Last week, victims of Yahoo’s data breaches between 2012 and 2016 were given good news, with the proposed settlement from the US class-action lawsuit heading to a judge for final approval.
Yahoo, now owned by Verizon, has agreed to pay $117.5 million (about £91 million) in compensation to users whose personal data was leaked.
That sounds promising until you learn how complicated the remuneration process is and that, even if you jump through the necessary hoops, you are likely to receive as little as $100.
Meanwhile, the lawyers overseeing the case have awarded themselves 25.5% of the payout, which equates to $30 million (about £23 million).
The compensation process
Victims are only eligible to claim compensation if they are residents of the US or Israel, had an active Yahoo account between 2012 and 2016, and subscribed to a credit monitoring service.
But the difficulties don’t stop there. Anyone who wants to claim compensation must also answer five questions to verify their identity.
The good news for those willing to go to the effort is that fewer claimants means a bigger share of the compensation, but the process doesn’t exactly scream ‘justice for data breach victims’ – nor does the involvement of the lawyers who agreed to these terms.
How did the lawyers get such a big payday?
If you thought $30 million in legal fees was high, bear in mind that the settlement was delayed last year in part because the lawyers wanted $35 million.
Judge Lucy Koh balked at the request while also pointing to mistakes that the legal team made.
For example, she noted that the claim was too vague and didn’t describe the website breaches sufficiently, and that the settlement included several law firms and attorneys who weren’t authorised to work on the case.
Verizon’s legal team has spent the past year revising its paperwork and reduced the fee to $30 million.
However, this is still a huge amount, especially compared to how much the victims themselves will be awarded. Even though such practices tend to be par for the course in claims like this, many commenters are outraged.
For example, cyber security law professor Andrew Rossow wrote:
You would think when it comes to data, justice and resolution would be the only goals here. Unfortunately, the truth couldn’t be farther from the courtroom.
The settlement isn’t about justice. It’s about who can capitalize off an incident that affects all of us. […] How can anyone claim this settlement is anything but an absolute joke?
Joke or not, it’s the best that victims of Yahoo!’s data breaches can hope for. Some will hold out for their slim reimbursement, but many will simply put the incident behind them and won’t bother claiming their compensation.