On March 2, 2018, Yahoo! entered into a proposed settlement of a securities class action filed against the company following its disclosures in 2016 that it had suffered significant data breaches in 2013 and 2014.[1]  Under the settlement, which is still subject to court approval, Yahoo! has agreed to pay $80 million to settle claims that it misled investors by failing to disclose the breaches in its public filings, while still touting the strength of its cybersecurity practices.  On the same day the settlement became public, Yahoo! moved to dismiss the claims being pursued by an opt-out plaintiff.  Among other things, Yahoo! asserted in its motion that the complaint failed to adequately allege that it had misrepresented the strength of its cybersecurity protections, arguing that statements like “we take the securities of our users very seriously,” and “Yahoo is committed to gaining your trust,” were neither actionable misstatements nor rendered false by the data breaches.[2]

Notably, the proposed settlement marks the first significant recovery in a suit brought by shareholders under Section 10(b) of the Securities Exchange Act of 1934 based on a company’s alleged failure to adequately disclose cybersecurity incidents and risks.  With the growing focus on cybersecurity, such cases are becoming commonplace following data breaches or other significant cybersecurity incidents at public companies.  Public entities should thus stay vigilant on cybersecurity disclosure issues, including by taking into account the SEC’s new cybersecurity guidance, as discussed in our recent alert memorandum.


[1] In re Yahoo! Inc. Securities Litigation, No. 17-00373 (LHK) (N.D. Cal.).

[2] Yahoo! Inc. and Marissa Mayer’s Notice of Motion and Motion to Dismiss Plaintiffs’ Second Amended Class Action Complaint; Supporting Memorandum of Points and Authorities at 13 (In re Yahoo! Inc. Securities Litigation, No. 17-00373 (LHK) (N.D. Cal.), ECF No. 75).