Friday, March 16, 2018
There's a class action going on over data breaches at Yahoo! between 2013 and 2016, and a recent decision in the case in the Northern District of California, In re: Yahoo! Inc. Customer Data Security Breach Litigation, Case No. 16-MD-02752-LHK (behind paywall), finds that Yahoo!'s limitation-of-liability provisions have been adequately pled to be unconscionable.
The provision at issue was found in Yahoo!'s terms of service and attempted to limit Yahoo!'s liability. The class action sought consequential damages, and Yahoo! moved to dismiss the claims for those damages, citing the provision. However, the plaintiffs argued that the provision was unconscionable, and the court agreed that they had sufficiently pled their argument to survive the motion to dismiss.
In terms of procedural unconscionability, Yahoo!'s terms of service were a non-negotiable adhesion contract, and the limitation-of-liability provision was found near the end of its twelve pages. The fact that the plaintiffs could have chosen other email services did not bar a finding of procedural unconscionability.
As far as substantive unconscionability goes, the plaintiffs alleged that the limitation-of-liability provision was one-sided and acted to block the plaintiffs from achieving adequate relief. The provision prohibited nearly every type of damages claim, virtually guaranteeing that the plaintiffs would not be able to be made whole in the event of a breach. In this case, consequential damages generally follow from data breaches, so the plaintiffs argued that consequential damages were necessary for their case. Finally, the plaintiffs argued that the only party in a position to guard against data breaches was Yahoo!, yet the limitation-of-liability provision placed the risk on the plaintiffs should Yahoo! fail to maintain adequate security.