If you got an email about the $117.5 million Yahoo data breach settlement, here are your options

If you've received an email from Yahoo in recent weeks alerting you to a data breach settlement, now is the time to pay attention and take action.

As part of a proposed class action settlement, Yahoo — now part of Verizon — agreed to pay $117.5 million to settle claims that it failed to properly protect against and respond to five data breaches that occurred from early 2012 through 2016 and affected up to 3 billion users worldwide.

Any U.S. resident who had a Yahoo account between January 1, 2012 and December 31, 2016 is eligible to join the class, which is expected to include 194 million people in the U.S. and Israel, or roughly 896 million accounts.

Under the terms of the settlement, affected consumers or small businesses could potentially get up to $25,000 in reimbursement if they had out-of-pocket expenses tied to the breach, such as losses or fees incurred as a result of setting up credit monitoring or handling identity fraud.

Even if you didn't suffer any direct harm from the breach, you could claim free credit monitoring or a cash payout of up to $100 if you already have credit services in place.

If you didn't incur any out-of-pocket expenses from the breach, you have a few options at this point in the process, including doing nothing. But with several deadlines fast approaching, here's a look at the ways to respond.

An email that a CNBC Make It staffer received on Jan. 29, 2020 about the proposed Yahoo settlement.

Option 1: Free credit monitoring

Credit monitoring is a service that alerts you when there are any changes to your personal information or new credit inquiries. This can range from normal updates, such as a change to your address when you move, to potentially fraudulent activity, such as someone opening up a credit card in your name.

Consumers affected by the Yahoo breach will have the opportunity to receive at least two years of credit-monitoring services through AllClear ID, which not only keeps an eye on your credit file at Experian, Equifax and TransUnion, but also provides up to $1 million in identity theft insurance and identity restoration services. This service provides assistance for those who actually experience identity theft or fraud, everything from canceling and replacing credit and debit cards to recovering financial losses.

It's worth noting that while this service is more robust than many of the free credit monitoring services such as Credit Karma, Credit Sesame and Mint, it can't prevent identity theft or credit card fraud, nor does it prevent scam emails or phone calls.

"You can have all the credit monitoring services in the world, and if someone takes your ID and uses it for something non-financial, or uses it to break into your account, or to access your medical records or personal pictures, then it doesn't matter if you have credit monitoring," cyber-security expert Joseph Steinberg tells CNBC Make It.

And while Steinberg says this is a "grossly inadequate" service to protect people after a data breach, if you don't already have this layer of protection set up, then "you may as well get it," he says.

To claim this benefit, you'll need to fill out a claim form for basic account holders and select Option 1 (Credit Monitoring Services). To file a claim, you'll need to provide personal details, including your home address and contact information, as well as your Yahoo account info.

You need to file a claim before July 20, 2020 to get the credit monitoring.

Option 2: Cash Payment

You might already be using a site that offers credit monitoring, and if that's the case, you can file an "Alternative Compensation Claim" of up to $100. According to the settlement, the amount of the cash payment depends on how many people file for the benefit, similar to what happened last year with the Equifax settlement.

"Everybody probably has free credit monitoring at this point," Steinberg says, adding that companies keep giving credit monitoring out after data breaches. So this cash payment option attempts to provide some relief if you fall into that camp.

If there are remaining funds after all the claims are paid, the alternative compensation claim amount could increase to $358.80. However, that possibility doesn't seem likely, considering there are 194 million potential class members. If just a third of these people file a claim, the payout is only $1.84 per person.

To claim this cash payment benefit, you'll need to fill out a claim form for basic account holders and select Option 2 (Alternative Compensation). As with option 1, to file a claim, you'll need to provide personal details, including your home address and contact information, as well as your Yahoo account info.

Additionally, you'll need to provide the name of the credit monitoring service you're using, when you started using it and how long you expect to keep it in place. As with option 1, you have until July 20, 2020 to file a claim.

Option 3: Opt out

If you don't want to participate in the settlement, but you still want to preserve your future right to sue Yahoo, you have until March 6, 2020 to send in a letter stating your intent. You cannot opt out via email or by calling — you must send a letter to:

In re: Yahoo! Inc. Customer Data Security Breach Litigation

c/o Settlement Administrator

PO Box 1760

Philadelphia, PA 19105-1760

Your letter also must include the following:

  • The name and case number of the lawsuit: In re: Yahoo! Inc. Customer Data Security Breach Litigation, case number: 16-md-02752-LHK
  • Your full name and mailing address, as well as your email address or telephone number
  • An explanation of why you qualify for the class action, such as the fact that you had a Yahoo account at any point between 2012 and 2016 or that you received an emailed settlement notification.
  • You need to include the words "Notification of Exclusion" or a statement that you want to be excluded from the Settlement
  • You need to include your signature or an electronic signature through DocuSign. An attorney's signature or a typed signature is not sufficient.

It's common for settlements to require potential class members to opt out by mail, says Ted Frank, director of litigation for Hamilton Lincoln, which houses the Center for Class Action Fairness. "The procedures are not set up to protect individual class members, it's there to ram the settlement down their throat," he adds.

If you haven't yet experienced any harm but worry your identity could be stolen in the future as a result of the Yahoo breach, and you are willing to sue over this, then this may be an option. Small business owners, for example, who may be liable for not only their identity, but also customers' information, could fall into this category.

Some of the hacked Yahoo data may have been sold on the dark web. That said, Steinberg says that the value of that data may have diminished by this point.

There are some pieces of information that don't typically change, such as Social Security numbers and your home address, that do become more valuable over time, aging like a fine wine, Steinberg says. "As time goes on, it becomes more valuable because people are becoming less vigilant and it's still good [information]," he says.

In the case of Yahoo, the data that was accessed during the breaches included names, email addresses, telephone numbers, birth dates, passwords, security questions and answers, as well as potentially the contents of emails, calendars and contacts.

If you're not going to sue Yahoo on your own, then your best option may be to file for credit monitoring or the alternative cash payment.

"If you don't have an attorney who's willing to bring your individual case, it doesn't make sense to opt out," Frank says. "If millions of people opt out, the settlement might go away, but millions of people will not opt out."

Option 4: Do nothing

There's always the choice to simply ignore the emails. In that case, you'll miss any chance of getting some compensation or credit monitoring from Yahoo, but you'll also give up your rights to file any future lawsuits related to the data breaches that occurred between 2012 and 2016.

For some, it might feel as though they're signing up for a "booby prize," Steinberg says, but without the settlement, the average person likely would've received nothing at all.

"It probably pays to fill out [a claim] if there's no chance in the world that you'd sue Yahoo anyway," Steinberg says. "You're getting something instead of nothing. But if you're expecting to get $100, you're probably going to be significantly disappointed."
