The recent Yahoo! settlement marks a substantial step in data breach shareholder derivative litigation that increases the risk for officers and directors of companies that have a data breach. On January 9, 2019, Yahoo! agreed to pay a total of $29 million to its shareholders to settle a lawsuit against several former directors and officers alleging that their poor management of the company led to the data breaches which substantially impacted the company’s value.

The $29 million settlement amount represents $18 million in damages to the company’s shareholders and $11 million for their legal fees. This settlement is significant because, while many similar cases have been filed previously, this is the first one that has settled for such a large amount. Before this settlement, in 2017, Home Depot settled similar claims for $1.125 million for plaintiffs’ attorney’s fees and the promise to make cybersecurity improvements. In May of 2018, Wendy’s settled its shareholder derivative litigation for similar promises and payment of $950,000, which was paid by D&O insurance.

The overall trend for data breach litigation has been evolving, albeit slowly, toward permitting those harmed by data breaches to recover for their injuries. This same trend continues with litigation against companies’ directors and officers, and it is likely to increase and gain momentum in the future.

Corporate directors and officers should protect themselves against this risk by ensuring their companies have taken these steps:

  1. They have implemented and are maturing an appropriately tailored cyber risk management program to minimize the legal and business risks of a data breach;
  2. They have adequate cyber risk insurance to cover the harm of any data breaches, should they occur; and
  3. They have appropriate directors and officers liability insurance to cover shareholder derivative claims should such a breach occur.