<b><i>Online Extra:</b></i> Yahoo Security Breach Sparks Class Actions

At least six class actions have been filed against Yahoo! Inc. in the wake of last month's announcement of a security breach that compromised an estimated 500 million account holders.

Yahoo said on Sept. 22 that the accounts had been stolen in 2014 by what it called a 'state-sponsored actor,' compromising customer names, email addresses, telephone numbers, birth dates and passwords.

The suits are all consumer class actions filed in federal and state courts in California and Illinois ' many by lawyers who've brought successful data-breach cases before. As with most data-breach cases, plaintiffs lawyers could face an uphill battle in arguing that most customers were actually injured by the hack. To that end, they have asserted in the lawsuits that financial information like bank and credit and debit card information might have been compromised, despite Yahoo's assurances to the contrary.

'It depends on how a user uses email,' said John Yanchunis of Morgan & Morgan's Tampa office, who filed a class action in the U.S. District Court for the Northern District of California on behalf of a New York man who claims he had to change all his bank accounts since the breach. Yanchunis has been lead counsel in data-breach litigation against Target Corp., Home Depot Inc. and the U.S. Office of Personnel Management. 'They can buy consumer purchases, provide debit card, credit card information, other sensitive information about their personal lives because in essence this is the way people communicate. It's a treasure trove of information.'

David Casey, managing partner of Casey Gerry Schenk Francavilla Blatt & Penfield in San Diego, who has filed cases in the U.S. District Court for the Southern District of California and San Diego Superior Court against Yahoo, said he's talked to consumers who've already reported that their financial information was stolen.

'A number of people who have contacted us have had financial information breached and didn't know why it was occurring,' he said. 'We're in the early stages, but had a number of people coming in complaining about that.'

One suit notes that consumers have had to pay to freeze their credit and debit accounts. The suits all were brought under negligence and other common law claims, consumer statutes in California and Illinois, as well as California and federal data-breach statutes.

All the cases allege that Yahoo's failure to identify the breach for two years is longer than most companies have taken when hacked.

In fact, questions have been raised about whether Yahoo CEO Marissa Mayer might have known about the breach in July, when the company was finishing its $4.8 billion sale to Verizon Communications Inc. To that point, U.S. Senator Mark Warner, D-Virginia, co-founder of the Senate cybersecurity caucus, wrote a letter on Monday to U.S. Securities and Exchange Commission Chairwoman Mary Jo White to look into whether Yahoo was in violation of federal securities laws by failing to notify investors of its breach four days after identifying the breach.

'The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it,' he said in a statement.

So far, no shareholder class actions have been filed.

Yahoo spokeswoman Megan Levinson declined to comment.

Amanda Bronstad writes for The Recorder, an ALM sibling of Internet Law & Strategy. She can be reached at'[email protected].