (now called Altaba, Inc.). The settlement will be funded by insurance.
A derivative lawsuit gives the owners of a company – the shareholders – a way to hold corporate directors and management accountable for their actions. To do so, shareholders file a claim on the company’s behalf, with any money recovered going to the corporation, not the individual shareholders, because the violation only harmed the organization.
The backstory of the Yahoo D&O settlement might never become public. In court filings, the parties have called the settlement fair and in the best interest of all parties, and have pointed to a laundry list of data security improvements that have been put in place at the company. But insurers don’t pay millions of dollars to settle a derivative case – especially when there’s a low likelihood that the shareholders would prevail in the case – without some concern that their exposure would be greater than the settlement.