Johnson v. Yahoo! Inc.

Filing 1

COMPLAINT against All Defendants (Filing fee $ 400, receipt number 0971-11027805.). Filed by John Johnson. (Attachments: # 1 Civil Cover Sheet, # 2 Certificate of Interested Entities or Parties) (Cotchett, Joseph) (Filed on 12/22/2016)

JOSEPH W. COTCHETT (SBN 36324) (jcotchett@cpmlegal.com)
NANCI E. NISHIMURA (SBN 152621) (nnishimura@cpmlegal.com)
ADAM J. ZAPALA (SBN 245748) (azapala@cpmlegal.com)
CAMILO ARTIGA-PURCELL (SBN 273229) (cartigapurcell@cpmlegal.com)
COTCHETT, PITRE & McCARTHY, LLP
San Francisco Airport Office Center
840 Malcolm Road, Suite 200
Burlingame, CA 94010
Telephone: (650) 697-6000
Facsimile: (650) 697-0577

Attorneys for Plaintiffs

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

JOHN JOHNSON, Individually and on behalf of all others similarly situated, Plaintiffs,
v.
YAHOO! INC., Defendant.

Case No.

CLASS ACTION COMPLAINT FOR:
1. NEGLIGENCE;
2. NEGLIGENT MISREPRESENTATION;
3. BREACH OF EXPRESS OR IMPLIED CONTRACT;
4. VIOLATION OF CALIFORNIA CIVIL CODE § 1798.80, et seq.;
5. VIOLATION OF CALIFORNIA’S UNFAIR COMPETITION LAW;
6. BAILMENT; and
7. UNJUST ENRICHMENT.

DEMAND FOR JURY TRIAL

TABLE OF CONTENTS

I. INTRODUCTION
II. JURISDICTION AND VENUE
III. INTRADISTRICT ASSIGNMENT
IV. PARTIES
V. FACTUAL BACKGROUND
A. YAHOO PURPORTS TO TAKE CYBERSECURITY SERIOUSLY IN ORDER TO GAIN USERS’ TRUST
B. YAHOO ENGAGES IN A COURSE AND CONDUCT OF SUB-PAR CYBERSECURITY INFRASTRUCTURE AND LAX INVESTIGATIVE REMEDIAL ACTION
C. YAHOO DISCLOSES A DATA BREACH AFFECTING OVER ONE BILLION USER ACCOUNTS MORE THAN THREE YEARS AFTER THE HACK
D. YAHOO INTENTIONALLY DELAYS DISCLOSING THE 2013 HACK IN ORDER TO PUSH THROUGH VERIZON’S ACQUISITION OF YAHOO’S CORE BUSINESS
VI. CLASS ACTION ALLEGATIONS
COUNT ONE: NEGLIGENCE
COUNT TWO: NEGLIGENT MISREPRESENTATION
COUNT THREE: BREACH OF EXPRESS OR IMPLIED CONTRACT
COUNT FOUR: VIOLATION OF CALIFORNIA CIVIL CODE § 1798.80, ET SEQ.
COUNT FIVE: VIOLATION OF CALIFORNIA BUSINESS AND PROFESSIONS CODE § 17200, ET SEQ.
COUNT SIX: BAILMENT
COUNT SEVEN: UNJUST ENRICHMENT
VII. PRAYER FOR RELIEF
JURY DEMAND

I. INTRODUCTION

1. This class action arises from the largest known data breach in human history. Preying on the lax online security barriers of Defendant Yahoo! Inc. (“Yahoo”), hackers stole personal information associated with more than one billion Yahoo user accounts, including the Yahoo user account of Plaintiff John Johnson (“Plaintiff”).

2. Plaintiff brings this action individually and on behalf of a Class of individuals whose personal information was stolen due to Yahoo’s failure to create and implement the proper security mechanisms to safeguard its customers’ personal information.

3. On December 14, 2016, in a filing with the Securities and Exchange Commission, Yahoo disclosed for the first time that hackers had breached its past and current users’ personal information:

(A complete copy of Yahoo’s December 14, 2016 Securities and Exchange Commission, Form 8-K filing is attached hereto as Exhibit A.)

4. Yahoo waited over three years from the August 2013 hack to advise affected users numbering more than one billion that their private, personal information had been compromised. Yahoo knew about the August 2013 hack months, if not years, before its December 14, 2016 public disclosure but intentionally concealed the data breach, hoping to first consummate the $4.8 billion sale of Yahoo’s core business to Verizon.

5.
The hackers obtained the personal information of more than one billion user accounts, including names, email addresses, telephone numbers, dates of birth, hashed passwords[1] and, in some cases, encrypted or unencrypted security questions and answers.

[1] Hashing is a one-way mathematical function that converts an original string of data into a seemingly random string of characters. As such, passwords that have been hashed cannot be reversed into the original plain text password. At the time of the August 2013 Hack, Yahoo used MD5 to hash passwords. Yahoo began upgrading its password protection to “bcrypt” in the summer of 2013. “Bcrypt” is a password hashing mechanism that incorporates security features, including salting and multiple rounds of computation, to provide additional protection against password cracking.

6. From 2013-2016, in addition to Yahoo, several large companies and government agencies faced significant cyber threats:

• 2013: Facebook (6 million users had e-mail addresses or telephone numbers shared with others due to a software bug); Target Corporation (110 million customer payment cards were compromised); Adobe (2.9 million customers had their user IDs, passwords and credit card information exposed); JP Morgan Chase & Co. (almost half a million corporate and government clients who held prepaid cash cards were compromised); Maricopa County Community College District (2.5 million records on individuals were exposed); Schnucks (2.4 million customer payment cards were exposed); and CorporateCarOnline (more than 850,000 customers had their personal and financial information exposed).
• 2014: Target Corporation (40 million individuals’ information stolen); Neiman Marcus (350,000 customers were hacked); Sally Beauty (over 280,000 debit and credit cards were stolen and sold); Michaels (2.6 million cards were exposed); Community Health Services (4.5 million patients had their information stolen); UPS (1% of their customers were exposed); Dairy Queen (nearly 600,000 debit and credit cards were exposed); Home Depot (56 million credit and debit cards were affected by the data breach); JP Morgan Chase (76 million households and 7 million small businesses were hacked); Staples (1.16 million customers had their credit and debit cards compromised); and Sony (47,000 social security numbers were exposed).
• 2015: Ashley Madison (37 million customer accounts were compromised); Office of Personnel Management (22 million current and former federal employees had their personnel records exposed); Anthem (more than 80 million people had their personal information exposed); Premera (11 million customers had their names, dates of birth, addresses, telephone numbers, email addresses, social security numbers, member identification numbers, medical claims information, and financial information exposed); the IRS (tax records for 330,000 taxpayers were compromised); and mSpy (400,000 users had their customer screenshots, geolocation data, chat logs, and location records exposed).
• 2016: U.S. Department of Justice (30,000 employees had their data breached); IRS (over 100,000 American taxpayers had their personal information compromised); UC Berkeley (more than 80,000 students, alumni, employees, and school officials were compromised); Snapchat (700 current and former employees had their personal information stolen); 21st Century Oncology (2.2 million patients had their personal information stolen); Premier Healthcare (more than 200,000 patients had their data compromised); Verizon Enterprise Solutions (about 1.5 million customers were hit by hackers); LinkedIn (117 million email and password combinations were stolen in 2012 which came into the public in 2016); Newkirk Products (3.3 million people had their data breached); and Oracle (330,000 cash registers around the world were breached).

7. Despite the panoply of cyber-attacks and industry-wide warnings, including specific warnings from U.S. Senator Mark Warner directly to Yahoo, that Yahoo must take active steps to improve its cyber security and data breach detection protocol, Yahoo failed on multiple fronts to properly secure the personal information of its users. Yahoo failed to create and implement proper security protocols to prevent and detect unauthorized breaches of its information security systems. Likewise, Yahoo failed to implement standard internet technology safeguards, amongst other failures. According to computer security expert Brian Krebs:

For years I have been urging friends and family to migrate off of Yahoo email, mainly because the company appeared to fall far behind its peers in blocking spam and other email-based attacks. But also because of pseudo-security features (like secret questions) that tend to end up weakening the security of accounts. I stand by that recommendation.
(See https://krebsonsecurity.com/2016/12/yahoo-one-billion-more-accounts-hacked/ (accessed December 20, 2016).)

8. As a direct result of Yahoo’s subpar cybersecurity, Plaintiff, individually and on behalf of the Class, has been damaged. This class action lawsuit follows.

II. JURISDICTION AND VENUE

9. This Court has jurisdiction under 28 U.S.C. § 1332(d) because: (a) this matter was brought as a class action under Fed. R. Civ. P. 23; (b) the class (as defined below) has more than 100 members; (c) the amount at issue exceeds $5,000,000, exclusive of interest and costs; and (d) at least one proposed Class member is a citizen of a state different from Yahoo.

10. This Court has personal jurisdiction over Yahoo because Yahoo transacts substantial business in this judicial district.

11. Venue is proper in this Court under 28 U.S.C. § 1391 because, inter alia, Yahoo regularly conducts substantial business in this district and is therefore subject to personal jurisdiction, and because a substantial part of the events giving rise to the Complaint arose in this district.

III. INTRADISTRICT ASSIGNMENT

12. Assignment to the San Jose Division is appropriate under Local Civil Rule 3-2 because the actions that gave rise to the claims in this Complaint arose, in large part, in Santa Clara County.

IV. PARTIES

13. Plaintiff John Johnson is a natural person and a resident and citizen of Oakland, California. Mr. Johnson is one of the approximately one billion Yahoo users worldwide whose personal information was compromised because Yahoo did not take reasonable steps to secure such information.

14. Defendant Yahoo is a Delaware incorporated company headquartered at 701 First Ave., Sunnyvale, CA 94089.
Yahoo is a global internet media company that offers communications, content, and a community platform that delivers consumer experiences and advertising solutions across digital screens. Some of the services offered by Yahoo include, Yahoo! Directory, Yahoo! Mail, Yahoo! News, Yahoo! Finance, Yahoo! Groups, and Yahoo! Answers. Yahoo was founded by Jerry Yang and David Filo in January 1994 and was incorporated on March 2, 1995. Yahoo was one of the pioneers of the early internet era in the 1990s. As of the filing of this Complaint, Marissa Mayer is the CEO and President of the company. According to third-party web analytics providers, Alexa and SimilarWeb, as of September 2016, Yahoo was the highest read news and media website, with over 7 billion views per month, being the fifth most visited website globally.

V. FACTUAL BACKGROUND

A. YAHOO PURPORTS TO TAKE CYBERSECURITY SERIOUSLY IN ORDER TO GAIN USERS’ TRUST

15. According to Yahoo’s Privacy Policy, it “is committed to gaining [users’] trust.” Yahoo purports to take users’ privacy “seriously,” including “personal information that Yahoo collects and receives.” (See Exhibit B.) Personal information is information about users that is personally identifiable like users’ name, address, email address, or phone number, and that is not otherwise publicly available.

16. Yahoo promises not to “share personal information” about users with other people or non-affiliated companies except to provide products or services. To that end, Yahoo promises to limit access to personal information about users to Yahoo employees who Yahoo believes reasonably need to come into contact with that information to provide products or services to users or to do their jobs.

17. Yahoo claims to “have physical, electronic, and procedural safeguards” that comply with federal regulations to protect personal information about users.
These security measures are as follows:

• Transport Layer Security (TLS): Yahoo uses TLS encryption when transmitting certain kinds of information, such as financial services information or payment information. An icon resembling a padlock is displayed in most browsers during TLS sessions.
• Second Sign-in Verification: Users may turn on a setting that requires a second piece of information such as a code sent via SMS – in addition to the user’s password – when signing in to the user’s account from a device or location Yahoo does not recognize.
• On-Demand Passwords: Yahoo offers on-demand passwords. By linking the user’s mobile device to their Yahoo account, the user enables Yahoo to provide the user with an on-demand password sent to the user’s mobile phone.
• Secure Storage: Yahoo deploys industry standard physical, technical, and procedural safeguards that comply with relevant regulations to users’ personal information.
• Vendors and Partners: To protect the security and privacy of users’ information, Yahoo may provide information to partners and vendors who work on Yahoo’s behalf or with Yahoo under confidentiality agreements. These companies do not have any independent right to use or share this information without user consent.
• Access to Information: Yahoo limits access to personal information about users to those employees who Yahoo reasonably believes need to come into contact with that information to provide products or services to users or in order to process this information for Yahoo.
• Education and Training: Yahoo has implemented a company-wide education and training program about security that is required of every Yahoo employee.

(See Exhibit C.)

18.
In addition to its Privacy Policy, Yahoo’s Code of Ethics acknowledges that users, including Plaintiff and the Class, “trust us to protect their information and use and maintain it according to our published policies.” (See Exhibit D, p. 34.) Yahoo further acknowledges that its Privacy Policy provides users with assurances that we take measures to protect the security of their personal information.” (Id.)

19. Notwithstanding Yahoo’s lip service to cybersecurity, Yahoo has demonstrated a pattern and practice of sub-par cybersecurity measures and a reticence to taking appropriate investigative and remedial action when breaches are brought to its attention.

B. YAHOO ENGAGES IN A COURSE AND CONDUCT OF SUB-PAR CYBERSECURITY INFRASTRUCTURE AND LAX INVESTIGATIVE REMEDIAL ACTION

20. In July 2016, account names and passwords for about 200 million Yahoo user accounts were presented for sale on the dark-net market site, “TheRealDeal.” The seller, known as “Peace_of_Mind” or simply “Peace,” stated in a confidential interviews with Wired, that he had possessed the stolen database for an extended period of time and had been selling it privately since about late 2015. Peace had previously been connected to sales of similar private information data from other hacks including that from the 2012 LinkedIn hack. Peace stated the data likely dates back to 2012, and security experts believed it may have been part of other data hacks at that time. Yahoo stated that it was aware of the data and was evaluating it, cautioning users about the situation. However, Yahoo did not reset account passwords at that time.

21.
On September 22, 2016, Yahoo issued a press release disclosing a hack of 500 million user accounts, which occurred in 2014 (the “2014 Hack”):

(A true and correct copy of Yahoo’s September 22, 2016 press release is attached hereto as Exhibit E.)

C. YAHOO DISCLOSES A DATA BREACH AFFECTING OVER ONE BILLION USER ACCOUNTS MORE THAN THREE YEARS AFTER THE HACK

22. In August 2013, hackers breached the email system of Yahoo, absconding with the records of more than one billion users, including names, birth dates, phone numbers, and passwords that were encrypted with an easily broken form of security (the “2013 Hack”). According to Yahoo, the 2013 Hack is entirely distinct from the 2014 Hack. In the 2013 Hack, the hackers also obtained the security questions and backup email addresses used to reset lost passwords. For the next three years, the 2013 Hack – which is the largest data breach in history – supposedly went uncovered.

23. In August 2016, Andrew Komarov, chief intelligence officer at InfoArmor, discovered the 2013 Hack. InfoArmor is an Arizona cybersecurity firm that delivers identity, financial, and privacy protection, as well as threat intelligence and investigative services to help businesses fight evolving online threats. As the chief intelligence officer for InfoArmor, Komarov’s job is to prowl the internet’s darkest corners, infiltrate cybercrime rings, and help law enforcement and InfoArmor’s clients track down stolen data.

24. For the last three years, Komarov had been monitoring an Eastern European hacker group when he saw them offering up a huge database for sale: the user accounts from the 2013 Hack. The group Komarov had been surveilling, which he calls Group E, was keeping the sale off of public cybercrime forums.

25.
Group E claimed to have possession of a database of logins for up to one billion Yahoo accounts for sale for $300,000. Komarov watched Group E sell the database three times, and he was able to intercept the database during the sales. Two buyers were large spamming groups that are on the list for Spamhaus Register of Known Spam Operations, or ROKSO. The other buyer had an unusual request before completing the purchase. This third buyer gave the sellers a list of ten names of U.S. and foreign government officials and business executives, to verify their logins were part of the database. That led Komarov to speculate the buyer was a foreign intelligence agency.

26. Having intercepted potential sales of the database from the 2013 Hack, InfoArmor approached Yahoo through an intermediary to work together to investigate and resolve this massive theft. According to Komarov, instead of leaping into action, Yahoo was dismissive of the intermediary. It appeared that Yahoo was not interested in investigating the 2013 Hack until its sale to Verizon was complete. As a result, InfoArmor did not go to Yahoo directly, and instead notified military and law enforcement authorities in the United States, Australia, Canada, Britain and the European Union about the breach. After those parties verified the authenticity of the stolen records, some of them went to Yahoo directly with their concerns.

27. On December 14, 2016, months after rebuking InfoArmor’s alert about the 2013 Hack and only after federal authorities again brought the 2013 Hack to Yahoo’s attention, Yahoo finally announced that it had been hacked.
The following notice, which is representative of the notice sent to each member of the Class, was sent electronically to Plaintiff:

28. In addition to the foregoing, on the Yahoo website, Yahoo finally provided additional details about the 2013 Hack, including remedial steps affected users could take to lessen their damages. (See Exhibit F.) Yahoo clarified that the 2013 Hack was distinct from the 2014 Hack. (Id.) However, as of the filing of this class action Complaint, Yahoo still does not know who broke into its systems in 2013, how they got in, or what they did with the data.

D. YAHOO INTENTIONALLY DELAYS DISCLOSING THE 2013 HACK IN ORDER TO PUSH THROUGH VERIZON’S ACQUISITION OF YAHOO’S CORE BUSINESS

29. Despite knowing about the 2013 Hack months before December 14, 2016, Yahoo was not interested in investigating the 2013 Hack until its sale to Verizon was complete. Equally troubling is the fact that, whereas the Hack occurred in August 2013, Yahoo took no independent measures to discover the hack, and only supposedly learned about it through InfoArmor and government authorities. In fact, powerful circumstantial evidence indicates Yahoo knew about the 2013 Hack years before it disclosed the data breach on December 14, 2016. (See, e.g., http://www.mercurynews.com/2016/12/14/yahoo-hit-with-new-data-breach-of-a-billion-useraccounts/ (accessed on December 21, 2016).)

30.
Senator Mark Warner of Virginia stated: “This most recent revelation warrants a separate follow-up and I plan to press the company on why its cyber defenses have been so weak as to have compromised over a billion users.” (See http://fortune.com/2016/12/15/yahoo-hacksenator/ (accessed on December 21, 2016).) Warner, who will become the top Democrat on the Senate Intelligence Committee next year, described the hacks as “deeply troubling . . . If a breach occurs, consumers should not be first learning of it three years later . . . Prompt notification enables users to potentially limit the harm of a breach of this kind, particularly when it may have exposed authentication information such as security question answers they may have used on other sites.”

31. Commenting on the 2013 Hack, InfoArmor’s Andrew Komarov said the Yahoo data breach is different than other hacks: “The Yahoo hack makes cyber espionage extremely efficient . . . Personal information and contacts, e-mail messages, objects of interest, calendars and travel plans are key elements for intelligence-gathering in the right hands. The difference of the Yahoo hack between any other hack is in that it may really destroy your privacy, and potentially have already destroyed it several years ago without your knowledge.” (See https://www.bloomberg.com/news/articles/2016-12-15/stolen-yahoo-data-includes-government-employee-information (accessed on December 21, 2016).)

VI. CLASS ACTION ALLEGATIONS

32. Pursuant to Federal Rules of Civil Procedure 23(a), (b)(2) and (b)(3), Plaintiff brings this action individually and on behalf of a class defined as follows: All persons whose personal information may have been compromised by the 2013 Hack disclosed by Yahoo on December 14, 2016.

36. Plaintiff is a member of the proposed Class he seeks to represent.

37.
This action is brought and may properly be maintained as a class action pursuant to 28 U.S.C. § 1332(d). This action satisfies the procedural requirements set forth in FED. R. CIV. P. 23.

38. Plaintiff’s claims are typical of the claims of the Class Members. Plaintiff and all Class Members were damaged by the same wrongful practices of Defendant.

39. Plaintiff will fairly and adequately protect and represent the interests of the Class. The interests of Plaintiff are coincident with, and not antagonistic to, those of the Class.

40. Plaintiff has retained counsel competent and experienced in complex class action litigation.

41. Members of the Class are so numerous that joinder is impracticable. Plaintiff believes that there is in excess of one billion Class Members.

42. Questions of law and fact common to the members of the Class predominate over questions that may affect only individual Class Members, because Defendant has acted on grounds generally applicable to the entire Class. Thus, determining damages with respect to the Class as a whole is appropriate.

43. There are substantial questions of law and fact common to the Class. The questions include, but are not limited to, the following:

a. Whether Defendant failed to employ reasonable and industry-standard measures to secure and safeguard its users’ personal information;
b. Whether Defendant properly implemented and maintained security measures to protect its users’ personal information;
c. Whether Defendant’s cybersecurity failures resulted in harm to the personal information of Defendant’s users being accessed and disseminated by criminals or third parties who sought to gain financially from its improper use;
d. Whether Defendant was negligent in failing to properly secure and protect the personal information of its users;
e. Whether Plaintiff and other members of the Class are entitled to injunctive relief; and
f. Whether Plaintiff and other members of the Class are entitled to damages and the measure of such damages.

33. Class action treatment is a superior method for the fair and efficient adjudication of the controversy. Such treatment will permit a large number of similarly situated individuals to prosecute their common claims in a single forum simultaneously, efficiently, and without the unnecessary duplication of evidence, effort, or expense that numerous individual actions would engender. Plaintiff knows of no special difficulty maintaining this action that would preclude its maintenance as a class action.

COUNT ONE
Negligence
(Plaintiff individually and All Class Members)

34. Plaintiff incorporates by reference each of the preceding paragraphs as if fully set forth herein.

35. Yahoo had an affirmative duty to exercise reasonable care in safeguarding and protecting the personal information of its users. By maintaining their personal information in a database that was accessible through the Internet, Yahoo owed Plaintiff and Class Members a duty of care to employ reasonable Internet security measures to protect this information.

36. Yahoo, with reckless disregard for the safety and security of users’ personal information it was entrusted with, breached the duty of care owed to Plaintiff and the Class by failing to implement reasonable security measures to protect its users’ sensitive personal information. In failing to employ these basic and well-known Internet security measures, Yahoo departed from the reasonable standard of care and violated its duty to protect the personal information of Plaintiff and all Class Members.
Yahoo further breached its duty of care by allowing the breach to continue undetected and unimpeded for over three years after the hackers first gained access to Defendant’s systems.

37. The unauthorized access to the personal information of Plaintiff and all Class Members was reasonably foreseeable to Yahoo, particularly considering that the method of access is widely known in the computer and data security industry, and that it has long been standard practice in the Internet technology sector to encrypt personal information, including critical login credentials.

38. Neither Plaintiff nor other Class Members contributed to the security breach or Yahoo’s employment of insufficient and below-industry security measures to safeguard personal information.

39. It was foreseeable that Yahoo’s failure to exercise reasonable care in protecting personal information of its users would result in Plaintiff and the other Class Members suffering damages related to the loss of their personal information.

40. As a direct and proximate result of Yahoo’s reckless conduct, Plaintiff and Class Members were damaged. Plaintiff and Class members suffered injury through the public disclosure of their personal information, the unauthorized access to Internet accounts containing additional personal information, and through the heightened risk of unauthorized persons stealing additional personal information. Plaintiff and Class Members have also incurred the cost of taking measures to identify and safeguard accounts put at risk by disclosure of the personal information stolen from Yahoo.

WHEREFORE, Plaintiff and the Class pray for relief as set forth below.

COUNT TWO
NEGLIGENT MISREPRESENTATION
(Plaintiff individually and All Class Members)

41. Plaintiff incorporates by reference each of the preceding paragraphs as if fully set forth herein.

42.
Yahoo represented to Plaintiff and the other Class Members that it would safeguard and protect the personal information of its users from harm. Indeed, Defendant represented to Plaintiff and the other Class Members that Yahoo “is committed to gaining [users’] trust” and takes users’ privacy “seriously,” including “personal information that Yahoo collects and receives.” (See Exhibit B.) Yahoo promised not to “share personal information” about users with other people or non-affiliated companies except to provide products or services. To that end, Yahoo promised to limit access to personal information about users to Yahoo employees who Yahoo believed reasonably needed to come into contact with that information to provide products or services to users or to do their jobs. Yahoo promised to deploy industry standard physical, technical, and procedural safeguards that comply with relevant regulations to protect and safeguard the personal information of its users.

43. Yahoo’s promises to safeguard and protect the personal information of its users were material facts upon which Plaintiff and other Class Members relied.

44. Yahoo was not properly safeguarding user data at the time of the subject breach, despite using the same user data to enhance Yahoo’s revenues.

45. Plaintiff and the other Class Members reasonably relied on the representations by Yahoo that it would safeguard user data.

46. Plaintiff and the other Class Members suffered actual damages as a result of Yahoo’s negligent misrepresentations.

WHEREFORE, Plaintiff and the Class pray for relief as set forth below.

COUNT THREE
BREACH OF EXPRESS OR IMPLIED CONTRACT
(Plaintiff individually and All Class Members)

47. Plaintiff incorporates by reference each of the preceding paragraphs as if fully set forth herein.

48.
Plaintiff and the other Class Members provided their non-public, financial and personal information to Yahoo in exchange for, and in order to receive, Yahoo’s services.

49. Plaintiff and the other Class Members allowed their financial and personal information to be used as described in Yahoo’s Privacy Policy and Code of Ethics, with the understanding that Yahoo would implement security measures to protect the non-public, financial, and personal information of Plaintiff and the other Class Members.

50. Yahoo expressly or impliedly agreed to safeguard, protect and maintain the non-public, financial, and personal information from being accessed, taken, or misused by unauthorized persons.

51. Each opening of a Yahoo user account by Plaintiff and the other Class Members was made pursuant to the mutually agreed upon express or implied contract with Yahoo to safeguard, protect, and maintain the non-public, financial, and personal information of Plaintiff and the other Class Members from being accessed, taken, or misused by unauthorized persons.

52. Plaintiff and the other Class Members would not have provided their non-public, personal information to Yahoo, or entrusted Yahoo with such information, absent the express or implied agreement by Yahoo to safeguard, protect, and maintain the non-public, financial, and personal information of Plaintiff and the other Class Members from being accessed, taken, or misused by unauthorized persons.

53. Plaintiff and the other Class Members fully performed their obligations under the express or implied contracts with Yahoo.

54. Yahoo breached its express or implied promises to safeguard, protect, and maintain the non-public, financial, and personal information of Plaintiff and the other Class Members from being accessed, taken, or misused by unauthorized persons.

55.
As a result of Yahoo’s breach of its express or implied promises, Plaintiff and the other Class Members have been proximately harmed and injured in the ways described herein.

WHEREFORE, Plaintiff and the Class pray for relief as set forth below.

COUNT FOUR
VIOLATION OF CALIFORNIA CIVIL CODE § 1798.80, ET SEQ.
(Plaintiff individually and All Class Members)

56. Plaintiff incorporates by reference each of the preceding paragraphs as if fully set forth herein.

57. California Civil Code § 1798.80 et seq. (the “Customer Records Act”) requires any person conducting business in California and that owns computerized data to disclose data breaches to affected users if the breach exposed unencrypted personal information.

58. The Customer Records Act also requires that the notice be made in the most expedient time possible without any unreasonable delay.

59. Yahoo failed to notify users of the 2013 Hack in an expedient fashion because of the pending sale of Yahoo’s core business to Verizon.

60. The 2013 Hack qualifies as a “breach of security system” of Yahoo within the meaning of Civil Code § 1798.82(g).

61. Yahoo is liable to Plaintiff and the Class Members for $500.00 pursuant to Civil Code § 1798.84(c), or up to $3,000.00 per class member if Yahoo’s actions are deemed willful, intentional, and/or reckless.

62. Yahoo is also liable for Plaintiff’s reasonable attorneys’ fees and costs pursuant to Civil Code § 1798.84(g).

WHEREFORE, Plaintiff and the Class pray for relief as set forth below.

COUNT FIVE
VIOLATION OF CALIFORNIA BUSINESS AND PROFESSIONS CODE § 17200, ET SEQ.
(Plaintiff individually and All Class Members)

63. Plaintiff incorporates by reference each of the preceding paragraphs as if fully set forth herein.

64.
California’s Unfair Competition Law (“UCL”) is designed to protect consumers from illegal, fraudulent, and unfair business practices.

65. Yahoo’s practice of representing that it adequately protected users’ financial and personal information, while Yahoo in fact employed sub-par and ineffective security measures in order to cut costs, is a deceptive business practice within the meaning of the UCL. In fact, Yahoo continues to employ sub-par and ineffective security measures as to the non-public, financial and personal information of users both to keep costs low and to facilitate closing of its sale to Verizon. Thus, Yahoo continues to engage in deceptive business practices.

66. Yahoo’s practice of withholding information about the 2013 Hack from its users is also a deceptive business practice within the meaning of the UCL, because users reasonably expect to be notified if their non-public, financial and personal information is compromised.

67. Yahoo’s practices are unfair because they allowed Yahoo to profit while simultaneously exposing Yahoo users, such as Plaintiff, to harm in the form of an increased risk of having their personal information stolen, which in fact occurred: the 2013 Hack. Such harm was not foreseeable to Yahoo’s users, who expected Yahoo to employ industry-standard security measures, including cybersecurity firewalls to prevent a hack and investigative tools to timely discover one, and to promptly disclose any data breach.

68. Yahoo’s deceptive business practices induced Plaintiff and the Class to use Yahoo’s services and provide personal information to Yahoo.

69. As a direct result of Yahoo’s deceptive business practices, Plaintiff and the Class have been and are being damaged.

WHEREFORE, Plaintiff and the Class pray for relief as set forth below.
COUNT SIX
BAILMENT
(Plaintiff individually and All Class Members)

70. Plaintiff incorporates by reference each of the preceding paragraphs as if fully set forth herein.

71. Plaintiff and Class Members delivered their non-public, financial and personal information to Yahoo for the exclusive purpose of creating a Yahoo account.

72. In delivering their personal information to Yahoo, Plaintiff and Class Members intended and understood that Yahoo would adequately safeguard their non-public, financial and personal information.

73. Yahoo accepted possession of the non-public, financial and personal information of Plaintiff and Class Members for the purpose of creating a Yahoo user account.

74. By accepting possession of their non-public, financial and personal information, Yahoo understood that Plaintiff and the other Class Members expected Yahoo to adequately safeguard their non-public, financial and personal information. Accordingly, a bailment was established for the mutual benefit of the parties.

75. During the bailment, Yahoo owed a duty to Plaintiff and Class Members to exercise reasonable care, diligence and prudence in protecting their non-public, financial and personal information.

76. Yahoo breached its duty of care by failing to take appropriate measures to safeguard and protect the non-public, financial and personal information of Plaintiff and the other Class Members, resulting in the unlawful and unauthorized access to and misuse of their non-public, financial and personal information: the 2013 Hack.

77. Yahoo further breached its duty to safeguard the non-public, financial and personal information of Plaintiff and the other Class Members by failing to timely and accurately notify them that their information had been compromised as a result of the 2013 Hack.

78.
As a direct and proximate result of Yahoo’s breach of its duty, Plaintiff and Class Members suffered and continue to suffer consequential damages that were reasonably foreseeable to Yahoo, including, but not limited to, the damages set forth herein.

79. As a direct and proximate result of Yahoo’s breach of its duty, the non-public, financial and personal information of Plaintiff and the other Class Members entrusted to Yahoo during the bailment was damaged and its value diminished.

WHEREFORE, Plaintiff and the Class pray for relief as set forth below.

COUNT SEVEN
UNJUST ENRICHMENT
(Plaintiff individually and All Class Members)

80. Plaintiff incorporates by reference each of the preceding paragraphs as if fully set forth herein.

81. As a result of Yahoo’s misleading representations and omissions concerning the adequacy of its data security practices, Plaintiff and Class Members were induced to use Yahoo services, and to provide Yahoo with their non-public, financial and personal information.

82. Yahoo derived substantial revenues due to Plaintiff and the Class Members using Yahoo’s services and providing Yahoo with their non-public, financial and personal information, including through the sale of advertising directed at Plaintiff and the Class Members.

83. In addition, Yahoo saved on the substantial cost of providing adequate data security to Plaintiff and the Class. Yahoo’s cost savings came at the direct expense of the privacy and confidentiality of the non-public, financial and personal information belonging to Plaintiff and the Class Members.

84. Plaintiff and the Class have been damaged and continue to be damaged by Yahoo’s actions, and Yahoo has been unjustly enriched thereby.

85. Plaintiff and the Class are therefore entitled to damages as a result of Yahoo’s unjust enrichment, including the disgorgement of all revenue received and costs saved by Yahoo as a result of the 2013 Hack.
WHEREFORE, Plaintiff and the Class pray for relief as set forth below.

VII. PRAYER FOR RELIEF

WHEREFORE, Plaintiff, individually and on behalf of the Class, respectfully requests that the Court:

A. Determine that this action may be maintained as a class action pursuant to Federal Rule of Civil Procedure 23(a), (b)(2) and (b)(3);

B. Direct that reasonable notice of this action, as provided by Federal Rule of Civil Procedure 23(c)(2), be given to the Class;

C. Appoint Plaintiff as Class Representative;

D. Appoint Plaintiff’s counsel as Class Counsel;

E. Enter judgment against Defendant and in favor of Plaintiff and the Class;

F. Adjudge and decree that the acts alleged herein by Plaintiff and the Class against Defendant constitute negligence, negligent misrepresentation, breaches of express and implied contracts, violation of California Civil Code § 1798.80, et seq., violation of California’s Unfair Competition Law, bailment, and unjust enrichment;

G. Award all compensatory and statutory damages to Plaintiff and the Class in an amount to be determined at trial;

H. Award restitution, including the disgorgement of all revenue received and costs saved by Yahoo as a result of the 2013 Hack, payable to Plaintiff and the Class;

I. Award punitive damages, including treble and/or exemplary damages, in an appropriate amount;

J. Enter an injunction permanently barring continuation of the conduct complained of herein, and mandating that Defendant and any successors in interest, e.g., Verizon, be required to adopt and implement appropriate systems, controls, policies and procedures to protect the non-public, financial and personal information of Plaintiff and the Class;

K.
Award Plaintiff and the Class the costs incurred in this action together with reasonable attorneys’ fees and expenses, including any necessary expert fees as well as pre-judgment and post-judgment interest; and

L. Grant such other and further relief as is necessary to correct for the effects of Defendant’s unlawful conduct and as the Court deems just and proper.

Dated: December 22, 2016
COTCHETT, PITRE & McCARTHY, LLP

/s/ Joseph W. Cotchett
JOSEPH W. COTCHETT
Attorneys for Plaintiffs

JURY DEMAND

Plaintiff respectfully demands trial by jury on all issues so triable.

Dated: December 22, 2016
COTCHETT, PITRE & McCARTHY, LLP

/s/ Joseph W. Cotchett
JOSEPH W. COTCHETT
Attorneys for Plaintiffs

EXHIBIT A

12/20/2016 8-K

UNITED STATES SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549

FORM 8-K

CURRENT REPORT
Pursuant to Section 13 or 15(d) of The Securities Exchange Act of 1934

Date of Report (Date of earliest event reported): December 14, 2016

Yahoo! Inc.
(Exact name of registrant as specified in its charter)

Delaware (State or other jurisdiction of incorporation)
000-28018 (Commission File Number)
77-0398689 (I.R.S. Employer Identification No.)

701 First Avenue, Sunnyvale, California (Address of principal executive offices)
94089 (Zip Code)

Registrant’s telephone number, including area code: (408) 349-3300

Not Applicable
(Former name or former address, if changed since last report.)
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

☐ Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)
☐ Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)
☐ Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))
☐ Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

https://www.sec.gov/Archives/edgar/data/1011006/000119312516793106/d305610d8k.htm

Item 8.01. Other Events.

On December 14, 2016, Yahoo! Inc. (“Yahoo”) issued a press release providing important information to users regarding data security issues concerning certain Yahoo user accounts. A copy of the press release is attached hereto as Exhibit 99.1 and is incorporated herein by reference.

Item 9.01. Financial Statements and Exhibits.

(d) Exhibits.

Exhibit No.   Description
99.1          Yahoo! Inc. press release dated December 14, 2016.

SIGNATURE

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

YAHOO! INC.
(Registrant)

By: /s/ Ronald S. Bell
Name: Ronald S. Bell
Title: General Counsel and Secretary

Date: December 14, 2016

EXHIBIT INDEX

Exhibit No.   Description
99.1          Yahoo! Inc. press release dated December 14, 2016.
Exhibit 99.1

Important Security Information for Yahoo Users

SUNNYVALE, Calif., December 14, 2016— Yahoo! Inc. (NASDAQ:YHOO) has identified data security issues concerning certain Yahoo user accounts. Yahoo has taken steps to secure user accounts and is working closely with law enforcement.

As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed was Yahoo user data. The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016.

For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.

Yahoo is notifying potentially affected users and has taken steps to secure their accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.

https://www.sec.gov/Archives/edgar/data/1011006/000119312516793106/d305610dex991.htm

Yahoo encourages users to review all of their online accounts for suspicious activity and to change their passwords and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account. The company further recommends that users avoid clicking links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information. Additionally, Yahoo recommends using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

Additional information will be available on the Yahoo Account Security Issues FAQs page, https://yahoo.com/security-update.

About Yahoo

Yahoo is a guide to digital information discovery, focused on informing, connecting, and entertaining through its search, communications, and digital content products. By creating highly personalized experiences, Yahoo helps users discover the information that matters most to them around the world — on mobile or desktop.
Yahoo connects advertisers with target audiences through a streamlined advertising technology stack that combines the power of Yahoo’s data, content, and technology. Yahoo is headquartered in Sunnyvale, California, and has offices located throughout the Americas, Asia Pacific (APAC) and the Europe, Middle East and Africa (EMEA) regions. For more information, visit the pressroom (pressroom.yahoo.net) or the Company’s blog (yahoo.tumblr.com).

Statements in this press release regarding the findings of Yahoo’s ongoing investigations involve potential risks and uncertainties. The final conclusions of the investigations may differ from the findings to date due to various factors including, but not limited to, the discovery of new or additional information and other developments that may arise during the course of the investigation. More information about potential risks and uncertainties of security breaches that could affect the Company’s business and financial results is included under the caption “Risk Factors” in the Company’s Quarterly Report on Form 10-Q for the quarter ended September 30, 2016, which is on file with the SEC and available on the SEC’s website at www.sec.gov.

Yahoo!, the Yahoo family of marks, and the associated logos are trademarks and/or registered trademarks of Yahoo! Inc. Other names are trademarks and/or registered trademarks of their respective owners.
Yahoo
Suzanne Philion
sphilion@yahoo-inc.com
+1 (408) 349-4040

EXHIBIT B

12/20/2016

Yahoo Privacy Center

Welcome to the Yahoo Privacy Center -- take a look around. You'll learn how Yahoo treats your personal information, along with ways to control your preferences and settings. As always, Yahoo is committed to gaining your trust.

What This Privacy Policy Covers

Yahoo takes your privacy seriously. Please read the following to learn more about our privacy policy.

The federal government and technology industry have developed practical tips to help you guard against Internet fraud, secure your computer and protect your personal information.

How Yahoo Uses Your Personal Information

This policy covers how Yahoo treats personal information that Yahoo collects and receives, including information related to your past use of Yahoo products and services. Personal information is information about you that is personally identifiable like your name, address, email address, or phone number, and that is not otherwise publicly available.

This privacy policy only applies to Yahoo

This policy does not apply to the practices of companies that Yahoo does not own or control, or to people that Yahoo does not employ or manage. In addition, some companies that Yahoo has acquired have their own, preexisting privacy policies which may be viewed on our affiliates page.
Data Transfer

Your personal information may be transferred to countries other than your own to process and store data in accordance with our Privacy Policy and to provide you with products and services. Some of these countries may not have the same data protection safeguards as the country where you reside. Yahoo may process personal information related to individuals in the EU and may transfer that information from the EU through various compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses. By using our products and services, you consent to us transferring your data to these countries. We are committed to ensuring your information is protected and apply safeguards in accordance with applicable law. For more information, please visit our Data Transfer page.

Information Collection & Use

General

Yahoo collects personal information when you register with Yahoo, when you use Yahoo products or services, when you visit Yahoo pages or the pages of certain Yahoo partners, and when you enter promotions or sweepstakes. Yahoo may combine information about you that we have with information we obtain from business partners or other companies.

When you register we ask for information such as your name, email address, birth date, gender, ZIP code, occupation, industry, and personal interests. For some financial products and services we might also ask for your address, Social Security number, and information about your assets. When you register with Yahoo and sign in to our services, you are not anonymous to us.

Yahoo collects information about your transactions with us and with some of our business partners, including information about your use of financial products and services that we offer.

Yahoo analyzes and stores all communications content, including email content from incoming and outgoing email.
Yahoo automatically receives and records information from your computer and browser, including your IP address, Yahoo cookie information, software and hardware attributes, and the page you request.

Yahoo uses information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.

Children

With parental permission, a child under age 13 might have a Yahoo Family Account. Visit Children's Privacy & Family Accounts to learn more about children’s privacy on Yahoo.

Information Sharing & Disclosure

Yahoo does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you've requested, when we have your permission, or under the following circumstances:

We provide the information to trusted partners who work on behalf of or with Yahoo under confidentiality agreements. These companies may use your personal information to help Yahoo communicate with you about offers from Yahoo and our marketing partners. However, these companies do not have any independent right to share this information.

https://policies.yahoo.com/us/en/yahoo/privacy/

We have a parent's permission to share the information if the user is a child under age 13. See Children's Privacy & Family Accounts for more information about our privacy practices for children under 13.

We respond to subpoenas, court orders, or legal process (such as law enforcement requests), or to establish or exercise our legal rights or defend against legal claims.
We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo's terms of use, or as otherwise required by law.

We transfer information about you if Yahoo is acquired by or merged with another company. In this event, Yahoo will notify you before information about you is transferred and becomes subject to a different privacy policy.

Yahoo displays targeted advertisements based on personal information. Advertisers (including ad serving companies) may assume that people who interact with, view, or click targeted ads meet the targeting criteria—for example, women ages 18-24 from a particular geographic area.

Yahoo does not provide any personal information to the advertiser when you interact with or view a targeted ad. However, by interacting with or viewing an ad you are consenting to the possibility that the advertiser will make the assumption that you meet the targeting criteria used to display the ad.

Yahoo advertisers include financial service providers (such as banks, insurance agents, stock brokers and mortgage lenders) and non-financial companies (such as stores, airlines, and software companies).

Yahoo works with vendors, partners, advertisers, and other service providers in different industries and categories of business. For more information regarding providers of products or services that you've requested please read our detailed reference links.

Cookies & Similar Technologies

Yahoo may set and access Yahoo cookies on your computer. We may also set and access device identifiers which could include IP address, user agent information (browser version, OS type and version), and device provided identifiers. Once you log into Yahoo on your device, Yahoo may recognize your device to provide you with a personalized experience, independent of your device settings.
You can control your personalized experience across Yahoo through our Ad Interest Manager. Learn more.

Yahoo lets other companies that show advertisements on some of our pages set and access their cookies on your computer. Other companies' use of their cookies and device identifiers is subject to their own privacy policies, not this one. Advertisers or other companies do not have access to Yahoo's cookies.

Yahoo uses web beacons to access Yahoo cookies inside and outside our network of web sites and in connection with Yahoo products and services.

Your Ability to Edit and Delete Your Account Information and Preferences

You can edit your Yahoo Account Information, including your marketing preferences, at any time. You can also modify information you have provided to Yahoo through the Yahoo products or services you may use.

New categories of marketing communications might be added to the Marketing Preferences page from time to time. Users who visit this page can opt out of receiving future marketing communications from these new categories or they can unsubscribe by following instructions contained in the messages they receive.

We reserve the right to send you certain communications relating to the Yahoo service, such as service announcements, administrative messages and the Yahoo Newsletter, that are considered part of your Yahoo account, without offering you the opportunity to opt out of receiving them.

You can delete your Yahoo account by visiting our Account Deletion page. Please click here to read about information that might possibly remain in our archived records after your account has been deleted.

Confidentiality & Security

We limit access to personal information about you to employees who we believe reasonably need to come into contact with that information to provide products or services to you or in order to do their jobs.

We have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you.
To learn more about security, including the security steps we have taken and security steps you can take, please read Security at Yahoo.

Changes to This Policy

Yahoo may update this policy. We will notify you about significant changes in the way we treat personal information by sending a notice to the primary email address specified in your Yahoo account or by placing a prominent notice on our site.

Questions & Suggestions

If you have questions, suggestions, or wish to make a complaint, please complete a feedback form or you can contact us at:

Yahoo! Inc.
Customer Care - Privacy Policy Issues
701 First Avenue
Sunnyvale, CA 94089
(408) 349-5070

If you feel that your inquiry has not been satisfactorily addressed, please click here for information on consumer agencies that may be able to provide you with additional assistance.

Last Updated: November 23, 2016

Personalized Experience

By bringing content and advertising to you that is relevant and tailored to your interests, Yahoo provides a more compelling online experience. Update your content or search preferences, manage your advertising choices, or learn more about relevant advertising.
Links

Yahoo Global Public Policy Blog
Register for a Yahoo Account
Manage Your Yahoo Account
Learn About Account Security
Learn About Your Online Safety
Learn About Accessibility @ Yahoo

EXHIBIT C

12/21/2016

Security at Yahoo

Protecting our systems and our users’ information is paramount to ensuring Yahoo users enjoy a secure user experience and maintaining our users’ trust. We have taken the following measures to protect your information:

Transport Layer Security (TLS)

We use TLS encryption when transmitting certain kinds of information, such as financial services information or payment information. An icon resembling a padlock is displayed in most browsers during TLS sessions.

Second Sign-in Verification

You may turn on a setting that requires a second piece of information such as a code sent via SMS - in addition to your password - when signing in to your account from a device or location we don’t recognize. Learn more about second sign-in verification.

On-Demand Passwords

Yahoo also offers on-demand passwords. By linking your mobile device to your account, you enable Yahoo to provide you with an on-demand password sent to your mobile phone, so you don't have to remember passwords anymore. Learn more about on-demand passwords.

Secure Storage

We deploy industry standard physical, technical, and procedural safeguards that comply with relevant regulations to protect your personal information.

Vendors and Partners

To protect the security and privacy of your information, we may provide information to partners and vendors who work on our behalf or with us under confidentiality agreements.
These companies do not have any independent right to use or share this information without your consent.

Access to Information

We limit access to personal information about you to those employees who we reasonably believe need to come into contact with that information to provide products or services to you or in order to process this information for us.

Education and Training

We have implemented a company-wide education and training program about security that is required of every Yahoo employee.

Please note that no data transmission over the Internet or information storage technology can be guaranteed to be 100% secure. We continue to evaluate and implement enhancements in security technology and practices.

Security Takes Teamwork

You also need to take your security seriously. Please visit our Safety Center for tools and tips about ways to remain vigilant and steps you can take on your own to help protect your information and reduce the risks of unauthorized access.

How to Report Security Incidents

Information about reporting security incidents is found in our Safety Center.

Yahoo Privacy

To find out how Yahoo treats your personal information, please visit our Privacy Policy.

This page describes current Yahoo practices with respect to this product or topic. Information on this page may change as Yahoo adds or removes features.

Personalized Experience

By bringing content and advertising to you that is relevant and tailored to your interests, Yahoo provides a more compelling online experience. Update your content or search preferences, manage your advertising choices, or learn more about relevant advertising.

https://policies.yahoo.com/us/en/yahoo/privacy/topics/security/index.htm

EXHIBIT D

Yahoo’s Code of Ethics
Winning with Integrity

Winning with Integrity

Yahoos,

Yahoo is the place where millions of people go to see what is happening with the people and the things that matter to them most.
We must do everything possible to continue to earn and keep their trust. Our conduct must always reflect Yahoo’s values, demonstrate ethical leadership and uphold Yahoo’s reputation for integrity.

We are committed to the highest standards of business conduct in our relationships with each other, our users, our stockholders and our customers, suppliers and partners. This Code of Ethics applies to all Yahoos and provides the information necessary to fulfill our obligations to act with integrity and in compliance with the laws and regulations that affect our business.

All Yahoos are expected to conduct themselves in accordance with the spirit as well as the letter of this Code of Ethics and always maintain the highest standards of integrity when conducting Yahoo business. If you are ever unsure of what to do – please ask!

Yahoo’s Ethics and Compliance Office (ECO) is responsible for overseeing compliance with this Code of Ethics and is available to answer your questions and receive reports of suspected ethics and compliance issues. You may contact the ECO utilizing any of the methods below:

Phone: 408-349-3059
Email: eco@yahoo-inc.com
IntegrityLine: 1-888-47-Yahoo (1-888-479-2466)
Website: integrityline.yahoo.com

Let’s make sure we continue to Win with Integrity!
Contents

Our Values

Our Code

Our Company
• Respect for Our Fellow Yahoos
• A Safe and Secure Workplace
• Conflicts of Interest
• Accurate Business Communications, Records, and Contracts
• External Communications
• Confidential Information and Intellectual Property
• Copyrights
• Use of Yahoo Resources
• Q&A

Our Business Relationships
• Fair Competition
• Business Courtesies
• Export, Import, and Anti-Boycott Laws
• Insider Trading
• Money Laundering
• Gathering Information About Competitors
• Anticorruption Laws
• Q&A

Our Community
• User Privacy
• Protecting the Environment
• Political Activities and Contributions
• Representations Regarding Yahoo’s Business, Products, Services, and Competitors
• Human Rights
• Child Protection
• Q&A

Our Responsibility
• Reporting Violations
• Tools and Resources
• Seeking Guidance
• Waivers of the Code

A Message from Yahoo’s Board of Directors

Our values shape the culture and define the character of our company. They are at the heart of who we are and what we do.

Our Values

Excellence:
• We are committed to winning with integrity.
• We know leadership is hard won and should never be taken for granted.
• We aspire to flawless execution and don’t take shortcuts on quality.
• We seek the best talent and promote its development.
• We are flexible and learn from our mistakes.

Innovation:
• We thrive on creativity and ingenuity.
• We seek the innovations and ideas that can change the world.
• We anticipate market trends and move quickly to embrace them.
• We are not afraid to take informed, responsible risk.

Customer Fixation:
• We respect our customers above all else and never forget that they come to us by choice.
• We share a personal responsibility to maintain our customers’ loyalty and trust.
• We listen and respond to our customers and seek to exceed their expectations.

Teamwork:
• We treat one another with respect and communicate openly.
• We foster collaboration while maintaining individual accountability.
• We encourage the best ideas to surface from anywhere within the organization.
• We appreciate the value of multiple perspectives and diverse expertise.

Community:
• We share an infectious sense of mission to make an impact on society and empower consumers in ways never before possible.
• We are committed to serving both the Internet community and our own communities.

Fun:
• We believe humor is essential to success.
• We applaud irreverence and don’t take ourselves too seriously.
• We celebrate achievement.
• We yodel.

Together, we share a commitment to safeguard Yahoo’s reputation for integrity. Our continued success depends on your ability to make decisions that are consistent with our values. Do your part to understand and comply with the letter and the spirit of Yahoo’s Code of Ethics. Conduct business with honesty and integrity and refrain from doing anything that would harm our reputation.

Our Code

“What Should I Do If…”

Yahoo’s Code of Ethics is a resource designed to help you navigate your way through ethical situations you may encounter on the job. It defines what Yahoo expects of its businesses and people, and provides the information necessary to help each of us act with integrity and in compliance with the laws and regulations applicable to our worldwide operations.

The Code Applies to Everyone at Yahoo

This Code of Ethics applies to all Yahoo employees (including officers, senior financial officers, and employees of our international subsidiaries and affiliates), directors, and all contractors assigned at Yahoo, regardless of position, location, or level of responsibility. As a global business, Yahoo employees are subject to the laws and regulations of different countries and organizations, such as the European Union. Each of us is responsible for knowing and following the laws that apply to us where we work. Yahoos outside the United States should refer to local Yahoo policies and guidelines. In some cases, local country law may establish requirements that differ from our Code. In these cases or when in doubt, seek guidance from the ECO or the Legal Department. Changes to and waivers of this Code of Ethics will be publicly disclosed as required by applicable law and regulations.

For purposes of this Code of Ethics, the term “Yahoos” refers to employees of Yahoo. Third-party contractors, agents, outsourced service providers, consultants, and interns performing services for Yahoo must also comply with this Code of Ethics in their performance of such services and have the same obligations and responsibilities as Yahoos under this Code.

Exercise Good Judgment

You won’t find the answer to every question here, but you will find the guidance you need to help you use good judgment in your decision-making, and you’ll find a list of resources you can tap regarding any questions or concerns. When faced with a situation that is not covered in the Code, consider your action in light of the following questions:

• Is it ethical?
• Is it legal?
• Is it consistent with Yahoo’s values?
• Does it comply with our Code of Ethics or other company policy?
• Would you feel okay about it if it was reported in the media or communicated to management? Your peers? Your family?
• Does it protect both Yahoo’s short-term and long-term interests?
• Would you be able to look your manager or CEO in the eye and say you did the right thing?

If you can answer “yes” to all of these questions, then the decision to move forward is probably appropriate. If you’re not sure, consult with your manager, the Legal Department, or the ECO for guidance.

Speak up if you see or suspect activity that violates our Code. It may seem easier to say nothing or to look the other way, but taking no action can have serious consequences.

KNOW THE CODE

• Make decisions that are consistent with our values.
• Read, understand, and follow the Code.
• Know and comply with the laws and regulations of each country where we do business.
• Work to ensure that third-party contractors, agents, or consultants who work on Yahoo’s behalf or are assigned to Yahoo are aware of our Code and act consistent with it.
• If you are a supervisor, promote compliance and ethics by example – show what it means to act with integrity.
• Report any violations of our Code and seek advice if you are ever unsure about what to do.

Our Company

Our people are our most important asset. We respect each other. We work together as One Yahoo.

Respect for Our Fellow Yahoos

The experiences, skills, and insights of employees from a variety of backgrounds and cultures enrich our corporate environment, improve our employees’ effectiveness and satisfaction, and ultimately contribute to the success of Yahoo.

Yahoo is an equal opportunity employer and believes every employee is entitled to fair treatment, courtesy, and respect. We do not tolerate illegal employment discrimination or unlawful workplace harassment. We maintain a diverse and inclusive work environment where the cultural differences of employees are embraced.

KNOW THE CODE

• Treat others with respect and dignity.
• Speak up if you see or suspect that others are being harassed or discriminated against.
• If you’re a manager, make sure employment decisions comply with company policy and are based on lawful business reasons.
• Follow Yahoo’s privacy and data protection policy. Each of us has a responsibility to protect personal data from unauthorized access, loss, misuse, or unauthorized disclosure.

For further guidance on respect for our fellow Yahoos, U.S. employees may consult the “Our Standards” policies on Working @ Yahoo on Backyard.

Yahoos outside the U.S. should refer to local policies and guidelines.
A Safe and Secure Workplace

Yahoo is committed to providing a safe, healthy, secure, and drug-free work environment for all employees. As a Yahoo, you are prohibited from using, possessing, selling, or being under the influence of any illegal substance on Yahoo property or when conducting Yahoo business. To further ensure a safe workplace, Yahoos are also prohibited from making threats, committing acts of violence or intimidation, or possessing or selling firearms or weapons on Yahoo property or when conducting Yahoo business.

KNOW THE CODE

• Know and abide by Yahoo policies regarding drugs and alcohol.
• Report any unsafe conditions, violent acts, or threats.

For further guidance on a safe and secure workplace, U.S. employees can refer to the security, health, and safety policies on Working @ Yahoo on Backyard.

Yahoos outside the U.S. should refer to local policies and guidelines.

Conflicts of Interest

We all must dedicate our best efforts to Yahoo’s success and ensure that our efforts are not compromised by potential conflicts of interest. Each of us must avoid any situation that may create or appear to create a conflict between our personal interests and the interests of Yahoo. You are required to disclose all potential conflicts of interest and to promptly take action to eliminate a conflict if Yahoo requests that you do so.

Conflicts of interest can arise in many ways, including:

• Outside board memberships (including technical advisory boards)
• Outside business activities
• Outside employment
• Outside investments
• Business relationships with friends or relatives
• Using your position or assignment at Yahoo for personal gain
• Outside relationships with Yahoo suppliers, customers, competitors, or partners

Transparency is the key to avoiding conflicts of interest. When in doubt, ask the ECO for guidance to assess the potential for a conflict of interest and determine how it can be resolved. And remember, you may not use other people to do indirectly what you are prohibited from doing yourself.

KNOW THE CODE

• Always ask yourself: Am I doing what’s right for Yahoo?
• If a conflict of interest (or even the appearance of one) develops, seek guidance from the ECO.
• Don’t accept employment or serve as a member on the board (including a technical advisory board) of a Yahoo competitor.
• Get written approval from the ECO before accepting employment or assignment if (1) employment is with a Yahoo customer, supplier, or other business partner, or (2) the employment will interfere with your responsibilities at Yahoo (this includes excessive time commitments, pay, etc.).
• Get written approval from the ECO before serving on the board (including a technical advisory board) of any for-profit organization.
• You don’t need to seek approval from the ECO to serve on the board of a not-for-profit organization unless the organization has a business relationship with Yahoo.
• Always obtain written approval from the ECO before directing or recommending that Yahoo business be referred to an outside company in which you or a related person has a financial interest or before conducting any Yahoo business with such a company.
• You may not own an interest in any nonpublic company that competes with Yahoo or an interest in excess of 1% in any public company that competes with Yahoo.
• Don’t accept from a third party any stocks, discounted stocks, “friends and family stock,” or stock options that are offered by virtue of your being a Yahoo or because of the work you do for Yahoo.
• Obtain written approval from the ECO before securing an interest in any nonpublic company that does business with Yahoo or securing an interest in excess of 1% of any public company that does business with Yahoo.
• In any situation in which ECO approval is required by this policy, members of the Board of Directors and executive officers must also obtain written approval by the Audit Committee of the Board of Directors.
• Don’t hire or conduct business with a related person unless you obtain approval in writing from the ECO.

Related person means any family member including current spouse, children, parents, in-laws, grandparents, grandchildren, brothers, sisters, aunts, uncles, cousins, nephews, nieces, domestic partners, and anyone else whose relationship to you, in the judgment of the Compliance Officer, could impair or be perceived to impair objective judgment and/or good working relationships.

For further guidance on conflicts of interest, refer to the Conflict of Interest Policy on Backyard.

Accurate Business Communications, Records, and Contracts

Accurate and reliable business records are critical to meeting our financial, legal, and business obligations. If you are responsible for creating and maintaining Yahoo’s financial records, you must do so in accordance with applicable legal requirements and generally accepted accounting practices. Disclosure in reports and documents filed with or submitted to the U.S. Securities and Exchange Commission and in other public communications made by Yahoo must be full, fair, accurate, timely, and understandable. In order to make sure our contractual commitments are properly reviewed and approved, Yahoos must comply with all signature authority policies.

KNOW THE CODE

• Make sure information we disclose about our company is clear, truthful, and accurate.
• Don’t enter into any contracts or commit Yahoo to any obligations with an outside party unless you’re authorized to do so.
• If you become aware of any omission, inaccuracy, or falsification in Yahoo’s business records (or its supporting information), contact the ECO or Legal Department.
• Avoid exaggerating, making derogatory characterizations of people or companies, or drawing legal conclusions in business records and communications (including email, IMs, voicemail, blogs, twikis, and informal memos, regardless of intended distribution).
• Ensure that written agreements accurately and completely reflect the terms of the business deal they describe.
• Don’t make any unauthorized extra-contractual promises, commitments, or side letters on behalf of Yahoo without obtaining the approval of the Legal Department.
• Obtain approval from the appropriate business, legal, or financial approver for any nonstandard terms and agreements or for any proposed modifications to existing agreements.

External Communications

Communicating consistent and accurate information to the public is vital to our image and is required to meet regulatory and legal obligations. Only people authorized by our Corporate Communications Department may speak as a Yahoo representative or about Yahoo’s business with the press or at external events, conferences, industry tradeshows, or forums. And only Yahoos authorized by the Chief Financial Officer or the Investor Relations Department may speak on behalf of Yahoo to members of the financial community, such as securities analysts, stockholders, or fund managers.

KNOW THE CODE

• Don’t speak on behalf of Yahoo unless you’re authorized to do so.
• Direct any inquiries from the media, analysts, and other organizations to either Corporate Communications or Investor Relations.
• Consult with the Legal Department before responding to requests for information from government agencies and regulators, including subpoenas.
• If the Legal Department advises you to respond to requests for information, make sure that what you provide is complete, current, and accurate.
Confidential Information and Intellectual Property

By protecting our knowledge base and our information systems, we protect our competitive advantage.

If you are employed by Yahoo or providing services to Yahoo, you may have access to confidential and/or proprietary information regarding our business, users, advertisers, content providers, vendors, partners, candidates for employment, or perhaps even fellow Yahoos. Protecting this information is vital to our success. We are also committed to respecting the intellectual property and protected information of others.

Examples of confidential information include product information, plans, specifications, designs, and pricing; nonpublic financial information, including forecasts, budgets, and data; acquisition or merger prospects or arrangements; marketing or advertising plans or strategies; business strategies; contract terms; credit procedures; customer preferences; research and development plans; technical information and data; customer lists or files; employment and personnel information, and; compensation data, including information relating to employee stock ownership or entitlement.

We have a responsibility to protect our trademarks too, including the Yahoo name and logos, slogans – even our yodel.

KNOW THE CODE

• Safeguard confidential information and abide by the terms of the proprietary information agreement you signed when you started working at Yahoo.
• If you become aware of others using our logos, names, or other trademarks in a way that’s unauthorized, contact the trademark group.
• Don’t disclose any confidential information outside of Yahoo or to anyone who does not have a need to know, unless you’re authorized by appropriate management or the Legal Department to do so.
• Don’t bring confidential or proprietary information of a prior employer or another third party into Yahoo.
• Remember, your obligation to protect confidential information applies even if you stop working at Yahoo.
• Any unsolicited, third-party proprietary information should be refused. If you inadvertently receive it, notify the Legal Department immediately.
• Always use Yahoo trademarks in accordance with our trademarks policies – if you have questions, contact the Brand Team (brand-issues@yahoo-inc.com) and the trademark group within the Legal Department (trademarks@yahoo-inc.com).

For further guidance on confidential information and intellectual property, U.S. employees can refer to the security, health, and safety policies on Working @ Yahoo on Backyard.

Yahoos outside the U.S. should refer to local policies and guidelines.

Copyrights

Articles, images, audio and video recordings, lyrics, TV shows, movies, computer software, and other authored materials may be covered by copyright laws. The absence of a copyright notice does not necessarily mean the materials are not copyrighted. Likewise, you should not rely solely on a user’s representation that he or she owns the copyright to uploaded material for any repurposing of that material by Yahoo. When in doubt, always check with the Legal Department.

KNOW THE CODE

• Protect copyrighted information.
• Do not make unauthorized copies of copyrighted materials or incorporate someone else’s work into your own. It’s also illegal to distribute, display, or publicly perform copyright work without authorization.
• Yahoo licenses the use of computer software from outside companies and, in most cases, this software is protected by copyright – don’t make, acquire, or use unauthorized copies of it.
• Contact the Legal Department if you become aware of any apparent unauthorized use of copyrighted materials or have questions regarding how to determine whether a work is copyrighted.

For further guidance on copyright, please refer to the Copyright Policy at: http://info.yahoo.com/copyright/us/yahoo/en-us/details.html.
Yahoos outside the U.S. should refer to local policies and guidelines.

Use of Yahoo Resources

Yahoo’s computer and communication resources, including computers, cell phones, voicemail, and email, provide substantial benefits but also present significant security and liability risks to you and Yahoo. We each have a responsibility to use and maintain these assets with care and to guard against waste and abuse. Remember, when you use Yahoo computer or communications resources to access Internet services or to send email, IMs, text messages, voicemail, or other communication, you are acting as a representative of Yahoo. Any improper use of these resources may reflect poorly on Yahoo, damage its reputation, and expose you and Yahoo to legal liability.

KNOW THE CODE

• Use computer and communication resources in accordance with all Yahoo policies, including those that relate to harassment, privacy, copyrights, trademarks, trade secrets, and data security.
• Don’t use Yahoo resources in a way that’s unlawful, disruptive, or offensive to others.
• Remember, all of the computing and communications resources at Yahoo are the property of Yahoo and data from those resources may be inspected, monitored, collected, or disclosed by Yahoo in accordance with applicable law.

For further guidance on the use of Yahoo resources, U.S. employees may consult Data Security, Using Company Property, and Using Electronic Communications.

http://twiki.corp.yahoo.com/view/Paranoidpolicy/WebHome
http://backyard2.yahoo.com/policies/US/index.htm

Yahoos outside the U.S. should refer to local policies and guidelines.

Q&A

Q: I overheard a co-worker threaten another Yahoo, who was afraid to report the situation. What should I do?

A: Tell your manager, your Human Resources Business Partner or contact the ECO immediately. Yahoo will not tolerate acts or threats of violence and will investigate all reports as appropriate. You have a responsibility to act when you see or suspect a threat or risk to anyone at Yahoo. If you observe violence or other emergency in progress, do not intervene if doing so puts you or others in danger. Instead contact security or local law enforcement immediately.

Q: My wife’s company is bidding on a contract with another business unit of Yahoo where I have no decision-making authority. Do I need to report this as a conflict of interest?

A: Yes. Even though you might not have direct control over the outcome of the bid, the fact that your wife has connections to the company might give the appearance of a conflict of interest and should be reported. You must also avoid any attempts to influence decisions or decision-makers at Yahoo with respect to your wife’s company.

Q: What if my manager is exerting pressure on me to “make the numbers work”?

A: You have a responsibility to be honest and accurate. If you feel pressured to do otherwise, speak with someone in the ECO or consult with the Legal Department or your HR Business Partner. You may also contact the Audit Committee of the Board of Directors. If you feel uncomfortable going through internal channels, you can contact the IntegrityLine anytime, night or day.

Q: A former member of my team called to ask me for some copies of materials we worked on together when she was at Yahoo. As we talked, I realized that she still had some data we used on the project. I told her I’d call her back – now what?

A: First, don’t provide copies of the materials she requested. You may be in violation of the Code by doing so. She may have violated the Code by taking Yahoo confidential and/or proprietary information, and there could be other issues if she shared this information with others. Contact your manager, the ECO, or the Legal Department for guidance.

Q: What if you have a personal blog, where you talk about your life and your work – should you be concerned about what you discuss?

A: Yes. Yahoo believes in fostering a thriving online community and supports blogging as a valuable component of shared media. But, you need to be careful not to disclose confidential and/or proprietary information of Yahoo, our clients, or third parties to anyone (including family and friends) without a specific and legitimate need for the information. Make sure you know and follow Yahoo’s Personal Blog Guidelines and always be careful about discussing business matters with anyone outside of Yahoo, on the Internet, or even in physical spaces, within hearing distance of outsiders (for example, at lunch, on the Yahoo shuttle, or in elevators).

Our Business Relationships

The business relationships we forge, founded on trust and mutual advantage, are vital to our success.

Fair Competition

Yahoo believes in a free and open marketplace. We compete vigorously in all of our business activities, and we comply with laws that support this kind of market, wherever we do business. Antitrust and competition laws differ by country, are complex, and are not always intuitive. Generally, they prohibit any activities that may limit a business’s independent judgment or restrain free trade. These laws touch upon and affect almost every aspect of our operations, so it’s important that you are familiar with them and that you contact the Legal Department or the ECO for help in understanding how they affect your day-to-day work.

KNOW THE CODE

• Never enter into “tying arrangements,” in which a customer is required – as a condition of purchasing one product – to have to purchase a second, distinct product.
• Always consult with the Legal Department before you:
  – Join any trade associations or standards-setting bodies
  – Communicate with a competitor regarding business issues
  – Attend meetings where competitively sensitive topics may be discussed with people who are not Yahoos
  – Agree to contracts that provide for “exclusive rights”
  – Enter into any joint ventures
• Don’t agree with competitors to allocate or restrict customers, suppliers, markets, products, purchases, services, or sales territories – don’t even discuss these kinds of matters with a competitor.
• Don’t agree with competitors to set prices or price-related terms or conditions – again, even discussions with competitors about any aspect of pricing is prohibited.
• Never discriminate in the prices, terms, and services you offer to similarly situated customers.

Insider Trading

Applicable laws and Yahoo policy prohibit us from trading in Yahoo securities while possessing material nonpublic (sometimes referred to as “inside”) information. Material, nonpublic information is information that has not yet become publicly available that a reasonable investor would consider important in making a decision to buy, sell, or hold Yahoo stock. The same restrictions apply to trading in the stock of other companies, if you have knowledge of material, nonpublic information about them. Remember, even a “tip” is unlawful – passing along material nonpublic information to friends or family is also considered a form of insider trading.

Examples of nonpublic material information may include: financial results; projections of future earnings or losses; proposed mergers and acquisitions; a sale of significant assets; the gain or loss of a substantial customer or supplier; execution or termination of significant contracts; unanticipated changes in level of sales, orders, or expenses; an extraordinary item for accounting purposes; major financings or restructurings; creation of a material financial obligation; new equity or debt offerings; stock splits or dividend information; major product announcements; significant developments in litigation, senior management, or organizational changes, such as layoffs.

KNOW THE CODE

• Make sure you read and understand Yahoo’s Insider Trading Policy.
• Don’t trade in Yahoo securities or the securities of any other company (including Yahoo business partners or customers) when you possess material, nonpublic information.
• Remember that some Yahoos, because of their position in the company and the potential access they have to material nonpublic information, are also not allowed to trade during specified “blackout periods.”
• Be aware that insider trading can result in criminal penalties, civil penalties and/or disciplinary action, including dismissal.

For further guidance on insider trading, consult the Insider Trading Policy on Backyard. If you have a question about your proposed transactions in our stock, contact a stock administrator at stockadmin@yahoo-inc.com.

Business Courtesies

It is sometimes customary to exchange with third parties business courtesies, such as gifts, meals, drinks, entertainment, recreation, honoraria, transportation, discounts, promotional items, facilities, and equipment. The appropriateness of offering or accepting business courtesies depends on the circumstances and parties involved. In every case, a business courtesy should never be offered or accepted if it might create a sense of obligation, compromise your professional judgment, or create the appearance that it might. And gifts of cash or cash equivalents (such as gift certificates, securities, or below-market loans) in any amount are always prohibited. Also remember, it’s never acceptable to solicit a business courtesy.
If you are in doubt about whether a business courtesy is appropriate, contact the ECO for guidance.

KNOW THE CODE

• It is generally permissible to offer or accept a business courtesy with a commercial customer, supplier, vendor, or business partner when the business courtesy:
  – Is of customary value, as determined by Yahoo and industry practices
  – Is for the purpose of promoting goodwill and is not intended to influence a particular decision or create a reciprocal obligation
  – Is customary in the country where the exchange takes place and is not in violation of any laws, regulations, or policies
  – Would not reflect adversely on Yahoo if publicly disclosed, and
  – Has been approved by your manager
• Stricter and more specific rules apply when we do business with U.S. state, local, and federal government personnel and contractors acting on their behalf – business courtesies extended to these individuals must be approved in advance and in writing by the ECO or the Legal Department.
• The specific rules and regulations that govern business courtesies for non-U.S. government entities differs from country to country, and violations can result in criminal liability under the U.S. Foreign Corrupt Practices Act. Business courtesies to government officials or representatives of non-U.S. countries or regional entities must be approved in advance and in writing by the Legal Department.

For further guidance on business courtesies, refer to the Accepting Business Courtesy Policy and the Providing Business Courtesy Policy on Backyard.

Export, Import, and Anti-Boycott Laws

The U.S. export and import laws regulate where and with whom Yahoo can do business and where we may transfer services, software, and other technologies. These laws also regulate the disclosure of technical information to non-U.S. nationals, including non-U.S. national Yahoo employees, agents, and contractors located in the United States.
All Yahoo employees, agents, and contractors must also adhere to the applicable customs and laws for importing products or technology. All commercial items arriving in a foreign country are subject to customs declarations whether the item is in your baggage, hand-carried, or shipped as freight.
Yahoo is prohibited from participating in boycotts that are not sanctioned by the U.S. government – this includes (but is not limited to) agreements to discriminate, refusals to do business with certain countries or companies blacklisted by other governments, or letters of credit that require boycott-related acts. To ensure compliance with anti-boycott laws, always have the Legal Department review agreements, transactions, and letters of credit that contain potential boycott-related language.
The U.S. export laws apply to exports delivered electronically via the Internet, email, or download, as well as to physical products. Remember, our ability to export products, services, and technologies is a privilege, not a right, and the U.S. government can revoke that privilege in the event of a violation. Failure to comply with the law can lead to a range of severe civil and criminal penalties for Yahoo and individual employees, agents, and contractors, including fines, imprisonment, and revocation of the company’s export privileges.
KNOW THE CODE
• Coordinate early with the Legal Department in the product planning and development process in order to comply with export and import laws as they relate to physical or electronic international transfer of controlled goods, services, software, or technology outside the United States.
• Do not engage in transactions with parties engaged in proliferation of weapons of mass destruction, including nuclear, missile, chemical, and biological weaponry activities.
• Remember that transactions with countries subject to U.S.
trade embargo (currently Iran, Sudan, North Korea, Syria, and Cuba) are prohibited.
• Don’t participate in or promote boycotts that the United States does not support.
• Comply with required declarations and customs regulations when you are engaged in Yahoo business.
• Notify the Legal Department of any boycott-related requests so that they may be reported to the U.S. government.
• Do not conduct business with parties listed on governmental trade exclusion lists, including (but not limited to) the U.S. Denied Persons, Entity, and Specially Designated Nationals List.
• Never release or disclose export-restricted software or technology to certain non-U.S. nationals without an export license.
For further guidance on export, import, and anti-boycott laws consult Export Compliance on Backyard or email ExportCompliance@yahoo-inc.com.

Money Laundering
Money laundering is an attempt by individuals or organizations to hide or disguise the proceeds of criminal activity through a series of otherwise legitimate business transactions. We review Yahoo products and services before release to determine if any features could be susceptible to money laundering. Yahoo forbids knowingly engaging in transactions that facilitate money laundering or result in unlawful diversion.
KNOW THE CODE
• If you become aware of potential money laundering activities, immediately report your concerns to the Legal Department or to the ECO.

Gathering Information About Competitors
It is entirely proper for us to gather information about our marketplace, including information about our competitors and their products and services. But we must always do it appropriately and in a manner that will not reflect adversely on Yahoo. We should never use illegal or unethical means (such as by theft, spying, bribery, or in breach of a nondisclosure agreement) to obtain information.
Remember, the improper gathering or use of competitive information could subject you and Yahoo to criminal and civil liability. When in doubt as to whether your receipt or collection of information is proper, contact the Legal Department or litcon@yahoo-inc.com.
KNOW THE CODE
• Review public sources, such as websites, analyst reports, and business and marketing literature for information about competitors.
• Never attempt to obtain confidential information from competitors’ current or former employees or from Yahoo business partners, customers, or suppliers that do business with them.
• If there is any indication that competitive information you obtained was not lawfully received, refuse to accept it.
• If you receive any competitive information anonymously or marked “confidential,” don’t open or review it – contact the Legal Department immediately.

Anticorruption Laws
As Yahoos, we conduct business honestly and fairly, and we don’t provide or offer anything of value to anyone in exchange for a favorable decision or to secure favorable treatment. Remember, you could be subject to criminal and civil penalties (including fines and imprisonment) for violating anticorruption laws. Also, remember that Yahoo can be held responsible for the conduct of our agents, contractors, and anyone else who is working on our behalf. Before hiring any third parties, make sure they are adequately screened for a prior history of – or a propensity to engage in – any corrupt activities. Once hired, make sure they comply with the law and with Yahoo’s anticorruption policies while engaged in activities on our behalf.
Anticorruption laws, such as the U.S.
Foreign Corrupt Practices Act (FCPA), prohibit the offering or payment of anything of value (including, but not limited to, money, stock, services, products, travel expenses, employment of related persons, and entertainment) to a foreign government official, political party, party official, or a candidate for political office in order to influence official acts, obtain or retain business, or secure any improper advantage. The FCPA also prohibits creating inaccurate or false books and records, and requires companies to have adequate controls regarding accounting and corporate assets. Before making any kind of payment or offering anything of value to a government official or official of any company or entity that may be directly or indirectly owned by the government, for any reason, you must consult with the ECO and obtain approval in advance, in writing.
KNOW THE CODE
• Comply with anticorruption laws and consult with the ECO or the Legal Department if you ever have questions or concerns.
• If you have any knowledge or suspicion of corrupt activity or have been asked to make an improper payment, report it immediately to the ECO or the Legal Department.
• If you are responsible for hiring or managing partners, agents, or other third parties to act on Yahoo’s behalf, exercise due diligence to ensure they:
– Have no history of or propensity for engaging in corrupt activities
– Are conducting Yahoo business in accordance with our anticorruption policies
For further guidance on anticorruption laws consult Anticorruption on Backyard.

Q&A
Q: In a conversation with a competitor, you agree that you will not engage in a price war. Is that okay?
A: No. Any agreement between competitors that directly relates to the prices they charge violates antitrust law, regardless of whether prices or price levels are part of the agreement.
Q: I’m working on a large joint venture which will probably be publicly announced in two weeks. Can I buy stock in our joint venture partner?
A: No. You must never trade in Yahoo securities or the securities of any other company, including Yahoo business partners when you possess material, nonpublic information. If you have any questions about whether you may trade, consult the Insider Trading Policy or contact the Legal Department.
Q: In working with one of Yahoo’s joint venture partners, the partner offers you a bonus for going “above and beyond.” Can you accept the bonus?
A: No. In situations like this, only Yahoo should provide incentives to employees if the company feels they are due. Incentives to Yahoo employees or contractors could create the perception of a conflict of interest and should not be provided by or accepted from third parties, even if they are close partners.
Q: An opportunity arises for Yahoo to do business in another country, but a local official expects special fees and other compensation for the business. What do I do?
A: Certain payments, even if normal under local custom, could violate the U.S. FCPA. Before making any kind of payment or offering anything of value to a government official, for any reason, you must consult with the ECO and obtain approval in advance, in writing.

Our Community
We strive to make our communities better places to live and work, everywhere we do business.

User Privacy
Many of Yahoo’s features and services require that we collect, process, and store personal information about our users. They trust us to protect their information and use and maintain it according to our published policies.
Our Privacy Policy gives our users notice of what we collect, how it will be used, and with whom we will share it. It gives them choices about how we use their information and the opportunity to opt out of certain uses of their data, such as for commercial communications. It also gives them the ability to update and correct some of their registration information. Finally, it provides them with assurances that we take measures to protect the security of their personal information.
KNOW THE CODE
• Respect our users’ privacy and handle user data according to our Privacy Policy.
• Don’t share Yahoo user information with parties outside of Yahoo unless approved by the Legal Department.
• Be aware that international properties may have additional privacy policy requirements – if you have a situation involving non-U.S. users, consult with the Legal Department.
• Personal information about Yahoo users under the age of 13 is subject to special handling requirements – if you have a situation involving users under the age of 13, again, consult with the Legal Department.
For further guidance on user privacy consult the Privacy Policy on Backyard.

Protecting the Environment
Yahoo has a strong commitment to corporate citizenship, and we strive to conduct business in an environmentally responsible manner. To this end, it is our policy to comply with all environmental laws and regulations. Decisions about environmentally sensitive actions, such as disposal of electronic equipment, must comply with applicable laws and environmentally responsible practices.
KNOW THE CODE
• Conduct business in an environmentally responsible manner.
• Make the proper inquiries into the background, integrity, and financial responsibility of all companies or people performing disposal or other environmentally sensitive services for Yahoo.
• Direct any actual or potential environmental, health, or safety problems, or questions about your responsibilities or Yahoo policies about environmental protection to your manager or to the Department of Real Estate & Workplace (REW).

Political Activities and Contributions
Various laws restrict us from using Yahoo funds, assets, services, or facilities on behalf of a political party or candidate. You may not engage in any political activity (such as running for public office, serving as an elected official, or campaigning for a political candidate) using company time or resources. Also, you may not make any payments of corporate funds to any political party, candidate, or campaign unless permitted under applicable law and approved in writing and in advance by the Global Public Policy Office. Of course, you may participate in political activities on an individual basis, with your own money and on your own time.
KNOW THE CODE
• Yahoo will not compensate or reimburse you, in any form, for political contributions.
• Before engaging in any activity on behalf of Yahoo that might be considered a political contribution or lobbying, obtain written approval from the Yahoo Global Public Policy Office.
• Be aware that laws of some jurisdictions require registration and reporting by anyone who engages in a lobbying activity.
Generally, lobbying includes:
– Communicating with any member or employee of a legislative branch of government for the purpose of influencing legislation
– Communicating with government officials for the purpose of influencing government action
– Engaging in research or other activities to support or prepare for these kinds of communications

Representations Regarding Yahoo’s Business, Products, Services, and Competitors
To maintain our high standards of credibility and avoid creating unintended contractual liability, all representations made by Yahoo employees and agents concerning Yahoo’s products and services must be current, accurate, complete, and not misleading. This standard is particularly important to follow when engaging in any communication made outside Yahoo, including, but not limited to, press releases, marketing materials, blogs, Internet posts, customer meetings, and sales presentations.
KNOW THE CODE
• Make sure any communications about our products and services are current, accurate, complete, and honest.

Human Rights
Yahoo supports the idea that our users, wherever located, should enjoy fundamental rights to free expression and that those rights are essential to human dignity. We are committed to doing our utmost to help protect those rights through thoughtful, responsible business decisions and processes, and rigorous application of the laws that protect those rights. If you become aware of government actions that you believe may conflict with our support of these fundamental rights, email the Business & Human Rights Program at HumanRights@yahoo-inc.com.
KNOW THE CODE
• Speak up if you become aware of government actions that may conflict with our fundamental right to free expression.
• If you are asked by any government official to provide information about a Yahoo user or subscriber, please contact the Legal Department (http://twiki.corp.yahoo.com/view/LegalDepartment/WebHome), Mission Control, or the ECO immediately and before taking action.

Child Protection
Yahoo’s commitment to fostering a safe online environment for users of all ages begins with our own products and services. Yahoo works to prevent people from misusing our services to harm children. We have demonstrated our commitment to child safety by focusing our efforts on four key areas:
(1) Building safer online spaces by educating users and providing user empowerment tools;
(2) Developing tools and policies for reporting child protection issues;
(3) Developing processes for detecting and deterring child pornography; and
(4) Partnering with law enforcement, child advocacy groups, and our industry peers.
In addition to our proactive efforts, in many jurisdictions we also have legal requirements to report instances of child pornography to designated government or child protection agencies.
KNOW THE CODE
• Immediately escalate any incidents involving suspected child pornography or child sexual exploitation to Customer Care and the Legal Department.

Q&A
Q: I’ve seen some activities in my office that may be creating an environmental hazard, but I don’t want to get involved. Is that okay?
A: No. Every Yahoo is responsible for taking action when aware of potential violations of our Code of Ethics. This includes reporting environmental hazards or any unsafe working conditions. If you’re located in a country that does not permit your employer to require you to report concerns, you are encouraged – but not required – to speak up. Anyone who reports a violation will be treated with dignity and respect and will not be subjected to any form of discipline or retaliation for reporting truthfully and in good faith.
Q: A friend of mine is running for political office, and I would like to help her out with her campaign. Is there a problem with this?
A: No. Your personal support is your personal business. Just make sure you do not use Yahoo assets – including Yahoo company time or the Yahoo name – to advance the campaign.
Q: What should I do if I think I see a violation of a Yahoo user’s online rights to privacy or freedom of expression?
A: Yahoo has established its Business & Human Rights Program (http://ycorpblog.com/2008/05/07/business-and-human-rights/) to address issues regarding freedom of expression and privacy around the world. If you think you see a violation of a Yahoo user’s rights to privacy or freedom of expression resulting from an action or demand by a government on Yahoo, or a Yahoo partner or vendor, send an email describing your concern to HumanRights@yahoo-inc.com. In particular, please contact this address if the issue appears to involve improper disclosure by Yahoo (or a partner or vendor) of Yahoo user data to a government, or restrictions by Yahoo (or a partner or vendor) on political or religious speech resulting from government action or demand on Yahoo (or a partner or vendor).
Q: I got assigned to fix a bug related to a user’s account, and in the course of trying to fix the problem, I came across some troubling pictures in the user’s account. The pictures were pornographic, and the people in the images looked like young teenagers. Do I need to do anything about this?
A: Yes. The images described may be illegal child pornography images. Federal law prohibits the possession, solicitation, or distribution of such child pornography images, which are defined as images of minors (under the age of 18) engaged in sexually explicit conduct or posing in a lewd and lascivious manner.
Yahoo is required by law to take action on apparent instances of child pornography on our network, so you should immediately report the Yahoo user to swat-priority@cc.yahoo-inc.com. In your email, please provide the Yahoo user ID as well as the property in which you discovered the offending images (e.g., Mail, Flickr, Groups). DO NOT attach the offending images to the email, however. If you have additional questions or concerns, you should contact the Legal Department and/or your HR Business Partner.

Our Responsibility
Our work environment encourages people to raise concerns without fear.

Seeking Guidance
Yahoo’s Code of Ethics provides an overview of Yahoo’s commitment to acting with integrity and high standards in all business practices. It does not provide definitive answers to all questions. Even in the absence of a specific company policy or law to guide you in a particular situation, you are expected to act with the highest degree of integrity applicable to the situation. If you have questions regarding any of the content discussed in this Code or if you are in doubt about the best course of action in a particular situation, please seek guidance from the ECO.
The ECO administers and oversees the Code and is dedicated to providing Yahoos the support and advice they need to act according to our ethical principles. Its staff acts as a resource, providing training materials, communications, and guidance on matters related to our Code and the integrity of our company. They are always available to listen to your concerns and suggest approaches for resolving ethical issues you may face on the job.

Reporting Violations
If you know of or suspect a violation of applicable laws or regulations, this Code of Ethics, or Yahoo’s related policies, you have an obligation to immediately report it to your manager, the Legal Department, or the ECO. Yahoo employees located in countries that prohibit requiring employees to make such reports are encouraged to report such violations but are not required to. Any Yahoo who reports a violation will be treated with dignity and respect and will not be subjected to any form of discipline or retaliation for reporting truthfully and in good faith.
Retaliation against anyone who provides information or otherwise assists in an investigation or proceeding regarding any conduct that the individual believes in good faith constitutes a violation of applicable laws or regulations, this Code of Ethics, or Yahoo’s related policies is prohibited and will, in itself, be treated as a violation of this Code of Ethics.

Tools and Resources
Yahoo has a variety of tools that allow you to seek guidance and report known or suspected violations. Use the one you are most comfortable with:

IntegrityLine
It is important that you do not attempt to investigate a known or suspected violation on your own. You may use the 24-hour IntegrityLine or the Online Ethics Reporting Tool to seek guidance anonymously or to report violations of applicable laws and regulations, this Code of Ethics, or Yahoo’s related policies.*
Phone: 1-888-47-Yahoo (1-888-479-2466)
Website: integrityline.yahoo.com
*Note: Certain countries in which Yahoo does business prohibit any requirement to speak up and many do not allow concerns to be reported anonymously – for more information about reporting procedures in the country where you work, check the ECO website on Backyard.

ECO
To ask questions or to report suspected violations, you may contact the ECO.
Phone: 408-349-3059
Email: eco@yahoo-inc.com
Website: http://backyard2.yahoo.com/eco/index.htm
Mail: Yahoo Inc.
Attention: Compliance Officer
701 First Avenue
Sunnyvale, California 94089

The Legal Department
Yahoos are encouraged to refer to the following website for contact information about the Legal Department that has jurisdiction over your office: http://twiki.corp.yahoo.com/view/LegalDepartment/WebHome.

Audit Committee
You have the right to contact the Audit Committee of the Board of Directors about concerns regarding financial impropriety within the company. The Audit Committee has procedures to receive and address such information.
Email: CorporateSecretary@yahoo-inc.com
Mail: Yahoo Board of Directors Audit Committee
c/o Corporate Secretary
701 First Avenue
Sunnyvale, California 94089

Investigations of Suspected Violations and Data Protection
All reported violations of company policy will be promptly investigated and treated confidentially to the extent reasonably possible. All Yahoos have a duty to cooperate fully with investigations and to promptly, completely, and truthfully comply with all requests for information, interviews, or documents. In the case of an investigation by people or agencies outside Yahoo, such compliance must be under the direction of the ECO or the Legal Department.
Due to certain requirements under data protection laws in Europe, Yahoo may be obligated to inform the subject of a reported violation that the report was filed, and how the subject may exercise his or her right to access and correct the information regarding the allegation. But this right to access information does not entitle the subject of the allegation to information identifying the person who reported the allegation.
You must not alter or destroy documents or records in response to an internal or external investigation or other legal request.
Yahoo records and documents are to be retained and destroyed only in accordance with Yahoo record-retention policies, and never when they are the subject of an investigation or legal request or process. When in doubt about the appropriateness of destroying a record or document, contact the Legal Department.
Collection of personal data by the ECO or its outside service providers may involve transferring data outside an employee’s country of origin. Such collection and transfer of the data will be done in compliance with Yahoo’s Privacy Policy and security policies and relevant data protection laws.

Discipline for Violations
Our Code will be enforced fairly and without prejudice at all levels. Subject to applicable law, Yahoos who violate the Code and/or other Yahoo policies and procedures may be subject to disciplinary action up to and including termination of employment and, if warranted, civil legal action or referral for criminal prosecution. In addition, subject to applicable law, disciplinary action up to and including termination of employment may be taken against anyone who directs or approves infractions or has knowledge of them and does not promptly report them in accordance with our policies.

Waivers of the Code
Yahoo will waive application of the policies set forth in this Code only where circumstances warrant granting a waiver based on the best interests of Yahoo and its stockholders. Other than board members, any waiver must be approved by the Chief Compliance Officer and by the Chief Executive Officer. Waivers of the Code for directors and executive officers may be made only by those members of the Board of Directors not involved in the possible waiver and must be promptly disclosed as required by law or regulation.

Treatment of Complaints and Retention of Records Regarding Accounting Issues
The Chief Compliance Officer, in conjunction with the company’s Vice President of Internal Audit, will forward, as appropriate, complaints and concerns regarding accounting issues to the Audit Committee of the Board of Directors. These concerns and complaints will be promptly investigated. The Chief Compliance Officer will provide periodic reports, as appropriate, to the Audit Committee regarding concerns or complaints relating to accounting issues. Yahoo will retain, in accordance with its records-retention policy and applicable law, copies of all reports, investigative reports, summaries of reports, and other documents relating to complaints and concerns regarding accounting issues.

A Message from Yahoo’s Board of Directors
Dear Fellow Yahoos,
We are proud of Yahoo’s heritage of integrity and its insistence on high ethical standards. We are committed to preserving this legacy by ensuring that the company is governed according to this Code of Ethics. We support Yahoo’s Code of Ethics and comply with the Code in our actions on Yahoo’s behalf. In addition:
• Any review and disposition of a possible conflict of interest involving a board member or executive officer will be determined by the Audit Committee. Prior to accepting any invitation to serve as a director or trustee of any outside entity, executive officers and board members must advise the ECO and the Audit Committee in writing so that they may evaluate any potential conflicts of interest.
• Any review and disposition of a possible waiver of the Code of Ethics involving a board member or an executive officer of Yahoo will be determined by those board members who are not involved in the possible waiver. Waivers will be granted only upon a written determination of the Board of Directors that the waiver is in the best interests of Yahoo and its stockholders and will be disclosed as required by applicable law.
We are proud that Yahoo has consistently maintained a strong focus on integrity throughout its history and we are committed to ensuring that it continues to do so. This focus is an integral element of our strategy to meet the challenges facing the company and make certain that we meet the high expectations of our stockholders, employees, business partners, and other stakeholders in Yahoo’s success.
The Board of Directors
09.11
701 First Avenue
Sunnyvale, California 94089

EXHIBIT E

An Important Message to Yahoo Users on Security
September 22, 2016 02:28 PM Eastern Daylight Time
SUNNYVALE, Calif.--(BUSINESS WIRE)--A recent investigation by Yahoo! Inc. (NASDAQ:YHOO) has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.
Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.
Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords.
Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.
Yahoo encourages users to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account. The company further recommends that users avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information. Additionally, Yahoo asks users to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.
Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry. Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo’s program in December 2015, independent of the recent investigation, approximately 10,000 users have received such a notice.
Additional information will be available on the Yahoo Security Issue FAQs page, https://yahoo.com/security-update, beginning at 11:30 am Pacific Daylight Time (PDT) on September 22, 2016.

About Yahoo
Yahoo is a guide to digital information discovery, focused on informing, connecting, and entertaining through its search, communications, and digital content products. By creating highly personalized experiences, Yahoo helps users discover the information that matters most to them around the world -- on mobile or desktop. Yahoo connects advertisers with target audiences through a streamlined advertising technology stack that combines the power of Yahoo's data, content, and technology. Yahoo is headquartered in Sunnyvale, California, and has offices located throughout the Americas, Asia Pacific (APAC) and the Europe, Middle East and Africa (EMEA) regions.
For more information, visit the pressroom (pressroom.yahoo.net) or the Company's blog (yahoo.tumblr.com).
Statements in this press release regarding the findings of Yahoo’s ongoing investigation involve potential risks and uncertainties. The final conclusions of the investigation may differ from the findings to date due to various factors including, but not limited to, the discovery of new or additional information and other developments that may arise during the course of the investigation. More information about potential risks and uncertainties of security breaches that could affect the Company's business and financial results is included under the caption “Risk Factors” in the Company’s Quarterly Report on Form 10-Q for the quarter ended June 30, 2016, which is on file with the SEC and available on the SEC's website at www.sec.gov.
Yahoo!, the Yahoo family of marks, and the associated logos are trademarks and/or registered trademarks of Yahoo! Inc. Other names are trademarks and/or registered trademarks of their respective owners.
Contacts
Yahoo
Suzanne Philion, +1 408-349-4040
sphilion@yahoo-inc.com

EXHIBIT F

12/21/2016 Yahoo Security Notice December 14, 2016 | Yahoo Help - SLN27925

Yahoo Security Notice December 14, 2016
Yahoo has identified data security issues concerning certain Yahoo user accounts. Yahoo has taken steps to secure user accounts and is working closely with law enforcement. Below are FAQs containing details about these issues and steps users can take to help protect their accounts.
For information about the data security issue the company disclosed on September 22, 2016, click here.

What happened?
Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data.
We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. Yahoo has not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.

We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.

Separately, our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, the outside forensic experts have identified user accounts for which they believe forged cookies were taken or used in 2015 or 2016. The company is notifying the affected account holders, and has invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016.

Was my account affected by the August 2013 incident?

We are notifying potentially affected users and posting additional information on our website. Additionally, we are taking steps to secure users’ accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.

Was my account affected by the cookie forging activity?
Based on the ongoing investigation, the outside forensic experts have identified user accounts for which they believe forged cookies were taken or used in 2015 or 2016. The company is notifying the affected account holders, and has invalidated the forged cookies.

What information was taken in the August 2013 incident?

For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.

What is a "hashed" password?

Hashing is a one-way mathematical function that converts an original string of data into a seemingly random string of characters. As such, passwords that have been hashed can’t be reversed into the original plain text password. At the time of the August 2013 incident, we used MD5 to hash passwords. We began upgrading our password protection to bcrypt in the summer of 2013. Bcrypt is a password hashing mechanism that incorporates security features, including salting and multiple rounds of computation, to provide advanced protection against password cracking.

What information was affected by the cookie forging activity?

Forged cookies could allow an intruder to access users’ accounts without a password. Based on an ongoing Yahoo investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used.
The company is notifying the affected account holders, and has invalidated the forged cookies.

What is a “cookie”?

A cookie is a small piece of information stored on a computer for the purpose of identifying a web browser during interaction on websites. Websites use cookies to remember and recognize details about visitors, such as website preferences. Click here for more information on Yahoo practices regarding cookies and similar technologies.

Are these incidents related to the data theft that Yahoo announced on September 22, 2016?

We believe that the August 2013 incident is likely distinct from the incident we disclosed on September 22, 2016. We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016. Those users targeted by the state-sponsored actor were sent an additional notification like the one found here.

I think I received one or more emails about this issue. How do I know they're really from Yahoo?

Click here to view the content of our notice to affected users. Please note that the emails from Yahoo about this issue will display the Yahoo icon when viewed through the Yahoo website or Yahoo Mail app. Importantly, the emails do not ask you to click on any links or contain attachments and does not request your personal information. If an email you received about these issues prompts you to click on any links, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information. Avoid clicking on links or downloading attachments from such suspicious emails.

What is Yahoo doing to protect my account?
We have taken action to protect our users, including:

We are requiring potentially affected users to change their passwords.
We invalidated unencrypted security questions and answers so that they cannot be used to access an account.
We invalidated the forged cookies and hardened our systems to secure them against similar attacks.
We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.

How do I change my password or disable security questions and answers?

You can change your Yahoo password or security questions and answers by clicking here. We are requiring potentially affected users to change their passwords, and we have invalidated unencrypted security questions and answers so that they cannot be used to access an account.

Is there anything I can do to protect myself?

We encourage all of our users to follow these security recommendations:

Change your password and security questions and answers for any other accounts on which you use the same or similar information used for your Yahoo Account.
Review all of your accounts for suspicious activity.
Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
Avoid clicking on links or downloading attachments from suspicious emails.

Additionally, please consider using Yahoo’s Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

What additional steps can I take to protect my information?

Although the affected account information did not include passwords in clear text, payment card data, or bank account information, we encourage you to remain vigilant by reviewing your account statements and monitoring your credit reports.
Below is contact information for the three nationwide consumer reporting agencies from which you can obtain a credit report.

Equifax
Equifax Credit Information Services, Inc.
P.O. Box 740241
Atlanta, GA 30374
1-800-525-6285
www.equifax.com

Experian
Experian Inc.
P.O. Box 9554
Allen, TX 75013
1-888-397-3742
www.experian.com

TransUnion
TransUnion LLC
P.O. Box 2000
Chester, PA 19022-2000
1-800-680-7289
www.transunion.com

To protect yourself from possible identity theft, consider placing a fraud alert on your credit file.

You also may wish to place a “security freeze” (also known as a “credit freeze”) on your credit file. A security freeze is designed to prevent potential creditors from accessing your credit file at the consumer reporting agencies without your consent. There may be fees for placing, lifting, and/or removing a security freeze, which generally range from $5-$20 per action. Unlike a fraud alert, you must place a security freeze on your credit file at each consumer reporting agency individually. For more information on security freezes, you may contact the three nationwide consumer reporting agencies or the FTC as described above. As the instructions for establishing a security freeze differ from state to state, please contact the three consumer reporting agencies to find out more information.

The consumer reporting agencies may require proper identification prior to honoring your request.
For example, you may be asked to provide:

Your full name with middle initial and generation (such as Jr., Sr., II, III)
Your Social Security number
Your date of birth
Addresses where you have lived over the past five years
A legible copy of a government-issued identification card (such as a state driver’s license or military ID card)
Proof of your current residential address (such as a current utility bill or account statement)

You have the right to obtain a police report and request a security freeze as described above. The consumer reporting agencies may charge you a fee of up to $10 to place a security freeze on your account, and may require that you provide certain personal information (such as your name, Social Security number, date of birth, and address) and proper identification (such as a copy of a government-issued ID card and a bill or statement) prior to honoring your request for a security freeze. There is no charge, however, to place, lift or remove a security freeze if you have been a victim of identity theft and you provide the consumer reporting agencies with a valid police report.

For U.S. residents, you can contact the FTC to learn more about protecting your personal information. The contact information for the FTC is below:

Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
1-877-IDTHEFT (438-4338)
www.ftc.gov/idtheft/

For Rhode Island residents, you may obtain information about protecting your personal information from the Rhode Island Office of the Attorney General at:

Rhode Island Office of the Attorney General
Consumer Protection Unit
150 South Main Street
Providence, RI 02903
(401)-274-4400

Are Tumblr accounts affected?

No.
The systems from which the data was stolen in August 2013 contained no Tumblr user data at the time of the theft. Additionally, Yahoo has no indication that the forged cookies were used to access Tumblr accounts.

How can I get help with my account?

If you need further information or assistance with your account, please visit https://help.yahoo.com, where you will find the latest information and may be able to access direct customer support. DO NOT ENGAGE with any support service other than those provided by Yahoo, particularly support service providers that charge a fee for their service. Yahoo does not charge for support service for its accounts. Please note that Yahoo channels all support through https://help.yahoo.com.
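
The notice's "hashed password" FAQ contrasts unsalted MD5 with bcrypt's salting and multiple rounds of computation. The following is an added example, not part of the filing or of Yahoo's code: it shows that unsalted MD5 gives identical records for identical passwords, and one way a legacy record can be replaced with a salted, iterated one at the next successful login. PBKDF2 from the Python standard library stands in for bcrypt, and the record format, function names, sample accounts and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def md5_record(password):
    """Legacy record: unsalted MD5, so equal passwords give equal records."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def kdf_record(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated record (PBKDF2-HMAC-SHA256 standing in for bcrypt)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify(password, record):
    """Check a password against either record format, comparing in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(md5_record(password), record)
    if scheme == "pbkdf2":
        iterations, salt_hex, _ = rest.split("$")
        candidate = kdf_record(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, record)
    return False


def login(store, user, password):
    """Verify, then replace a legacy MD5 record while the password is in hand."""
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if record.startswith("md5$"):
        store[user] = kdf_record(password)  # per-user random salt
    return True


def sample_store():
    """Constructed sample data: two accounts that share one password."""
    return {"alice": md5_record("correct horse"), "bob": md5_record("correct horse")}
```

Accounts that never log in again keep their MD5 record under this scheme, which is why a forced password change, as the notice describes, is the complementary step.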
