SAN JOSE -- After admitting it was at fault to suitors and consumers about what some experts suggest is the largest digital breach to date, Yahoo now is facing a mountain of class-action litigation.
In fact, one complaint asserts the company failed to establish "basic data security protocols." The outcome of the series of lawsuits could reshape the landscape of litigation related to data protections, experts say.
While the scope of the breach is not yet known, more than 500 million user accounts are believed to have been compromised in an attack that took place back in 2014.
Ahead of an announced sale to Verizon for $4.8 billion, Yahoo admitted to the breach and suggested that it might have been the work of "a state-sponsored actor."
Yahoo alleged it only learned about the massive intrusion in the summer of 2016, a fact one of the class-action complaints points to as evidence that the company was "grossly negligent" in securing its users' personal information.
So far, there have been two complaints filed against Yahoo directly related to the breach. One was filed in U.S. Court for the Northern District of California and the other in the Southern District of Illinois.
The company might face more lawsuits unrelated to the data breach, but associated with its email service and the recent revelations about the company spying on its users on behalf of the U.S. government.
With regard to the data breach, Yahoo is facing several charges, including gross negligence and bailment, from the plaintiffs. As more details about the breach and what was actually stolen emerge, more complaints could follow.
When it comes to security breaches, the spectrum of harms alleged by consumers typically falls into at least one of three groups.
Those include financial harm from identity theft, stolen credentials with no financial harm and the possibility of future risk, according to Bess Hinson, an associate at Nelson Mullins Riley & Scarborough’s privacy and information security practice group at the firm's Columbia, South Carolina, office.
"What I think is interesting here, in terms of the Yahoo breach, is that many things could happen with the information that was stolen," Hinson told the Northern California Record.
It depends upon exactly what information was stolen, she said.
"Were only email and password pairs accessed or did it also include the content of messages, which would add a new dimension for the potential for harm?" she said.
One of the likely results of the Yahoo case is that it will prompt calls for more government intervention as regulators seek to hold the company accountable for its data protection practices, Hinson said.
"Following the Ashley Madison data breach, there were some foreign regulators who investigated Ashley Madison because, like Yahoo, Ashley Madison was also a website accessed by citizens of other countries," Hinson said. "Foreign data protection regulators came down hard on them for not having adequate security safeguards in place at the time that the hacks occurred."
The Ashley Madison case saw several international regulators combine their probe into the married dating site, concluding with the company consenting to several enforcement and compliance agreements, Hinson said.
"I think that will happen here again in the Yahoo case and there have probably been inquiries from European regulators into Yahoo's data protection practices," Hinson said. "We are seeing an increasing interest expressed by foreign regulators in U.S.-based companies' handling of information because these websites are attracting a global audience."