Geonetta & Frucht, LLP
By: Geonetta & Frucht, LLP

Yahoo – also known as Yahoo, Inc. or as Yahoo! – is facing lawsuits in both federal and state courts after a high-profile hacking attack that exposed the information of over 500 million accounts. The Sunnyvale-based company, which was a leader in the early days of the internet, is facing a number of lawsuits from people who fear that their Yahoo accounts have been hacked and who claim that the company was grossly negligent for putting their financial and personal data at risk.

A complaint filed in the U.S. District Court in San Jose in September claims that Yahoo was “grossly negligent.” A similar lawsuit filed in the U.S. District Court in San Diego charges that the hack caused an “intrusion into personal financial matters.” And six lawsuits against Yahoo have been filed in state courts in California since the company revealed information about a massive data breach that happened back in 2014.


Purported victims of the Yahoo breach who are filing their claims in state courts are hoping that their claims will benefit from California’s history of stricter cybersecurity and data privacy enforcement. California’s state courts have a history of upholding the rights of data breach victims. However, the first lawsuit against Yahoo in California was filed by a New York resident, Ronald Schwartz, accusing Yahoo of “reckless disregard for the security of its users’ personal information that it promised to protect.”


Californians bringing claims against Yahoo may choose to bring their class action lawsuits only on behalf of plaintiffs who are California residents, since certain state laws, like California’s strict data breach notification statute, will apply only to Californians. However, the key reason for bringing claims through the California state courts, according to privacy expert Rebecca Herold of Rebecca Herold & Associates, is this: “The Federal court has historically required proof of actual injury to have occurred as a result of a breach,” but in California, “courts have not been as strict in requiring such evidence of injury.”

The lawsuits filed in state courts cite California’s personal injury and negligence laws and accuse Yahoo of breach of contract, invasion of privacy, and the failure to issue a timely data breach notification. California has been a pioneer regarding data breach notification requirements, and with allegations flying that Yahoo may have discovered the breach earlier than company officials are admitting, there are concerns that Yahoo may have violated the state’s strict data breach regulations by delaying notification reports to account holders.


“California,” says Herold, “has long been seen as consumer-friendly with strong support for privacy protection, for over 14 years now. With that history of being pro-consumer and pro-privacy, the plaintiffs from California may believe they are more likely to win their case than they would from a federal court, which historically has seemed to support businesses more than consumers when it comes to privacy breaches.”

An attorney representing plaintiffs in the federal lawsuit filed against Yahoo in San Diego told CNNMoney, “We have had a number of people approach us who had things accessed such as their tax accounts or credit cards, and they couldn’t figure out how people were getting into those. When this was disclosed, they went ‘Whoa, there’s an explanation.’” The San Diego complaint charges that Yahoo spent an “unusually long period of time” uncovering the breach, and in the two years since, account holders have been at risk for identity theft.

Whether or not to pursue a consumer complaint in a federal or a state court is a key decision that can affect the result of the case and the sum that must be paid if the plaintiff prevails. Plaintiffs may select different legal paths for their claims based on the particular details of each case. “Class action defense counsel often consider federal court to be a more hospitable forum, and I would not be surprised to see Yahoo try to have these cases removed to federal court under the Class Action Fairness Act,” one attorney told


Legally, what is an invasion of privacy, and how is it defined? According to one San Francisco personal injury attorney, an invasion of privacy can only happen if someone has what the law calls a “reasonable expectation” of privacy and that reasonable expectation is violated. Let’s say that you have a private letter with personal information. If someone steals the letter from your hand or pocket, it may or may not be an invasion of privacy. If that same someone shares the information and your reputation is damaged – or you suffer some other injury – you can sue for invasion of privacy.


But if you accidentally leave a private letter with personal information on a table at a restaurant or in the back of a taxicab, you have no reasonable expectation of privacy. Therefore, if someone reads and uses the information in the letter to injure you in any way, you have no grounds to sue that person – at least, no grounds to sue for invasion of privacy. Thus, a plaintiff bringing an invasion of privacy claim must prove that:

  • There was a reasonable expectation of privacy.
  • Privacy was invaded.
  • Injury was a direct result of the privacy invasion.


The data breach incident at Yahoo may or may not have injured the company’s account holders – that’s a question the courts will decide. But so much damage has been done to the company that it may trigger a clause in Yahoo’s recent merger agreement with Verizon which would enable Verizon to renegotiate the $4.8 billion arrangement made between the two companies this summer.


The California Constitution establishes privacy as an inalienable right in this state. If you believe that your own privacy rights and your expectation of privacy have been violated by Yahoo or by any other company you deal with, and if you believe you’ve suffered harm as a result of that violation, arrange to discuss your rights and options with an experienced San Francisco personal injury attorney.

California law guarantees that if a company exposes someone’s sensitive information in this state, the exposure must be reported to the citizen in a timely manner. California’s “Shine the Light” law, which took effect in 2005, sets forth the rules about how and when a company must disclose the use of an account holder’s personal information and imposes civil damages for violation of the law.
