In re Yahoo! Inc. Customer Data Sec. Breach Litig.
313 F. Supp. 3d 1113
N.D. Cal.
2018

Background

  • Plaintiffs (nine named, multiple putative classes including U.S., California subclass, Israel, Small Business, and Paid Users) allege Yahoo/Aabaco failed to secure user PII and delayed disclosure of three breaches (2013 breach, 2014 breach, 2015–16 forged-cookie breach), causing identity theft, fraud losses, and mitigation costs.
  • Plaintiffs contend Yahoo had prior security warnings and assessments (Mandiant, SecureWorks, Leaf SR), used outdated MD5 hashing, and that executives (including CISOs) knew of security deficiencies and breaches while concealing them during corporate transactions.
  • The FAC asserts 13 causes of action (California statutory and common-law claims including UCL (unlawful/unfair/fraudulent), deceit by concealment, negligence, various contract claims, CLRA, and two CRA provisions) across the putative classes.
  • Defendants moved to dismiss most claims and to preclude punitive damages; the court considered standing, economic-loss rule, reliance/damages for fraud claims, contract unconscionability, CLRA applicability, CRA scope/retroactivity, and punitive-damages pleading requirements.
  • Rulings: the court granted the motion in part and denied it in part. It dismissed some UCL and CRA claims with prejudice (certain plaintiffs and certain breaches), but allowed the deceit-by-concealment, negligence, most contract (unconscionability adequately pled), and CLRA (for paid user) claims to proceed; certain CRA claims for the 2014 and forged-cookie breaches survived; and limited punitive-damages requests were dismissed as a matter of law for some claims.

Issues

| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| UCL standing (Rivlin, Granot, Mortensen) | Plaintiffs: breach placed them at risk / Mortensen paid for premium service and lost benefit of the bargain | Defendants: speculative future risk insufficient; Mortensen didn’t lose promised benefit | Rivlin/Granot: dismissed with prejudice (risk alone insufficient). Mortensen: UCL standing pled (benefit-of-the-bargain loss) — claim survives |
| Deceit by concealment (reliance & damages) | Plaintiffs: Yahoo concealed material security defects and breach knowledge; would have acted differently; seek compensatory damages (not limited to out‑of‑pocket) | Defendants: plaintiffs didn’t read Privacy Policy/rely; damages limited to out‑of‑pocket under Cal. Civ. Code §3343 | Reliance adequately pled (omissions theory). Damages not limited to out‑of‑pocket; deceit claim survives |
| Economic loss rule re negligence & deceit | Plaintiffs: services contract and special relationship (J'Aire factors) allow tort recovery | Defendants: economic loss rule bars tort recovery where contract governs | Contract is for services; J'Aire special-relationship adequately pled; economic-loss rule does not bar negligence or deceit claims |
| Contract damages / limitation of liability | Plaintiffs: limitation-of-liability clause is unconscionable (procedural & substantive) and cannot bar consequential damages from data breach | Defendants: Terms of Service bar consequential damages; provision enforceable | Court finds procedural and substantive unconscionability adequately alleged; contract claims survive despite limitation clause |
| CLRA applicability (Mortensen) | Plaintiffs: Yahoo Mail is a "service" and Yahoo omitted material facts about security; Mortensen relied | Defendants: software/platform not a CLRA good/service; no reliance pled | Court: Yahoo Mail adequately pled as a "service"; reliance sufficiently pled; CLRA claim survives |
| CRA §1798.81.5 (reasonable security) and §1798.82 (timely notice) | Plaintiffs: CRA governs Yahoo's duties to secure PII and timely notify California residents for breaches | Defendants: pre-2016 CRA definition did not cover online-account credentials; CRA obligations did not apply to 2013/2014 data types; plaintiffs fail to plead when Yahoo discovered 2013 breach | §1798.81.5 claim based on 2013/2014 breaches dismissed with prejudice (pre-2016 text did not cover the alleged exposed data as pled). §1798.82 claim based on 2013 breach dismissed with prejudice for failure to plead date of discovery; claims based on 2014 and forged-cookie breaches survive as in prior order |
| Punitive damages | Plaintiffs: request punitive damages across several tort/statutory claims; allege high-level executives knowingly concealed breaches | Defendants: punitive damages improper where not alleged conduct by officer/director/managing agent or where statutory scheme precludes punitive damages | Court: punitive damages survive for deceit, misrepresentation, negligence as sufficiently pled against officers/agents; punitive damages dismissed with prejudice for contract implied‑covenant claim and for CRA claims (statutory remedies exclusive) |

Key Cases Cited

  • Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility standard for Rule 12(b)(6))
  • Ashcroft v. Iqbal, 556 U.S. 662 (2009) (pleading must include factual content to state a plausible claim)
  • Kwikset Corp. v. Superior Court, 51 Cal.4th 310 (2011) (UCL standing requires lost money or property; benefit-of-the-bargain is a cognizable injury)
  • J'Aire Corp. v. Gregory, 24 Cal.3d 799 (1979) (special relationship exception to economic-loss rule; six-factor test)
  • Robinson Helicopter Co. v. Dana Corp., 34 Cal.4th 979 (2004) (economic loss rule and limits on tort recovery for disappointed contractual expectations)
  • Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (Article III standing requirements)

Case Details

Case Name: In re Yahoo! Inc. Customer Data Sec. Breach Litig.
Court Name: District Court, N.D. California
Date Published: Mar 9, 2018
Citation: 313 F. Supp. 3d 1113
Docket Number: Case No. 16–MD–02752–LHK
Court Abbreviation: N.D. Cal.