The deadline for filing for benefits in the Yahoo data breach settlement is coming up soon, on July 20.
You may be eligible to collect part of a $117.5 million settlement fund — but how much and how soon is unclear.
If this has a repetitive, "Groundhog Day" vibe, it might be because of the recent Equifax data breach settlement, which involved similar choices. As with Equifax, claimants in the Yahoo case can file for free credit monitoring or choose cash if they already have credit monitoring. In addition, there is the potential for reimbursement for time and money spent on security measures taken as a result of the breach.
The Yahoo settlement page says the approval process may take more than a year. Of the $117.5 million settlement fund, lawyers were asking for up to $30 million for services and $2.5 million for expenses, leaving about $85 million to pay claims. However, at a hearing on June 18, U.S. District Judge Lucy Koh questioned the size of the lawyers’ fees. She also noted that the estimated settlement class has shrunk considerably, from around 194 million people to about 95 million.
Am I eligible and what might I get?
You’re eligible if you’re a resident of the U.S. or Israel, had one or more Yahoo accounts at any time from Jan. 1, 2012, through Dec. 31, 2016, or got a notice concerning the data breaches in 2016 or 2017. "Yahoo accounts" include email as well as Tumblr, Yahoo Fantasy Sports, Yahoo Finance and Flickr.
The lawsuit was a result of a combination of data breaches in which personal data was taken and some additional security intrusions where there was no evidence data was taken. Yahoo later disclosed that one of the incidents, in August 2013, affected all of the approximately 3 billion accounts then in existence. Because people could have multiple accounts, the number of people affected is much lower than that.
Free monitoring or cash
The free credit monitoring option provides at least two years of three-bureau monitoring from AllClear ID. The period could be extended if settlement money is left. It includes identity restoration services if you suffer identity theft or fraud and $1 million in identity theft insurance.
Mike Litt, consumer campaign director of U.S. Public Interest Research Group, notes that monitoring lets you know about a new, fraudulent account only after it has been set up. Freezing your credit, which is free, can prevent a scammer from opening accounts in your name.
If you already have monitoring and certify that you plan to keep it for at least one year, you can file a claim for alternative compensation of $100. The actual amount you receive will depend on the number of valid claims filed and could be much lower.
You may notice that the website says the payout could be as high as $358.80 — if there are few valid claims. However, according to Law.com, a court filing indicated nearly 75% of claimants were opting for cash, and the lead legal counsel for Yahoo characterized claims so far as "in the gajillion number."
Compensation for time or money spent
If you spent money or time trying to prevent or deal with harm related to the breach, you may be able to get compensation for "out of pocket costs" you incurred in 2012 or later.
Examples of the costs include money spent on monitoring services to safeguard against ID theft, and losses and legal fees connected to fraud or ID theft you suffered related to the breach. You also can file for up to 15 hours of time spent taking care of issues related to the breaches, but you must provide documentation. Without documentation, you may be eligible for five hours. Compensation for time spent is paid at $25 per hour or time off work at your usual pay rate, whichever is greater. There is a $25,000 cap on out of pocket cost claims.
As with the alternative compensation, the amount you actually receive could be reduced. If the total valid claims exceed the settlement amount, payouts will be reduced proportionally.
What if I paid for ad-free email or small business services?
You could be eligible for a refund of up to 25% of the amount you paid. You will need a Paid User Claim Form or Small Business User Claim Form, available on the website or by using the contact information below.
Paid users and small-business users can file for out-of-pocket costs in addition to the refund and can choose either the credit monitoring service or alternative compensation payment.
What do I need to know about applying?
The settlement website has forms you can fill out and file online. If you prefer, you can also file by mail. Download claim forms from the website, request them from the settlement administrator at 844-702-2788, or email [email protected] to request them. Completed forms should be mailed to:
In re: Yahoo Inc. Customer Data Breach Security Litigation
c/o Settlement Administrator,
PO Box 1760
Philadelphia, PA 19105-1760
Is there a filing deadline?
Yes, all claims must be postmarked or filed online by July 20, 2020.
When will I get my benefits?
No one knows, but the website warns that approval could take at least a year. The judge has yet to grant final approval of the deal, and then all types of claims must be processed before any will be paid. There is a process for forwarding benefits if you move, which suggests the process could take some time.
What if I do nothing?
If you don’t do anything, you won’t receive credit monitoring or other compensation and you give up your rights to file a lawsuit in the case. The deadline for excluding yourself from this settlement so that you can retain your right to sue has passed.
How can I protect myself now?
The best way to keep your data safe is to use good cybersecurity hygiene.
Freeze your credit if you don’t plan to apply for credit in the near future.
Sign up for free monitoring offered by personal finance websites or financial institutions you trust.
Consider using a password manager to help you create and store complex passwords.
Use two-factor authentication and password-protect electronic devices.
Don’t carry sensitive documents with you except on occasions you know you will need them.
If you use public Wi-Fi, get a virtual private network, or VPN, to keep your data safer.
Read bank and credit card statements carefully, checking for unauthorized charges.
Shred documents with personal information when you dispose of them.
Keep software up to date.
It’s not possible to prevent all types of identity theft, but it is possible to make yourself less of a target. It’s smart to assume your information is out there and to monitor accounts for signs someone is using it.