U.S. derivative lawsuit stemming from data breach settles for $29M
Although we haven’t yet witnessed the trend in Canada, there have been several shareholder derivative lawsuits filed against boards south of the border in connection with large-scale data breaches. However, none of these cases ultimately saw the plaintiffs obtain a significant monetary recovery – the majority fell at defendants’ motions to dismiss, while others settled solely for the amount of plaintiffs’ attorneys’ fees. A recent milestone case has experienced a different outcome though, with the plaintiffs obtaining a substantial settlement.
In September 2016, Yahoo! Inc. (Yahoo) publicly revealed a data breach that had taken place two years prior, affecting the personally identifiable information (PII) of up to 500 million users. Later that year, in December 2016, the company announced a second breach that had occurred three years prior in 2013, compromising PII of potentially all of Yahoo’s 3 billion users. A multitude of lawsuits ensued, both in Canada and the U.S. Shareholders in the U.S. filed both a securities class action lawsuit and a derivative lawsuit, which were ultimately consolidated and collectively alleged breach of fiduciary duty, unjust enrichment, insider trading, and waste against various defendants including Yahoo, Yahoo’s board of directors and certain officers and senior managers. The plaintiffs claimed that Yahoo executives and board members were aware of the privacy breaches prior to public disclosure and, moreover, that the individual defendants sought to cover up the breaches. The complaint also noted that many individual defendants sold their personal shares after the data breaches had taken place but before the public was informed of them. Verizon, which ultimately acquired the assets of Yahoo, was also named in the litigation for allegations of aiding and abetting. Verizon had initially announced plans to acquire Yahoo in July 2016. Following Yahoo’s disclosure of the data breaches, Verizon negotiated a $350 million reduction in the acquisition price.
Recently, in January 2019, the Superior Court of the State of California approved a settlement of $29 million pertaining to the lawsuit. It has been stated that the amount will be funded by insurers of both the individual defendants and Verizon, as agreed to and allocated between the two parties. Only time will tell whether this recent settlement will evidence a change in tide in data breach-related derivative litigation recovery or be remembered as an outlier for its substantial settlement. A directors’ and officers’ (D&O) liability insurance policy can provide coverage for individual board members and executives when faced with management liability claims, including those brought derivatively by shareholders. A D&O policy could also provide the corporate entity with coverage if named in a securities lawsuit. Although entity coverage for securities claims has typically been restricted to lawsuits involving the named insured’s own securities, it may now be possible, in very limited circumstances, for some insureds to obtain a form of ‘aiding and abetting’ coverage, which would extend coverage to claims filed by shareholders of a target company in the context of an acquisition.