14 September 2019

Houhinyms and Yahoo(s)

I've been offered yet more worthless "credit monitoring" to settle a massive privacy breach! Yay!

Most people (or, at least, most people who might read this blawg) know about the Equifax data breach settlement, which essentially offers ten years of free credit monitoring — a "prize" with an implied (but not actual) retail value of $125, but whose actual cost to the vendor is somewhere around $9. I already intend to object to this settlement as inadequate because it improperly devalues the privacy interests at stake… and allows the miscreant to evade substantial responsibility for its acts and omissions that actually caused the privacy breach.

Yesterday's e-mail included a notice regarding a proposed settlement of the Yahoo data breach. On the one hand, it was "only" an e-mail provider. On the other hand, it is offering only two years of credit monitoring… without regard to, and on its face not stackable with, the Equifax monitoring. So my potentially breached privacy at Yahoo1 will cost less than $2 for Yahoo to "fix," without regard to whether someone else is already "paying" the $2 for the identical "fix."

What this reflects, more than anything else, is a failure of will on the part of the plaintiffs'-side class-action bar, combined with scorched-earth litigation tactics and an utter absence of ethics2 on the part of defense counsel. This is a particularly poorly-considered coupon settlement.3 The fundamental problem with coupon settlements (and their various equivalents) is that they actually evade responsibility. It's one thing to assert that the victims are getting "full compensation" for the wrongs inflicted on them, which is no where near factually accurate in the first place. It's another thing entirely to allow corporate actors — and only corporate actors — to take such a severe discount on the cost of that compensation that it's reduced to a cost of doing business. <SARCASM> Presuming that the two sides of the equation are supposed to balance, one must wonder who's paying for the difference. </SARCASM> It's ok to drive a negligent driver into bankruptcy when the victim's damages exceed the driver's policy limits (and even if the victim's claim can't be discharged, it leaves nothing for the driver to deal with anything else), but we almost never do the same with corporations any more (without even considering veil-piercing).

  1. I am carefully omitting the exclamation point at the end of this mark, because an exclamation point is meaningful in all established search systems, specifically including all search systems (and regular-expression systems) in existence at the time Yet Another Heirarchical Object Organizer was first made available to the public. This is my "F*ck you!" to Yahoo's marketing moronsgeniuses, and more generally to assholes who establish trademarks and brand identity without regard to their actual meaning, usage, or perhaps-unintended-but-excrutiatingly-obvious consequences. In short, the mark should be disrespected — and perhaps even cancelled — due to bad faith in its selection and registration.

    There's no contempt issue here. The underlying conduct, and carelessness in preventing, detecting, and responding to it, was beneath contempt.

  2. Cf., e.g., R. Prof. Cond. 4.1:

    In the course of representing a client a lawyer shall not knowingly:
       (b) fail to disclose a material fact to a third person when disclosure is necessary to avoid assisting a criminal or fraudulent act by a client, unless disclosure is prohibited by Rule 1.6.

    Cf. also R. Prof. Cond. 3.4, 4.3, 4.4. Leaving aside value or anything else, there is no disclosure on the notice that this proposed settlement overlaps with another proposed settlement, thereby substantially reducing and/or potentially completely eliminating its value to significant numbers of members of the class. And defining that overlap is incredibly easy and obvious:

    {all persons members of the Equifax settlement class}

    {all persons members of this settlement class}

    which is obviously not an empty set. There is at least one member: Me. More to the point, it was predictable that there are at least enough other members (25–40) to create an independently-certifiable class on its own.

  3. I have substantial experience as counsel on the plaintiffs' side of class actions. See, e.g., Gibson v. Bob Watson Chevrolet-Geo, Inc., 112 F.3d 283 (7th Cir. 1997) (Posner, J.) (which one should ponder regarding note 2 above, and specifically its relationship to R. Prof. Cond 4.1(b)), and more than a dozen other reported opinions. That said, I've never been in favor of coupon settlements and their functional equivalents for the simple reason that they directly, or at best indirectly-at-one-remove, tie victims to continuing to do business with miscreants after the miscreant has been found out… even if, and perhaps especially when, the miscreant continues to maintain that it has done nothing wrong and won't do it again.