You might think that a company that lives online to the extent that Yahoo does would have excellent security. But you would be wrong, says this securities class action. The complaint claims that Yahoo used inadequate security measures and failed to disclose data breaches that were some of the largest ever. These failures to disclose the truth, says the complaint, are violations of the Securities Exchange Act of 1934.
The class for this action is all persons who acquired Yahoo securities between April 30, 2013 and December 14, 2016.
Yahoo! is an international technology company that provides services such as a web portal, a search engine, e-mail, news, financial information, sports, advertising, and the micro-blogging and social networking site Tumblr. Consumers must sign up before using its services. The company is presently known as Altaba.
Most of its revenues come from search, display, and native advertising, and the complaint claims that a critical element in this is the ability of advertisers to target users according to the personal information on file, demographics, and browsing and offline habits. This information is also valuable to identity thieves. Even access to e-mail accounts can offer them a lot.
Yahoo claims that protecting user information is important to it and says, “We have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you.” It admitted in public filings during the class period that cybersecurity attacks were a material operating risk for the company.
Yet, according to the complaint, the company used outdated and inadequate means to protect its information files.
Because of the seriousness of identity theft, almost every state in the US has made it illegal for a company to delay notifying customers of data breaches. Yet Yahoo failed to disclose the two largest data breaches in US history, the complaint claims, one in 2013 exposing the data of three billion users to hackers, and another in 2014, which involved 500 million users’ information; and it also failed to disclose large data breaches in 2015 and 2016.
The complaint claims that Yahoo wanted to hide the data breaches for other reasons as well. Having had some years of poor performance, the company was trying to sell itself to Verizon in 2016. According to the complaint, Yahoo claimed in a filing around that time that there had not been any security breaches.
When the breaches finally came to light, the complaint says, Verizon threatened to walk out on the deal, but later negotiated a $350 million price reduction. Meanwhile, the company’s stock fell by about 31%, harming investors. The complaint claims that Yahoo is now being investigated by US and foreign regulatory entities, including the SEC, the Federal Trade Commission, and state attorneys general offices.