Organisations are being scrutinised by judges with regard to their commitment to cyber security in the wake of cyber security breaches.
Across Ireland, the United States, Germany and France, it is not only the regulators who are asking more questions about cyber security: judges assessing settlements and awarding costs to the victims of breaches are asking them too.
Recently, Yahoo was criticised by a US judge for making only "vague commitments" to improve its cyber security.
In January this year, a judge rejected Yahoo's attempt to draw a line under a series of breaches it experienced between 2013 and 2016. The firm had proposed a payout to the lawyers acting on behalf of affected US and Israeli users.
But while the deal said the attorneys could claim up to $37.5m (£28.5m) in fees and costs, it did not disclose the sum reserved for the victims of the breaches.
The Yahoo class action lawsuit specifically covers three data breaches that affected the web portal's users' personal information:
1. a 2013 event in which hackers were able to access all 3 billion Yahoo accounts
2. a 2014 attack, which the firm said had affected more than 500 million accounts
3. a breach that happened between 2015 and 2016, in which the plaintiffs allege that the data stolen in 2014 was used to gain access to specific user accounts
The California judge also objected to Yahoo being too vague about what remedial steps it was taking.
Notification to customers and authorities, and actions to cease cyber breaches
Delayed notification: The lawyers prosecuting the case noted that Yahoo had repeatedly delayed notifying the public of the incidents until some time after it had become aware of them.
In one instance, the business acknowledged that it had paid for data from millions of its hacked accounts that had been advertised on the dark web, but disputed claims that it had failed to prevent the information from being purchased by others.
Among the evidence presented to the court was a report submitted by the plaintiffs that alleged there had been further breaches dating back to 2008 involving “several million accounts”, which Judge Koh noted that Yahoo continued to deny.
The judge first expressed reservations about the settlement at a hearing in November, when she complained that she had been unable to “figure out the total estimated sum” being promised.
In rejecting the settlement, the judge was sending a clear message to Yahoo and to other organisations.
Firstly, Judge Koh said she was dissatisfied that the settlement released Yahoo from having to make further payouts for breaches prior to 2013.
Since the firm had not admitted to any such events, the judge said the court was unable to evaluate what harm users might have suffered.
Judge Koh added that a failure to disclose the total size of the settlement fund meant that those affected would be unable to determine if it was reasonable.
In addition, she expressed concern that the sum that could be claimed by the 140 lawyers pursuing the case “may be unreasonably high”.
The judge also said that Yahoo had publicly declared an "inflated, inaccurate" estimate of the number of users affected while filing under seal (meaning it does not become part of the public record) "a more accurate, much smaller number".
Overstating the class size in public might reduce the amount each victim appeared able to claim and act as a disincentive to them seeking recompense.
Furthermore, the judge criticised the tech firm for making only “vague commitments” to improve its cyber-security.
“Yahoo’s history of non-disclosure and lack of transparency related to the data breaches are egregious,” Judge Koh concluded.
“Unfortunately, the settlement [and related filings] continue this pattern of lack of transparency.”
* Be responsible and notify as soon as you become aware of a breach. This is part of your legal obligation: under the GDPR, for example, the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach.
* Ensure that your cyber security practices are clearly documented and that you can produce evidence of them.
* Be transparent about your data breaches, including how many people were affected.
* Be clear about what action you are taking and assist customers to protect themselves.
Our key message: if it is private, confidential or sensitive, encrypt it!