(Reuters) - A U.S. judge rejected Yahoo’s proposed settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history, faulting the Internet services provider for a lack of transparency.
In a Monday night decision, U.S. District Judge Lucy Koh in San Jose, California, said she could not declare the settlement “fundamentally fair, adequate and reasonable” because it did not say how much victims could expect to recover.
Yahoo, now part of New York-based Verizon Communications Inc, was accused of being too slow to disclose three breaches from 2013 to 2016 that affected an estimated 3 billion accounts.
The settlement called for a $50 million payout, plus two years of free credit monitoring for about 200 million people in the United States and Israel with nearly 1 billion accounts.
But the judge said the accord did not disclose the size of the settlement fund or the costs of the credit monitoring, and the proposed class may be too big because the number of “active” users that Yahoo disclosed privately to her was far lower.
Koh also said the maximum $35 million of fees for the plaintiffs’ lawyers may be “unreasonably high,” saying the legal theories of the case were “not particularly novel.”
A lawyer for the plaintiffs did not immediately respond on Tuesday to requests for comment.
Verizon said: “While preliminary approval of the settlement was not granted, we’re confident that we can achieve a viable path forward.”
Yahoo revealed the full scope of the breaches after having agreed in July 2016 in to sell its internet business to Verizon for $4.83 billion. The revelations prompted a cut in the purchase price to $4.48 billion.
U.S. prosecutors charged two Russian intelligence agents and two hackers in connection with one of the breaches in 2017. One hacker later pleaded guilty.
Koh contrasted her decision with her approval last August of health insurer Anthem Inc’s $115 million settlement over data breaches affecting about 79 million victims.
The judge said Anthem, unlike Yahoo, timely disclosed the breaches, offered free credit monitoring even before settling, and committed to upgrading its data security.
“Yahoo’s history of nondisclosure and lack of transparency related to the data breaches are egregious,” Koh wrote.
“Unfortunately, the settlement agreement, proposed notice, motion for preliminary approval, and public and sealed supplemental filings continue this pattern of lack of transparency,” she added.
The case is In re: Yahoo Inc Customer Data Security Breach Litigation, U.S. District Court, Northern District of California, No. 16-md-02752.
Reporting by Jonathan Stempel in New York; editing by Jonathan Oatis