Yahoo has proposed a new $117.5m offer to its customers to settle a class action lawsuit following a devastating 2013 breach.
All eyes will now be on US district judge Lucy Koh, a veteran of tech cases, who still has to approve the new offer.
She rejected the original back in January after expressing concerns that it might not be “fundamentally fair, adequate and reasonable,” as it didn’t specify how much victims could expect to recover.
She also argued that the $35m set aside for the plaintiffs’ lawyers was excessive, given that the case, in legal terms at least, was “not particularly novel.”
The new settlement includes at least $55m for victims, $24m for two years of credit monitoring, up to $30m for legal fees, and up to $8.5m for other expenses, according to Reuters.
It reportedly covers 194 million users in the US and Israel with around 896 million accounts. Some three billion accounts were compromised back in 2013, Yahoo finally admitted in 2017.
High-Tech Bridge CEO Ilia Kolochenko argued that the pay-out of around $25 per compromised account amounted to an “embarrassingly modest compensation,” although it was not unusual in offering more to the attorneys than the victims.
“Otherwise, the settlement conveys an illusory message of relatively modest penalties for negligent data protection,” he added.
“In 2019, even a less severe breach is capable of exposing your company to incomparably severe and harsh sanctions in different jurisdictions. We have to take cybersecurity seriously or pay a considerable price.”
More interestingly, new owner Verizon has agreed to spend $306 million over the next four years on cybersecurity, which is reportedly five times what Yahoo spent in the period 2013-2016. It is said to have also committed to quadrupling staff in the IT security department.
The key will be how wisely the funds are spent. Gartner estimated last year that global cybersecurity spending in 2019 would exceed $124bn, with GDPR compliance and risk management within digital transformation programs driving much of the investment.
Source: Infosecurity Magazine