Yahoo agrees to hack lawsuit settlement; will pay victims $25 an hour for their time
You've been hacked, and now you have a mess to clean up. Maybe an imposter rampaged through your bank accounts, so you have to make dozens of calls. Maybe you have to play email tag with huge firms like Facebook or Google to reclaim your accounts. You probably have to explain to your boss why you are spending so much company time dealing with personal matters. Or maybe you just worry about what might happen next.
How much is all your time and frustration worth? Well, $25 an hour, according to a proposed settlement of a class action lawsuit targeting the massive Yahoo hack. The settlement calls for Yahoo to set aside $50 million for victim compensation.
Settlement terms filed Monday still require court approval, but here's what you can expect, according to the Associated Press:
"The fund will compensate Yahoo account holders at a rate of $25 per hour for time spent dealing with issues triggered by the security breach, according to the preliminary settlement. Those with documented losses can ask for up to 15 hours of lost time, or $375. Those who can’t document losses can file claims seeking up to five hours, or $125, for their time spent dealing with the breach," it says.
That $25-per-hour number places an interesting price tag on digital age disruption. It's not bad, but if you are a person who's had to recover from a nasty bout of identity theft, you probably think you deserve more than $100 for an afternoon ruined by hackers.
The bigger issue is this: I spent months investigating the Yahoo hack for our podcast Breach (listen to all five episodes here, or read about the series here). And as with so many hacks, what we know is less than what we don't know. There were actually two hacks. One is blamed on the Russian government. The other one? We have no idea. Who did that and why? What are the likely consequences? What did the Russian government do with the data it stole? Well, we know those hackers read millions of victims' emails for more than two years. What was the result of that intrusion? What harm was done? What harm might still be done? How do we value that? We just don't know.
Lawsuits require demonstrated harm to trigger compensation, however, so this kind of crazy math comes into play.
"Estimates of damages caused by security breaches vary widely, with experts asserting the value of personal information held in email accounts can range from $1 to $8 per account. Those figures suggest Yahoo could have faced a bill of more than $1 billion had it lost the case. But Yahoo had disputed those damages estimates and noted many of its accountholders submitted false information about their birthdates, names and other parts of their lives when they set up their email."
I guess you might conclude that it's smart to use false information when setting up accounts.
These are big questions, made bigger by the sheer size of the hack. The settlement says there were 200 million victims - some 3 billion accounts were hacked, but we'll presume some had multiple accounts, and others would be ineligible to participate in the class action.
If you were a victim -- and let's face it, who over 30 didn't have a Yahoo account? -- there's nothing to do yet. Later this month, a federal judge will consider the settlement terms. After that, you can begin applying for compensation, which will also include two free years of credit monitoring. If the settlement is approved, one group will be quite happy. Lawyers representing the class will get up to $37.5 million in fees and expenses.
While on the subject of Breach, here's a reminder that we are deep into work on Season 2, which I'm very excited about. Is there a bigger hack than Yahoo? Indeed, there is. Meanwhile, we are releasing a special production on Monday that will examine election hacking, just in time for the 2018 midterms. Here's a tease for that episode.