Johnson v. Yahoo! Inc.
Filing
1
COMPLAINT against All Defendants ( Filing fee $ 400, receipt number 0971-11027805.). Filed byJohn Johnson. (Attachments: # 1 Civil Cover Sheet, # 2 Certificate of Interested Entities or Parties)(Cotchett, Joseph) (Filed on 12/22/2016)
1
2
3
4
5
6
7
JOSEPH W. COTCHETT (SBN 36324)
(jcotchett@cpmlegal.com)
NANCI E. NISHIMURA (SBN 152621)
(nnishimura@cpmlegal.com)
ADAM J. ZAPALA (SBN 245748)
(azapala@cpmlegal.com)
CAMILO ARTIGA-PURCELL (SBN 273229)
(cartigapurcell@cpmlegal.com)
COTCHETT, PITRE & McCARTHY, LLP
San Francisco Airport Office Center
840 Malcolm Road, Suite 200
Burlingame, CA 94010
Telephone: (650) 697-6000
Facsimile: (650) 697-0577
8
Attorneys for Plaintiffs
9
IN THE UNITED STATES DISTRICT COURT
10
FOR THE NORTHERN DISTRICT OF CALIFORNIA
11
SAN JOSE DIVISION
12
13
14
15
JOHN JOHNSON, Individually and on
behalf of all others similarly situated,
Case No.
CLASS ACTION COMPLAINT FOR:
Plaintiffs,
1.
NEGLIGENCE;
2.
NEGLIGENT
MISREPRESENTATION;
3.
BREACH OF EXPRESS OR
IMPLIED CONTRACT;
4.
VIOLATION OF CALIFORNIA
CIVIL CODE § 1798.80, et seq.;
5.
VIOLATION OF CALIFORNIA’S
UNFAIR COMPETITION LAW;
24
6.
BAILMENT; and
25
7.
UNJUST ENRICHMENT.
16
v.
17
18
19
YAHOO! INC.,
Defendant.
20
21
22
23
26
DEMAND FOR JURY TRIAL
27
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
______________________________________________________________________________
COMPLAINT
1
TABLE OF CONTENTS
Page
2
3
INTRODUCTION..............................................................................................................1
II.
JURISDICTION AND VENUE ........................................................................................4
III.
4
I.
INTRADISTRICT ASSIGNMENT .................................................................................5
IV.
PARTIES ............................................................................................................................5
V.
FACTUAL BACKGROUND ............................................................................................5
5
6
7
8
A.
YAHOO PURPORTS TO TAKE CYBERSECURITY SERIOUSLY IN ORDER TO GAIN
USERS’ TRUST .........................................................................................................5
B.
YAHOO ENGAGES IN A COURSE AND CONDUCT OF SUB-PAR CYBERSECURITY
INFRASTRUCTURE AND LAX INVESTIGATIVE REMEDIAL ACTION ........................7
C.
YAHOO DISCLOSES A DATA BREACH AFFECTING OVER ONE BILLION USER
ACCOUNTS MORE THAN THREE YEARS AFTER THE HACK ...................................8
D.
9
YAHOO INTENTIONALLY DELAYS DISCLOSING THE 2013 HACK IN ORDER TO
PUSH THROUGH VERIZON’S ACQUISITION OF YAHOO’S CORE BUSINESS..........13
10
11
12
13
14
15
16
17
VI.
CLASS ACTION ALLEGATIONS ...............................................................................14
COUNT ONE
NEGLIGENCE .....................................................................................................................15
18
19
20
21
22
23
24
25
26
27
COUNT TWO
NEGLIGENT MISREPRESENTATION ...................................................................................17
COUNT THREE ..............................................................................................................18
BREACH OF EXPRESS OR IMPLIED CONTRACT.................................................................18
COUNT FOUR
VIOLATION OF CALIFORNIA CIVIL CODE § 1798.80, ET SEQ. ..........................................19
COUNT FIVE
VIOLATION OF CALIFORNIA BUSINESS AND PROFESSIONS CODE
§ 17200, ET SEQ. .................................................................................................................20
COUNT SIX
BAILMENT ..........................................................................................................................21
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
_______________________________________________________________________
COMPLAINT
i
1
COUNT SEVEN
UNJUST ENRICHMENT .......................................................................................................22
2
3
VII.
PRAYER FOR RELIEF..................................................................................................23
4
JURY DEMAND ..........................................................................................................................24
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
_______________________________________________________________________
COMPLAINT
ii
1
2
I.
INTRODUCTION
1.
This class action arises from the largest known data breach in human history.
3
Preying on the lax online security barriers of Defendant Yahoo! Inc. (“Yahoo”), hackers stole
4
personal information associated with more than one billion Yahoo user accounts, including the
5
Yahoo user account of Plaintiff John Johnson (“Plaintiff”).
6
2.
Plaintiff brings this action individually and on behalf of a Class of individuals
7
whose personal information was stolen due to Yahoo’s failure to create and implement the
8
proper security mechanisms to safeguard its customers’ personal information.
9
3.
On December 14, 2016, in a filing with the Securities and Exchange
10
Commission, Yahoo disclosed for the first time that hackers had breached its past and current
11
users’ personal information:
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
1
1
2
3
4
5
6
7
8
9
10
(A complete copy of Yahoo’s December 14, 2016 Securities and Exchange Commission, Form
8-K filing is attached hereto as Exhibit A.)
11
4.
Yahoo waited over three years from the August 2013 hack to advise affected
12
users numbering more than one billion that their private, personal information had been
13
compromised. Yahoo knew about the August 2013 hack months, if not years, before its
14
December 14, 2016 public disclosure but intentionally concealed the data breach, hoping to first
15
consummate the $4.8 billion sale of Yahoo’s core business to Verizon.
16
5.
The hackers obtained the personal information of more than one billion user
17
accounts, including names, email addresses, telephone numbers, dates of birth, hashed
18
passwords1 and, in some cases, encrypted or unencrypted security questions and answers.
19
20
6.
From 2013-2016, in addition to Yahoo, several large companies and government
agencies faced significant cyber threats:
21
•
2013: Facebook (6 million users had e-mail addresses or telephone numbers
22
shared with others due to a software bug); Target Corporation (110 million
23
customer payment cards were compromised); Adobe (2.9 million customers had
24
25
26
27
28
1
Hashing is a one-way mathematical function that converts an original string of data into a
seemingly random string of characters. As such, passwords that have been hashed cannot be
reversed into the original plain text password. At the time of the August 2013 Hack, Yahoo used
MD5 to hash passwords. Yahoo began upgrading its password protection to “bcrypt” in the
summer of 2013. “Bcrypt” is a password hashing mechanism that incorporates security features,
including salting and multiple rounds of computation, to provide additional protection against
password cracking.
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
2
1
their user IDs, passwords and credit card information exposed); JP Morgan Chase
2
& Co. (almost half a million corporate and government clients who held prepaid
3
cash cards were compromised); Maricopa County Community College District
4
(2.5 million records on individuals were exposed); Schnucks (2.4 million
5
customer payment cards were exposed); and CorporateCarOnline (more than
6
850,000 customers had their personal and financial information exposed).
7
•
2014: Target Corporation (40 million individuals’ information stolen); Neiman
8
Marcus (350,000 customers were hacked); Sally Beauty (over 280,000 debit and
9
credit cards were stolen and sold); Michaels (2.6 million cards were exposed);
10
Community Health Services (4.5 million patients had their information stolen);
11
UPS (1% of their customers were exposed); Dairy Queen (nearly 600,000 debit
12
and credit cards were exposed); Home Depot (56 million credit and debit cards
13
were affected by the data breach); JP Morgan Chase (76 million households and 7
14
million small businesses were hacked); Staples (1.16 million customers had their
15
credit and debit cards compromised); and Sony (47,000 social security numbers
16
were exposed).
17
•
2015: Ashley Madison (37 million customer accounts were compromised); Office
18
of Personal Management (22 million current and former federal employees had
19
their personnel records exposed); Anthem (more than 80 million people had their
20
personal information exposed); Premera (11 million customers had their names,
21
dates of birth, addresses, telephone numbers, email addresses, social security
22
numbers, member identification numbers, medical claims information, and
23
financial information exposed); the IRS (tax records for 330,000 taxpayers was
24
compromised); and mSpy (400,000 users had their customer screenshots,
25
geolocation data, chat logs, and location records exposed).
26
•
2016: U.S. Department of Justice (30,000 employees had their data breached);
27
IRS (over 100,000 American taxpayers had their personal information
28
compromised); UC Berkeley (more than 80,000 students, alumni, employees, and
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
3
1
school officials were compromised); Snapchat (700 current and former employees
2
had their personal information stolen); 21st Century Oncology (2.2 million
3
patients had their personal information stolen); Premier Healthcare (more than
4
200,000 patients had their data compromised); Verizon Enterprise Solutions
5
(about 1.5 million customers were hit by hackers); LinkedIn (117 million email
6
and password combinations were stolen in 2012 which came into the public in
7
2016); Newkirk Products (3.3 million people had their data breached); and Oracle
8
(330,000 cash registers around the world were breached).
9
7.
Despite the panoply of cyber-attacks and industry-wide warnings, including
10
specific warnings from U.S. Senator Mark Warner directly to Yahoo, that Yahoo must take
11
active steps to improve its cyber security and data breach detection protocol, Yahoo failed on
12
multiple fronts to properly secure the personal information of its users. Yahoo failed to create
13
and implement proper security protocols to prevent and detect unauthorized breaches of its
14
information security systems. Likewise, Yahoo failed to implement standard internet technology
15
safeguards, amongst other failures. According to computer security expert Brian Krebs:
16
19
For years I have been urging friends and family to migrate off of Yahoo email,
mainly because the company appeared to fall far behind its peers in blocking
spam and other email-based attacks. But also because of pseudo-security
features (like secret questions) that tend to end up weakening the security of
accounts. I stand by that recommendation. (See https://krebsonsecurity.com/2016
/12/yahoo-one-billion-more-accounts-hacked/ (accessed December 20, 2016).)
20
8.
17
18
As a direct result of Yahoo’s subpar cybersecurity, Plaintiff, individually and on
21
behalf of the Class, has been damaged. This class action lawsuit follows.
22
II.
23
JURISDICTION AND VENUE
9.
This Court has jurisdiction under 28 U.S.C. § 1332(d) because: (a) this matter was
24
brought as a class action under Fed. R. Civ. P. 23; (b) the class (as defined below) has more than
25
100 members; (c) the amount at issue exceeds $5,000,000, exclusive of interest and costs; and
26
(d) at least one proposed Class member is a citizen of a state different from Yahoo.
27
28
10.
This Court has personal jurisdiction over Yahoo because Yahoo transacts
substantial business in this judicial district.
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
4
1
11.
Venue is proper in this Court under 28 U.S.C. § 1391 because, inter alia, Yahoo
2
regularly conducts substantial business in this district and is therefore subject to personal
3
jurisdiction, and because a substantial part of the events giving rise to the Complaint arose in this
4
district.
5
III.
6
INTRADISTRICT ASSIGNMENT
12.
Assignment to the San Jose Division is appropriate under Local Civil Rule 3-2
7
because the actions that gave rise to the claims in this Complaint arose, in large part, in Santa
8
Clara County.
9
IV.
10
PARTIES
13.
Plaintiff John Johnson is a natural person and a resident and citizen of Oakland,
11
California. Mr. Johnson is one of the approximately one billion Yahoo users worldwide whose
12
personal information was compromised because Yahoo did not take reasonable steps to secure
13
such information.
14
14.
Defendant Yahoo is a Delaware incorporated company headquartered at 701 First
15
Ave., Sunnyvale, CA 94089. Yahoo is a global internet media company that offers
16
communications, content, and a community platform that delivers consumer experiences and
17
advertising solutions across digital screens. Some of the services offered by Yahoo include,
18
Yahoo! Directory, Yahoo! Mail, Yahoo! News, Yahoo! Finance, Yahoo! Groups, and Yahoo!
19
Answers. Yahoo was founded by Jerry Yang and David Filo in January 1994 and was
20
incorporated on March 2, 1995. Yahoo was one of the pioneers of the early internet era in the
21
1990s. As of the filing of this Complaint, Marissa Mayer is the CEO and President of the
22
company. According to third-party web analytics providers, Alexa and SimilarWeb, as of
23
September 2016, Yahoo was the highest read news and media website, with over 7 billion views
24
per month, being the fifth most visited website globally.
25
V.
26
FACTUAL BACKGROUND
A.
YAHOO PURPORTS TO TAKE CYBERSECURITY SERIOUSLY IN ORDER TO GAIN
USERS’ TRUST
15.
According to Yahoo’s Privacy Policy, it “is committed to gaining [users’] trust.”
27
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
5
1
Yahoo purports to take users’ privacy “seriously,” including “personal information that Yahoo
2
collects and receives.” (See Exhibit B.) Personal information is information about users that is
3
personally identifiable like users’ name, address, email address, or phone number, and that is not
4
otherwise publicly available.
5
16.
Yahoo promises not to “share personal information” about users with other people
6
or non-affiliated companies except to provide products or services. To that end, Yahoo promises
7
to limit access to personal information about users to Yahoo employees who Yahoo believes
8
reasonably need to come into contact with that information to provide products or services to
9
users or to do their jobs.
10
17.
Yahoo claims to “have physical, electronic, and procedural safeguards” that
11
comply with federal regulations to protect personal information about users. These security
12
measures are as follows:
13
• Transport Layer Security (TLS): Yahoo uses TLS encryption when
14
transmitting certain kinds of information, such as financial services information
15
or payment information. An icon resembling a padlock is displayed in most
16
browsers during TLS sessions.
17
• Second Sign-in Verification: Users may turn on a setting that requires a second
18
piece of information such as a code sent via SMS – in addition to the user’s
19
password – when signing in to the user’s account from a device or location
20
Yahoo does not recognize.
21
• On-Demand Passwords: Yahoo offers on-demand passwords. By linking the
22
user’s mobile device to their Yahoo account, the user enables Yahoo to provide
23
the user with an on-demand password sent to the user’s mobile phone.
24
• Secure Storage: Yahoo deploys industry standard physical, technical, and
25
procedural safeguards that comply with relevant regulations to users’ personal
26
information.
27
• Vendors and Partners: To protect the security and privacy of users’ information,
28
Yahoo may provide information to partners and vendors who work on Yahoo’s
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
6
1
behalf or with Yahoo under confidentiality agreements. These companies do not
2
have any independent right to use or share this information without user consent.
3
• Access to Information: Yahoo limits access to personal information about users
4
to those employees who Yahoo reasonably believes need to come into contact
5
with that information to provide products or services to users or in order to
6
process this information for Yahoo.
7
• Education and Training: Yahoo has implemented a company-wide education
8
and training program about security that is required of every Yahoo employee.
9
(See Exhibit C.)
10
18.
In addition to its Privacy Policy, Yahoo’s Code of Ethics acknowledges that users,
11
including Plaintiff and the Class, “trust us to protect their information and use and maintain it
12
according to our published policies.” (See Exhibit D, p. 34.) Yahoo further acknowledges that
13
its Privacy Policy provides users with assurances that we take measures to protect the security of
14
their personal information.” (Id.)
15
19.
Notwithstanding Yahoo’s lip service to cybersecurity, Yahoo has demonstrated a
16
pattern and practice of sub-par cybersecurity measures and a reticence to taking appropriate
17
investigative and remedial action when breaches are brought to its attention.
18
B.
YAHOO ENGAGES IN A COURSE AND CONDUCT OF SUB-PAR CYBERSECURITY
INFRASTRUCTURE AND LAX INVESTIGATIVE REMEDIAL ACTION
20.
In July 2016, account names and passwords for about 200 million Yahoo user
19
20
21
22
23
24
25
26
27
28
accounts were presented for sale on the dark-net market site, “TheRealDeal.” The seller, known
as “Peace_of_Mind” or simply “Peace,” stated in a confidential interviews with Wired, that he
had possessed the stolen database for an extended period of time and had been selling it privately
since about late 2015. Peace had previously been connected to sales of similar private
information data from other hacks including that from the 2012 LinkedIn hack. Peace stated the
data likely dates back to 2012, and security experts believed it may have been part of other data
hacks at that time. Yahoo stated that it was aware of the data and was evaluating it, cautioning
users about the situation. However, Yahoo did not reset account passwords at that time.
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
7
1
2
21.
On September 22, 2016, Yahoo issued a press release disclosing a hack of 500
million user accounts, which occurred in 2014 (the “2014 Hack”):
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
(A true and correct copy of Yahoo’s September 22, 2016 press release is attached hereto as
Exhibit E.)
C.
YAHOO DISCLOSES A DATA BREACH AFFECTING OVER ONE BILLION USER
ACCOUNTS MORE THAN THREE YEARS AFTER THE HACK
22.
In August 2013, hackers breached the email system of Yahoo, absconding with
23
the records of more than one billion users, including names, birth dates, phone numbers, and
24
passwords that were encrypted with an easily broken form of security (the “2013 Hack”).
25
According to Yahoo, the 2013 Hack is entirely distinct from the 2014 Hack. In the 2013 Hack,
26
the hackers also obtained the security questions and backup email addresses used to reset lost
27
passwords. For the next three years, the 2013 Hack – which is the largest data breach in history
28
– supposedly went uncovered.
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
8
1
23.
In August 2016, Andrew Komarov, chief intelligence officer at InfoArmor,
2
discovered the 2013 Hack. InfoArmor is an Arizona cybersecurity firm that delivers identity,
3
financial, and privacy protection, as well as threat intelligence and investigative services to help
4
businesses fight evolving online threats. As the chief intelligence officer for InfoArmor,
5
Komarov’s job is to prowl the internet’s darkest corners, infiltrate cybercrime rings, and help law
6
enforcement and InfoArmor’s clients track down stolen data.
7
24.
For the last three years, Komarov had been monitoring an Eastern European
8
hacker group when he saw them offering up a huge database for sale: the user accounts from the
9
2013 Hack. The group Komarov had been surveilling, which he calls Group E, was keeping the
10
11
sale off of public cybercrime forums.
25.
Group E claimed to have possession of a database of logins for up to one billion
12
Yahoo accounts for sale for $300,000. Komarov watched Group E sell the database three times,
13
and he was able to intercept the database during the sales. Two buyers were large spamming
14
groups that are on the list for Spamhaus Register of Known Spam Operations, or ROKSO. The
15
other buyer had an unusual request before completing the purchase. This third buyer gave the
16
sellers a list of ten names of U.S. and foreign government officials and business executives, to
17
verify their logins were part of the database. That led Komarov to speculate the buyer was a
18
foreign intelligence agency.
19
26.
Having intercepted potential sales of the database from the 2013 Hack, InfoArmor
20
approached Yahoo through an intermediary to work together to investigate and resolve this
21
massive theft. According to Komarov, instead of leaping into action, Yahoo was dismissive of
22
the intermediary. It appeared that Yahoo was not interested in investigating the 2013 Hack
23
until its sale to Verizon was complete. As a result, InfoArmor did not go to Yahoo directly, and
24
instead notified military and law enforcement authorities in the United States, Australia, Canada,
25
Britain and the European Union about the breach. After those parties verified the authenticity of
26
the stolen records, some of them went to Yahoo directly with their concerns.
27
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
9
1
27.
On December 14, 2016, months after rebuking InfoArmor’s alert about the 2013
2
Hack and only after federal authorities again brought the 2013 Hack to Yahoo’s attention, Yahoo
3
finally announced that it had been hacked. The following notice, which is representative of the
4
notice sent to each member of the Class, was sent electronically to Plaintiff:
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
10
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
11
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
12
1
28.
In addition to the foregoing, on the Yahoo website, Yahoo finally provided
2
additional details about the 2013 Hack, including remedial steps affected users could take to
3
lessen their damages. (See Exhibit F.) Yahoo clarified that the 2013 Hack was distinct from the
4
2014 Hack. (Id.) However, as of the filing of this class action Complaint, Yahoo still does not
5
know who broke into its systems in 2013, how they got in, or what they did with the data.
6
D.
YAHOO INTENTIONALLY DELAYS DISCLOSING THE 2013 HACK IN ORDER TO
PUSH THROUGH VERIZON’S ACQUISITION OF YAHOO’S CORE BUSINESS
29.
Despite knowing about the 2013 Hack months before December 14, 2016, Yahoo
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
was not interested in investigating the 2013 Hack until its sale to Verizon was complete. Equally
troubling is the fact that, whereas the Hack occurred in August 2013, Yahoo took no independent
measures to discover the hack, and only supposedly learned about it through InfoArmor and
government authorities. In fact, powerful circumstantial evidence indicates Yahoo knew about
the 2013 Hack years before it disclosed the data breach on December 14, 2016. (See, e.g.,
http://www.mercurynews.com/2016/12/14/yahoo-hit-with-new-data-breach-of-a-billion-useraccounts/ (accessed on December 21, 2016).)
30.
Senator Mark Warner of Virginia stated: “This most recent revelation warrants a
separate follow-up and I plan to press the company on why its cyber defenses have been so weak
as to have compromised over a billion users.” (See http://fortune.com/2016/12/15/yahoo-hacksenator/ (accessed on December 21, 2016).) Warner, who will become the top Democrat on the
Senate Intelligence Committee next year, described the hacks as “deeply troubling . . . If a breach
occurs, consumers should not be first learning of it three years later . . . Prompt notification
enables users to potentially limit the harm of a breach of this kind, particularly when it may have
exposed authentication information such as security question answers they may have used on
other sites.”
31.
Commenting on the 2013 Hack, InfoArmor’s Andrew Komarov said the Yahoo
data breach is different than other hacks: “The Yahoo hack makes cyber espionage extremely
efficient . . . Personal information and contacts, e-mail messages, objects of interest, calendars
and travel plans are key elements for intelligence-gathering in the right hands. The difference of
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
13
1
the Yahoo hack between any other hack is in that it may really destroy your privacy, and
2
potentially have already destroyed it several years ago without your knowledge.” (See
3
https://www.bloomberg.com/news/articles/2016-12-15/stolen-yahoo-data-includes-government-
4
employee-information (accessed on December 21, 2016).)
5
VI.
6
CLASS ACTION ALLEGATIONS
32.
Pursuant to Federal Rules of Civil Procedure 23(a), (b)(2) and (b)(3), Plaintiff
7
brings this action individually and on behalf of a class defined as follows: All persons whose
8
personal information may have been compromised by the 2013 Hack disclosed by Yahoo on
9
December 14, 2016.
10
36.
Plaintiff is a members of the proposed Class he seeks to represent.
11
37.
This action is brought and may properly be maintained as a class action pursuant
12
to 28 U.S.C. § 1332(d). This action satisfies the procedural requirements set forth in FED. R.
13
CIV. P. 23.
14
38.
15
16
17
18
19
20
21
22
Plaintiff’s claims are typical of the claims of the Class Members. Plaintiff and all
Class Members were damaged by the same wrongful practices of Defendant.
39.
Plaintiff will fairly and adequately protect and represent the interests of the Class.
The interests of Plaintiff are coincident with, and not antagonistic to, those of the Class.
40.
Plaintiff has retained counsel competent and experienced in complex class action
litigation.
41.
Members of the Class are so numerous that joinder is impracticable. Plaintiff
believes that there is in excess of one billion Class Members.
42.
Questions of law and fact common to the members of the Class predominate over
23
questions that may affect only individual Class Members, because Defendant has acted on
24
grounds generally applicable to the entire Class. Thus, determining damages with respect to the
25
Class as a whole is appropriate.
26
27
43.
There are substantial questions of law and fact common to the Class. The
questions include, but are not limited to, the following:
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
14
1
a.
2
3
to secure and safeguard its users’ personal information;
b.
4
5
Whether Defendant failed to employ reasonable and industry-standard measures
Whether Defendant properly implemented and maintained security measures to
protect its users’ personal information;
c.
Whether Defendant’s cybersecurity failures resulted in harm to the personal
6
information of Defendant’s users being accessed and disseminated by criminals or
7
third parties who sought to gain financially from its improper use;
8
d.
9
10
personal information of its users;
e.
11
12
Whether Plaintiff and other members of the Class are entitled to injunctive relief;
and
f.
13
14
Whether Defendant was negligent in failing to properly secure and protect the
Whether Plaintiff and other members of the Class are entitled to damages and the
measure of such damages.
33.
Class action treatment is a superior method for the fair and efficient adjudication
15
of the controversy. Such treatment will permit a large number of similarly situated individuals to
16
prosecute their common claims in a single forum simultaneously, efficiently, and without the
17
unnecessary duplication of evidence, effort, or expense that numerous individual actions would
18
engender. Plaintiff knows of no special difficulty maintaining this action that would preclude its
19
maintenance as a class action
20
COUNT ONE
21
Negligence
22
(Plaintiff individually and All Class Members)
23
24
25
34.
Plaintiff incorporates by reference each of the preceding paragraphs as if fully set
forth herein.
35.
Yahoo had an affirmative duty to exercise reasonable care in safeguarding and
26
protecting the personal information of its users. By maintaining their personal information in a
27
database that was accessible through the Internet, Yahoo owed Plaintiff and Class Members a
28
duty of care to employ reasonable Internet security measures to protect this information.
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
15
1
36.
Yahoo, with reckless disregard for the safety and security of users’ personal
2
information it was entrusted with, breached the duty of care owed to Plaintiff and the Class by
3
failing to implement reasonable security measures to protect its users’ sensitive personal
4
information. In failing to employ these basic and well-known Internet security measures, Yahoo
5
departed from the reasonable standard of care and violated its duty to protect the personal
6
information of Plaintiff and all Class Members. Yahoo further breached its duty of care by
7
allowing the breach to continue undetected and unimpeded for over three years after the hackers
8
first gained access to Defendant’s systems.
9
37.
The unauthorized access to the personal information of Plaintiff and all Class
10
Members was reasonably foreseeable to Yahoo, particularly considering that the method of
11
access is widely known in the computer and data security industry, and that it has long been
12
standard practice in the Internet technology sector to encrypt personal information, including
13
critical login credentials.
14
38.
Neither Plaintiff nor other Class Members contributed to the security breach or
15
Yahoo’s employment of insufficient and below-industry security measures to safeguard personal
16
information.
17
39.
It was foreseeable that Yahoo’s failure to exercise reasonable care in protecting
18
personal information of its users would result in Plaintiff and the other Class Members suffering
19
damages related to the loss of their personal information.
20
40.
As a direct and proximate result of Yahoo’s reckless conduct, Plaintiff and Class
21
Members were damaged. Plaintiff and Class members suffered injury through the public
22
disclosure of their personal information, the unauthorized access to Internet accounts containing
23
additional personal information, and through the heightened risk of unauthorized persons stealing
24
additional personal information. Plaintiff and Class Members have also incurred the cost of
25
taking measures to identify and safeguard accounts put at risk by disclosure of the personal
26
information stolen from Yahoo.
27
WHEREFORE, Plaintiff and the Class pray for relief as set forth below.
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
16
1
COUNT TWO
2
NEGLIGENT MISREPRESENTATION
3
(Plaintiff individually and All Class Members)
4
5
6
41.
Plaintiff incorporates by reference each of the preceding paragraphs as if fully set
forth herein.
42.
Yahoo represented to Plaintiff and the other Class Members that it would
7
safeguard and protect the personal information of its users from harm. Indeed, Defendant
8
represented to Plaintiff and the other Class Members that Yahoo “is committed to gaining
9
[users’] trust” and take users’ privacy “seriously,” including “personal information that Yahoo
10
collects and receives.” (See Exhibit B.) Yahoo promised not to “share personal information”
11
about users with other people or non-affiliated companies except to provide products or services.
12
To that end, Yahoo promised to limit access to personal information about users to Yahoo
13
employees who Yahoo believed reasonably needed to come into contact with that information to
14
provide products or services to users or to do their jobs. Yahoo promised to deploy industry
15
standard physical, technical, and procedural safeguards that comply with relevant regulations
16
to protect and safeguard the personal information of its users.
17
18
19
20
21
22
23
24
25
43.
Yahoo’s promises to safeguard and protect the personal information of its users
were material facts upon which Plaintiff and other Class Members relied.
44.
Yahoo was not properly safeguarding user data at the time of the subject breach,
despite using the same user data to enhance Yahoo’s revenues.
45.
Plaintiff and the other Class Members reasonably relied on the representations by
Yahoo that it would safeguard user data.
46.
Plaintiff and the other Class Members suffered actual damages as a result of
Yahoo’s negligent misrepresentations.
WHEREFORE, Plaintiff and the Class pray for relief as set forth below.
26
27
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
17
1
COUNT THREE
2
BREACH OF EXPRESS OR IMPLIED CONTRACT
3
(Plaintiff individually and All Class Members)
4
5
6
7
8
9
47.
Plaintiff incorporates by reference each of the preceding paragraphs as if fully set
forth herein.
48.
Plaintiff and the other Class Members provided their non-public, financial and
personal information to Yahoo in exchange for, and in order to receive, Yahoo’s services.
49.
Plaintiff and the other Class Members allowed their financial and personal
information to be used as described in Yahoo’s Privacy Policy and Code of Ethics, with the
10
understanding that Yahoo would implement security measures to protect the non-public,
11
financial, and personal information of Plaintiff and the other Class Members.
12
50.
Yahoo expressly or impliedly agreed to safeguard, protect and maintain the non-
13
public, financial, and personal information from being accessed, taken, or misused by
14
unauthorized persons.
15
51.
Each opening of a Yahoo user account by Plaintiff and the other Class Members
16
was made pursuant to the mutually agreed upon express or implied contract with Yahoo to
17
safeguard, protect, and maintain the non-public, financial, and personal information of Plaintiff
18
and the other Class Members from being accessed, taken, or misused by unauthorized persons.
19
52.
Plaintiff and the other Class Members would not have provided their non-public,
20
personal information to Yahoo, or entrusted Yahoo with such information, absent the express or
21
implied agreement by Yahoo to safeguard, protect, and maintain the non-public, financial, and
22
personal information of Plaintiff and the other Class Members from being accessed, taken, or
23
misused by unauthorized persons.
24
25
26
53.
Plaintiff and the other Class Members fully performed their obligations under the
express or implied contracts with Yahoo.
54.
Yahoo breached its express or implied promises to safeguard, protect, and
27
maintain the non-public, financial, and personal information of Plaintiff and the other Class
28
Members from being accessed, taken, or misused by unauthorized persons.
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
18
1
2
3
55.
As a result of Yahoo’s breach of its express or implied promises, Plaintiff and the
other Class Members have been proximately harmed and injured in the ways described herein.
WHEREFORE, Plaintiff and the Class pray for relief as set forth below.
4
COUNT FOUR
5
VIOLATION OF CALIFORNIA CIVIL CODE § 1798.80, ET SEQ.
6
(Plaintiff individually and All Class Members)
7
8
9
56.
Plaintiff incorporates by reference each of the preceding paragraphs as if fully set
forth herein.
57.
California Civil Code § 1798.80 et seq. (the “Customer Records Act”) requires
10
any person conducting business in California and that owns computerized data to disclose data
11
breaches to affected users if the breach exposed unencrypted personal information.
12
13
14
15
16
17
18
58.
The Customer Records Act also requires that the notice be made in the most
expedient time possible without any unreasonable delay.
59.
Yahoo failed to notify users of the 2013 Hack in an expedient fashion because of
the pending sale of Yahoo’s core business to Verizon.
60.
The 2013 Hack qualifies as a “breach of security system” of Yahoo within the
meaning of Civil Code § 1798.82(g).
61.
Yahoo is liable to Plaintiff and the Class Members for $500.00 pursuant to Civil
19
Code § 1798.84(c), or up to $3,000.00 per class member if Yahoo’s actions are deemed willful,
20
intentional, and/or reckless.
21
22
23
62.
Yahoo is also liable for Plaintiff’s reasonable attorneys’ fees and costs pursuant to
Civil Code § 1798.84(g).
WHEREFORE, Plaintiff and the Class pray for relief as set forth below.
24
25
26
27
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
19
1
COUNT FIVE
2
VIOLATION OF CALIFORNIA BUSINESS AND PROFESSIONS CODE § 17200, ET
3
SEQ.
4
(Plaintiff individually and All Class Members)
5
6
7
8
9
63.
Plaintiff incorporates by reference each of the preceding paragraphs as if fully set
forth herein.
64.
California’s Unfair Competition Law (“UCL”) is designed to protect consumers
from illegal, fraudulent, and unfair business practices.
65.
Yahoo’s practice of representing that it adequately protected users’ financial and
10
personal information, while Yahoo in fact employed sub-par and ineffective security measures in
11
order to cut costs, is a deceptive business practice within the meaning of the UCL. In fact,
12
Yahoo continues to employ sub-par and ineffective security measures as to the non-public,
13
financial and personal information of users both to keep costs low and to facilitate closing of its
14
sale to Verizon. Thus, Yahoo continues to engage in deceptive business practices.
15
66.
Yahoo’s practice of withholding information about the 2013 Hack from its users
16
is also a deceptive business practice within the meaning of the UCL, because users reasonably
17
expect to be notified if their non-public, financial and personal information is compromised.
18
67.
Yahoo’s practices are unfair because they allowed Yahoo to profit while
19
simultaneously exposing Yahoo users, such as Plaintiff, to harm in the form of an increased risk
20
of having their personal information stolen, which in fact occurred: the 2013 Hack. Such harm
21
was not foreseeable to Yahoo’s users, who expected Yahoo to employ industry-standard security
22
measures, including cybersecurity firewalls to prevent a hack and investigative tools to timely
23
discover one, and to promptly disclose any data breach.
24
25
26
27
28
68.
Yahoo’s deceptive business practices induced Plaintiff and the Class to use
Yahoo’s services and provide personal information to Yahoo.
69.
As a direct result of Yahoo’s deceptive business practices, Plaintiff and the Class
have been and are being damaged.
WHEREFORE, Plaintiff and the Class pray for relief as set forth below.
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
20
1
COUNT SIX
2
BAILMENT
3
(Plaintiff individually and All Class Members)
4
5
6
7
8
9
10
11
12
13
70.
Plaintiff incorporates by reference each of the preceding paragraphs as if fully set
forth herein.
71.
Plaintiff and Class Members delivered their non-public, financial and personal
information to Yahoo for the exclusive purpose of creating a Yahoo account.
72.
In delivering their personal information to Yahoo, Plaintiff and Class Members
intended and understood that Yahoo would adequately safeguard their non-public, financial and
personal information.
73.
Yahoo accepted possession of the non-public, financial and personal information
of Plaintiff and Class Members for the purpose of creating a Yahoo user account.
74.
By accepting possession of their non-public, financial and personal information,
14
Yahoo understood that Plaintiff and the other Class Members expected Yahoo to adequately
15
safeguard their non-public, financial and personal information. Accordingly, a bailment was
16
established for the mutual benefit of the parties.
17
75.
During the bailment, Yahoo owed a duty to Plaintiff and Class Members to
18
exercise reasonable care, diligence and prudence in protecting their non-public, financial and
19
personal information.
20
76.
Yahoo breached its duty of care by failing to take appropriate measures to
21
safeguard and protect the non-public, financial and personal information of Plaintiff and the
22
other Class Members, resulting in the unlawful and unauthorized access to and misuse of their
23
non-public, financial and personal information: the 2013 Hack.
24
77.
Yahoo further breached its duty to safeguard the non-public, financial and
25
personal information of Plaintiff and the other Class Members by failing to timely and accurately
26
notify them that their information had been compromised as a result of the 2013 Hack.
27
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
21
1
78.
As a direct and proximate result of Yahoo’s breach of its duty, Plaintiff and Class
2
Members suffered and continue to suffer consequential damages that were reasonably
3
foreseeable to Yahoo, including, but not limited to, the damages set forth herein.
4
79.
As a direct and proximate result of Yahoo’s breach of its duty, the non-public,
5
financial and personal information of Plaintiff and the other Class Members entrusted to Yahoo
6
during the bailment was damaged and its value diminished.
7
WHEREFORE, Plaintiff and the Class pray for relief as set forth below.
8
COUNT SEVEN
9
UNJUST ENRICHMENT
10
(Plaintiff individually and All Class Members)
11
12
13
80.
Plaintiff incorporates by reference each of the preceding paragraphs as if fully set
forth herein.
81.
As a result of Yahoo’s misleading representations and omissions concerning the
14
adequacy of its data security practices, Plaintiff and Class Members were induced to use Yahoo
15
services, and to provide Yahoo with their non-public, financial and personal information.
16
82.
Yahoo derived substantial revenues due to Plaintiff and the Class Members using
17
Yahoo’s services and providing Yahoo with their non-public, financial and personal information,
18
including through the sale of advertising directed at Plaintiff and the Class Members.
19
83.
In addition, Yahoo saved on the substantial cost of providing adequate data
20
security to Plaintiff and the Class. Yahoo’s cost savings came at the direct expense of the
21
privacy and confidentiality of the non-public, financial and personal information belonging to
22
Plaintiff and the Class Members.
23
24
25
84.
Plaintiff and the Class have been damaged and continue to be damaged by
Yahoo’s actions, and Yahoo has been unjustly enriched thereby.
85.
Plaintiff and the Class are therefore entitled to damages as a result of Yahoo’s
26
unjust enrichment, including the disgorgement of all revenue received and costs saved by Yahoo
27
as a result of the 2013 Hack.
28
WHEREFORE, Plaintiff and the Class pray for relief as set forth below.
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
22
1
2
3
4
VII.
PRAYER FOR RELIEF
WHEREFORE, Plaintiff, individually and on behalf of the Class, respectfully requests
that the Court:
A. Determine that this action may be maintained as a class action pursuant to Federal
5
6
Rule of Civil Procedure 23(a), (b)(2) and (b)(3);
B. Direct that reasonable notice of this action, as provided by Federal Rule of Civil
7
Procedure 23(c)(2), be given to the Class;
8
C. Appoint Plaintiff as Class Representative;
9
D. Appoint Plaintiff’s counsel as Class Counsel;
10
E.
Enter judgment against Defendant and in favor of Plaintiff and the Class;
11
F.
Adjudge and decree that the acts alleged herein by Plaintiff and the Class against
12
Defendant constitute negligence, negligent misrepresentation, breaches of express
13
and implied contracts, violation of California Civil Code § 1798.80, et seq., violation
14
of California’s Unfair Competition Law, bailment, and unjust enrichment;
15
G. Award all compensatory and statutory damages to Plaintiff and the Class in an
16
amount to be determined at trial;
17
H. Award restitution, including the disgorgement of all revenue received and costs
18
saved by Yahoo as a result of the 2013 Hack, payable to Plaintiff and the Class;
19
I.
20
21
Award punitive damages, including treble and/or exemplary damages, in an
appropriate amount;
J.
Enter an injunction permanently barring continuation of the conduct complained of
22
herein, and mandating that Defendant and any successors in interest, e.g., Verizon,
23
be required to adopt and implement appropriate systems, controls, policies and
24
procedures to protect the non-public, financial and personal information of Plaintiff
25
and the Class;
26
K. Award Plaintiff and the Class the costs incurred in this action together with
27
reasonable attorneys’ fees and expenses, including any necessary expert fees as well
28
as pre-judgment and post-judgment interest; and
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
23
1
2
L.
Grant such other and further relief as is necessary to correct for the effects of
Defendant’s unlawful conduct and as the Court deems just and proper.
3
4
Dated: December 22, 2016
COTCHETT, PITRE & McCARTHY, LLP
5
/s/ Joseph W. Cotchett_________________
JOSEPH W. COTCHETT
Attorneys for Plaintiffs
6
7
8
9
10
JURY DEMAND
Plaintiff respectfully demands trial by jury on all issues so triable.
11
12
Dated: December 22, 2016
COTCHETT, PITRE & McCARTHY, LLP
13
/s/ Joseph W. Cotchett_________________
JOSEPH W. COTCHETT
Attorneys for Plaintiffs
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Law Offices
COTCHETT, PITRE &
MCCARTHY, LLP
COMPLAINT
24
EXHIBIT A
12/20/2016
8K
8K 1 d305610d8k.htm 8K
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM 8K
CURRENT REPORT
Pursuant to Section 13 or 15(d) of
The Securities Exchange Act of 1934
Date of Report (Date of earliest event reported): December 14, 2016
Yahoo! Inc.
(Exact name of registrant as specified in its charter)
Delaware
00028018
770398689
(State or other jurisdiction
of incorporation)
(Commission
File Number)
(I.R.S. Employer
Identification No.)
701 First Avenue
Sunnyvale, California
94089
(Address of principal executive offices)
(Zip Code)
Registrant’s telephone number, including area code: (408) 3493300
Not Applicable
(Former name or former address, if changed since last report.)
Check the appropriate box below if the Form 8K filing is intended to simultaneously satisfy the filing obligation of the registrant
under any of the following provisions:
☐
Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)
☐
Soliciting material pursuant to Rule 14a12 under the Exchange Act (17 CFR 240.14a12)
☐
Precommencement communications pursuant to Rule 14d2(b) under the Exchange Act (17 CFR 240.14d2(b))
☐
Precommencement communications pursuant to Rule 13e4(c) under the Exchange Act (17 CFR 240.13e4(c))
https://www.sec.gov/Archives/edgar/data/1011006/000119312516793106/d305610d8k.htm
1/4
12/20/2016
8K
Item 8.01. Other Events.
On December 14, 2016, Yahoo! Inc. (“Yahoo”) issued a press release providing important information to users regarding data
security issues concerning certain Yahoo user accounts. A copy of the press release is attached hereto as Exhibit 99.1 and is
incorporated herein by reference.
Item 9.01. Financial Statements and Exhibits.
(d) Exhibits.
Exhibit No.
Description
99.1
Yahoo! Inc. press release dated December 14, 2016.
https://www.sec.gov/Archives/edgar/data/1011006/000119312516793106/d305610d8k.htm
2/4
12/20/2016
8K
SIGNATURE
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on
its behalf by the undersigned hereunto duly authorized.
YAHOO! INC.
(Registrant)
By: /s/ Ronald S. Bell
Name: Ronald S. Bell
Title: General Counsel and Secretary
Date: December 14, 2016
https://www.sec.gov/Archives/edgar/data/1011006/000119312516793106/d305610d8k.htm
3/4
12/20/2016
8K
EXHIBIT INDEX
Exhibit No.
Description
99.1
Yahoo! Inc. press release dated December 14, 2016.
https://www.sec.gov/Archives/edgar/data/1011006/000119312516793106/d305610d8k.htm
4/4
12/20/2016
EX99.1
EX99.1 2 d305610dex991.htm EX99.1
Exhibit 99.1
Important Security Information for Yahoo Users
SUNNYVALE, Calif., December 14, 2016— Yahoo! Inc. (NASDAQ:YHOO) has identified data security issues concerning certain
Yahoo user accounts. Yahoo has taken steps to secure user accounts and is working closely with law enforcement.
As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed was
Yahoo user data. The company analyzed this data with the assistance of outside forensic experts and found that it appears to be
Yahoo user data. Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August
2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion
associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22,
2016.
For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers,
dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The
investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account
information. Payment card data and bank account information are not stored in the system the company believes was affected.
Yahoo is notifying potentially affected users and has taken steps to secure their accounts, including requiring users to change their
passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could
allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, the company believes an
unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. The outside forensic experts have
identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders,
and has invalidated the forged cookies. The company has connected some of this activity to the same statesponsored actor believed
to be responsible for the data theft the company disclosed on September 22, 2016.
https://www.sec.gov/Archives/edgar/data/1011006/000119312516793106/d305610dex991.htm
1/3
12/20/2016
EX99.1
Yahoo encourages users to review all of their online accounts for suspicious activity and to change their passwords and security
questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account. The
company further recommends that users avoid clicking links or downloading attachments from suspicious emails and that they be
cautious of unsolicited communications that ask for personal information. Additionally, Yahoo recommends using Yahoo Account
Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.
Additional information will be available on the Yahoo Account Security Issues FAQs page, https://yahoo.com/securityupdate.
About Yahoo
Yahoo is a guide to digital information discovery, focused on informing, connecting, and entertaining through its search,
communications, and digital content products. By creating highly personalized experiences, Yahoo helps users discover the
information that matters most to them around the world — on mobile or desktop. Yahoo connects advertisers with target audiences
through a streamlined advertising technology stack that combines the power of Yahoo’s data, content, and technology. Yahoo is
headquartered in Sunnyvale, California, and has offices located throughout the Americas, Asia Pacific (APAC) and the Europe,
Middle East and Africa (EMEA) regions. For more information, visit the pressroom (pressroom.yahoo.net) or the Company’s blog
(yahoo.tumblr.com).
Statements in this press release regarding the findings of Yahoo’s ongoing investigations involve potential risks and uncertainties.
The final conclusions of the investigations may differ from the findings to date due to various factors including, but not limited to,
the discovery of new or additional information and other developments that may arise during the course of the investigation. More
information about potential risks and uncertainties of security breaches that could affect the Company’s business and financial results
is included under the caption “Risk Factors” in the Company’s Quarterly Report on Form 10Q for the quarter ended September 30,
2016, which is on file with the SEC and available on the SEC’s website at www.sec.gov.
Yahoo!, the Yahoo family of marks, and the associated logos are trademarks and/or registered trademarks of Yahoo! Inc. Other names
are trademarks and/or registered trademarks of their respective owners.
https://www.sec.gov/Archives/edgar/data/1011006/000119312516793106/d305610dex991.htm
2/3
12/20/2016
EX99.1
Yahoo
Suzanne Philion
sphilion@yahooinc.com
+1 (408) 3494040
https://www.sec.gov/Archives/edgar/data/1011006/000119312516793106/d305610dex991.htm
3/3
EXHIBIT B
12/20/2016
⌂ Home
Yahoo Privacy Center
Mail
Search
News
Sports
Finance
Celebrity
Weather
Answers
Search
Terms
Privacy Center
Topics
Products
Controls
Intellectual Property
Permissions
Closed Captioning
Guidelines
Flickr
Mobile
👤
Install the new Firefox »
More ⋁
ign in
S
✉
ail
M
⚙
Yahoo Privacy Center
Welcome to the Yahoo Privacy Center take a look around. You'll learn how Yahoo treats your personal information, along with
ways to control your preferences and settings. As always, Yahoo is committed to gaining your trust.
What This Privacy Policy Covers
Yahoo takes your privacy seriously. Please read the following to learn more about our privacy policy.
The federal government and technology industry have developed practical tips to help you guard against Internet fraud, secure your
computer and protect your personal information.
How Yahoo Uses Your Personal Information
This policy covers how Yahoo treats personal information that Yahoo collects and receives, including information related to your
past use of Yahoo products and services. Personal information is information about you that is personally identifiable like your
name, address, email address, or phone number, and that is not otherwise publicly available.
This privacy policy only applies to Yahoo
This policy does not apply to the practices of companies that Yahoo does not own or control, or to people that Yahoo does not
employ or manage. In addition, some companies that Yahoo has acquired have their own, preexisting privacy policies which may
be viewed on our affiliates page.
Data Transfer
Your personal information may be transferred to countries other than your own to process and store data in accordance with our
Privacy Policy and to provide you with products and services. Some of these countries may not have the same data protection
safeguards as the country where you reside. Yahoo may process personal information related to individuals in the EU and may
transfer that information from the EU through various compliance mechanisms, including data processing agreements based on the
EU Standard Contractual Clauses. By using our products and services, you consent to us transferring your data to these countries.
We are committed to ensuring your information is protected and apply safeguards in accordance with applicable law.
For more information, please visit our Data Transfer page.
Information Collection & Use
General
Yahoo collects personal information when you register with Yahoo, when you use Yahoo products or services, when you visit
Yahoo pages or the pages of certain Yahoo partners, and when you enter promotions or sweepstakes. Yahoo may combine
information about you that we have with information we obtain from business partners or other companies.
When you register we ask for information such as your name, email address, birth date, gender, ZIP code, occupation, industry,
and personal interests. For some financial products and services we might also ask for your address, Social Security number, and
information about your assets. When you register with Yahoo and sign in to our services, you are not anonymous to us.
Yahoo collects information about your transactions with us and with some of our business partners, including information about
your use of financial products and services that we offer.
Yahoo analyzes and stores all communications content, including email content from incoming and outgoing email.
Yahoo automatically receives and records information from your computer and browser, including your IP address, Yahoo cookie
information, software and hardware attributes, and the page you request.
Yahoo uses information for the following general purposes: to customize the advertising and content you see, fulfill your requests
for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and
external clients.
Children
With parental permission, a child under age 13 might have a Yahoo Family Account. Visit Children's Privacy & Family Accounts to
learn more about children’s privacy on Yahoo.
Information Sharing & Disclosure
Yahoo does not rent, sell, or share personal information about you with other people or nonaffiliated companies except to provide
products or services you've requested, when we have your permission, or under the following circumstances:
We provide the information to trusted partners who work on behalf of or with Yahoo under confidentiality agreements. These
companies may use your personal information to help Yahoo communicate with you about offers from Yahoo and our marketing
https://policies.yahoo.com/us/en/yahoo/privacy/
1/3
12/20/2016
⌂ Home
Yahoo Privacy Center
Mail
Search
partners. However, these companies do not have any independent right to share this information.
News
Sports
Finance
Celebrity
Weather
Answers
Flickr
Mobile
Install the new Firefox »
More ⋁
We have a parent's permission to share the information if the user is a child under age 13. See Children's Privacy & Family
ign in
ail
S
M
Accounts for more information about our privacy practices for children under 13 .
Search
👤
✉
⚙
We respond to subpoenas, court orders, or legal process (such as law enforcement requests), or to establish or exercise our
legal rights or defend against legal claims.
We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities,
suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo's terms of use,
or as otherwise required by law.
We transfer information about you if Yahoo is acquired by or merged with another company. In this event, Yahoo will notify you
before information about you is transferred and becomes subject to a different privacy policy.
Yahoo displays targeted advertisements based on personal information. Advertisers (including ad serving companies) may assume
that people who interact with, view, or click targeted ads meet the targeting criteria—for example, women ages 1824 from a
particular geographic area.
Yahoo does not provide any personal information to the advertiser when you interact with or view a targeted ad. However, by
interacting with or viewing an ad you are consenting to the possibility that the advertiser will make the assumption that you
meet the targeting criteria used to display the ad.
Yahoo advertisers include financial service providers (such as banks, insurance agents, stock brokers and mortgage lenders)
and nonfinancial companies (such as stores, airlines, and software companies).
Yahoo works with vendors, partners, advertisers, and other service providers in different industries and categories of business. For
more information regarding providers of products or services that you've requested please read our detailed reference links.
Cookies & Similar Technologies
Yahoo may set and access Yahoo cookies on your computer. We may also set and access device identifiers which could include
IP address, user agent information (browser version, OS type and version), and device provided identifiers. Once you log into
Yahoo on your device, Yahoo may recognize your device to provide you with a personalized experience, independent of your
device settings. You can control your personalized experience across Yahoo through our Ad Interest Manager. Learn more.
Yahoo lets other companies that show advertisements on some of our pages set and access their cookies on your computer. Other
companies' use of their cookies and device identifiers is subject to their own privacy policies, not this one. Advertisers or other
companies do not have access to Yahoo's cookies.
Yahoo uses web beacons to access Yahoo cookies inside and outside our network of web sites and in connection with Yahoo
products and services.
Your Ability to Edit and Delete Your Account Information and Preferences
You can edit your Yahoo Account Information, including your marketing preferences, at any time. You can also modify information
you have provided to Yahoo through the Yahoo products or services you may use.
New categories of marketing communications might be added to the Marketing Preferences page from time to time. Users who
visit this page can opt out of receiving future marketing communications from these new categories or they can unsubscribe by
following instructions contained in the messages they receive.
We reserve the right to send you certain communications relating to the Yahoo service, such as service announcements,
administrative messages and the Yahoo Newsletter, that are considered part of your Yahoo account, without offering you the
opportunity to opt out of receiving them.
You can delete your Yahoo account by visiting our Account Deletion page. Please click here to read about information that might
possibly remain in our archived records after your account has been deleted.
Confidentiality & Security
We limit access to personal information about you to employees who we believe reasonably need to come into contact with that
information to provide products or services to you or in order to do their jobs.
We have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about
you.
To learn more about security, including the security steps we have taken and security steps you can take, please read Security at
Yahoo.
Changes to This Policy
Yahoo may update this policy. We will notify you about significant changes in the way we treat personal information by sending a
notice to the primary email address specified in your Yahoo account or by placing a prominent notice on our site.
Questions & Suggestions
If you have questions, suggestions, or wish to make a complaint, please complete a feedback form or you can contact us at:
https://policies.yahoo.com/us/en/yahoo/privacy/
2/3
12/20/2016
⌂ Home
Yahoo Privacy Center
Mail
Search Yahoo! Inc.
News
Sports
Finance
Customer Care Privacy Policy Issues
701 First Avenue
Sunnyvale, CA 94089
(408) 3495070
Celebrity
Weather
Answers
Search
Flickr
Mobile
👤
Install the new Firefox »
More ⋁
ign in
S
✉
ail
M
⚙
If you feel that your inquiry has not been satisfactorily addressed, please click here for information on consumer agencies that may
be able to provide you with additional assistance.
Last Updated: November 23, 2016
Personalized Experience
By bringing content and advertising to you that is relevant and tailored to your interests, Yahoo provides a more compelling
online experience. Update your content or search preferences, manage your advertising choices, or learn more about
relevant advertising.
Links
Yahoo Global Public Policy Blog
Register for a Yahoo Account
Manage Your Yahoo Account
Learn About Account Security
Learn About Your Online Safety
Learn About Accessibility @ Yahoo
https://policies.yahoo.com/us/en/yahoo/privacy/
3/3
EXHIBIT C
12/21/2016
⌂ Home
Security at Yahoo
Mail
Search
News
Sports
Finance
Celebrity
Weather
Answers
Search
Terms
Privacy Center
Topics
Products
Controls
Intellectual Property
Permissions
Closed Captioning
Guidelines
Flickr
Mobile
👤
Install the new Firefox »
More ⋁
ign in
S
✉
ail
M
⚙
Security at Yahoo
Protecting our systems and our users’ information is paramount to ensuring Yahoo users enjoy a secure user experience and
maintaining our users’ trust. We have taken the following measures to protect your information:
Transport Layer Security (TLS)
We use TLS encryption when transmitting certain kinds of information, such as financial services information or payment
information. An icon resembling a padlock is displayed in most browsers during TLS sessions.
Second Signin Verification
You may turn on a setting that requires a second piece of information such as a code sent via SMS in addition to your
password when signing in to your account from a device or location we don’t recognize. Learn more about second signin
verification.
OnDemand Passwords
Yahoo also offers ondemand passwords. By linking your mobile device to your account, you enable Yahoo to provide you with
an ondemand password sent to your mobile phone, so you don't have to remember passwords anymore. Learn more about on
demand passwords.
Secure Storage
We deploy industry standard physical, technical, and procedural safeguards that comply with relevant regulations to protect
your personal information.
Vendors and Partners
To protect the security and privacy of your information, we may provide information to partners and vendors who work on our
behalf or with us under confidentiality agreements. These companies do not have any independent right to use or share this
information without your consent.
Access to Information
We limit access to personal information about you to those employees who we reasonably believe need to come into contact
with that information to provide products or services to you or in order to process this information for us.
Education and Training
We have implemented a companywide education and training program about security that is required of every Yahoo employee.
Please note that no data transmission over the Internet or information storage technology can be guaranteed to be 100% secure.
We continue to evaluate and implement enhancements in security technology and practices.
Security Takes Teamwork
You also need to take your security seriously. Please visit our Safety Center for tools and tips about ways to remain vigilant and
steps you can take on your own to help protect your information and reduce the risks of unauthorized access.
How to Report Security Incidents
Information about reporting security incidents is found in our Safety Center.
Yahoo Privacy
To find out how Yahoo treats your personal information, please visit our Privacy Policy. This page describes current Yahoo
practices with respect to this product or topic. Information on this page may change as Yahoo adds or removes features.
Personalized Experience
By bringing content and advertising to you that is relevant and tailored to your interests, Yahoo provides a more compelling
online experience. Update your content or search preferences, manage your advertising choices, or learn more about
relevant advertising.
https://policies.yahoo.com/us/en/yahoo/privacy/topics/security/index.htm
1/1
EXHIBIT D
Yahoo’s Code of Ethics
Winning with Integrity
Winning with Integrity
Yahoos,
Yahoo is the place where millions of people go to see what
is happening with the people and the things that matter to
them most. We must do everything possible to continue to
earn and keep their trust. Our conduct must always reflect
Yahoo’s values, demonstrate ethical leadership and uphold
Yahoo’s reputation for integrity.
letter of this Code of Ethics and always maintain the
highest standards of integrity when conducting Yahoo
business. If you are ever unsure of what to do – please ask!
Yahoo’s Ethics and Compliance Office (ECO) is responsible
for overseeing compliance with this Code of Ethics and is
available to answer your questions and receive reports of
suspected ethics and compliance issues. You may contact
the ECO utilizing any of the methods below:
We are committed to the highest standards of business
conduct in our relationships with each other, our users, our
stockholders and our customers, suppliers and partners.
This Code of Ethics applies to all Yahoos and provides the
information necessary to fulfill our obligations to act with
integrity and in compliance with the laws and regulations
that affect our business.
Phone: 408-349-3059
Email: eco@yahoo-inc.com
IntegrityLine: 1-888-47-Yahoo (1-888-479-2466)
Website: integrityline.yahoo.com
All Yahoos are expected to conduct themselves in
accordance with the spirit as well as the
Let’s make sure we continue to Win with Integrity!
1
Contents
4
Our Values
6
Our Code
21
Our Business Relationships
42
Our Responsibility
Fair Competition
8
Reporting Violations
Business Courtesies
Tools and Resources
Export, Import, and Anti-Boycott Laws
Our Company
Seeking Guidance
Insider Trading
Waivers of the Code
Respect for Our Fellow Yahoos
Money Laundering
A Safe and Secure Workplace
Gathering Information About
Conflicts of Interest
Competitors
Accurate Business Communications,
Anticorruption Laws
Records, and Contracts
Q&A
External Communications
Confidential Information and
33
Our Community
Intellectual Property
User Privacy
Copyrights
Protecting the Environment
Use of Yahoo Resources
Political Activities and Contributions
Q&A
Representations Regarding Yahoo’s
Business, Products, Services, and
Competitors
Human Rights
Child Protection
Q&A
2
48
A Message from Yahoo’s
Board of Directors
Our values shape the culture and define the
character of our company. They are at the heart
of who we are and what we do.
3
Our Values
Excellence:
Teamwork:
••We are committed to winning with integrity.
•• e treat one another with respect and communicate openly.
W
•• e know leadership is hard won and should never be taken for
W
granted.
•• e foster collaboration while maintaining individual
W
accountability.
•• e aspire to flawless execution and don’t take shortcuts
W
on quality.
•• e encourage the best ideas to surface from anywhere within
W
the organization.
••We seek the best talent and promote its development.
•• e appreciate the value of multiple perspectives and diverse
W
expertise.
••We are flexible and learn from our mistakes.
Community:
Innovation:
•• e share an infectious sense of mission to make an impact on
W
society and empower consumers in ways never before possible.
••We thrive on creativity and ingenuity.
•• e seek the innovations and ideas that can change the world.
W
•• e are committed to serving both the Internet community and
W
our own communities.
•• e anticipate market trends and move quickly to embrace
W
them.
Fun:
••We are not afraid to take informed, responsible risk.
•• e believe humor is essential to success.
W
Customer Fixation:
•• e applaud irreverence and don’t take ourselves too seriously.
W
•• e respect our customers above all else and never forget that
W
they come to us by choice.
••We celebrate achievement.
••We yodel.
•• e share a personal responsibility to maintain our customers’
W
loyalty and trust.
•• e listen and respond to our customers and seek
W
to exceed their expectations.
4
Together, we share a commitment to safeguard
Yahoo’s reputation for integrity. Our continued
success depends on your ability to make decisions
that are consistent with our values. Do your part
to understand and comply with the letter and the
spirit of Yahoo’s Code of Ethics. Conduct business
with honesty and integrity and refrain from doing
anything that would harm our reputation.
5
Our Code
“What Should I Do If…”
from the ECO or the Legal Department. Changes to and
waivers of this Code of Ethics will be publicly disclosed as
required by applicable law and regulations.
Yahoo’s Code of Ethics is a resource designed to help you
navigate your way through ethical situations you may
encounter on the job. It defines what Yahoo expects of its
businesses and people, and provides the information
necessary to help each of us act with integrity and in
compliance with the laws and regulations applicable to our
worldwide operations.
For purposes of this Code of Ethics, the term “Yahoos”
refers to employees of Yahoo. Third-party contractors,
agents, outsourced service providers, consultants, and
interns performing services for Yahoo must also comply
with this Code of Ethics in their performance of such
services and have the same obligations and responsibilities
as Yahoos under this Code.
The Code Applies to Everyone at Yahoo
This Code of Ethics applies to all Yahoo employees
(including officers, senior financial officers, and employees
of our international subsidiaries and affiliates), directors,
and all contractors assigned at Yahoo, regardless of
position, location, or level of responsibility. As a global
business, Yahoo employees are subject to the laws and
regulations of different countries and organizations, such as
the European Union. Each of us is responsible for knowing
and following the laws that apply to us where we work.
Yahoos outside the United States should refer to local
Yahoo policies and guidelines. In some cases, local country
law may establish requirements that differ from our Code.
In these cases or when in doubt, seek guidance
Exercise Good Judgment
You won’t find the answer to every question here, but
you will find the guidance you need to help you use good
judgment in your decision-making, and you’ll find a list
of resources you can tap regarding any questions or
concerns. When faced with a situation that is not covered
in the Code, consider your action in light of the following
questions:
• Is it ethical?
• Is it legal?
6
Our Code
• Is it consistent with Yahoo’s values?
KNOW THE CODE
• oes it comply with our Code of Ethics or other
D
company policy?
• ake decisions that are consistent with our values.
M
• ould you feel okay about it if it was reported in the
W
media or communicated to management? Your peers?
Your family?
• ead, understand, and follow the Code.
R
• now and comply with the laws and regulations of
K
each country where we do business.
• Does it protect both Yahoos short-term and long-term
interests?
• Work to ensure that third-party contractors, agents,
or consultants who work on Yahoo’s behalf or are
assigned to Yahoo are aware of our Code and act
consistent with it.
• ould you be able to look your manager or CEO in the
W
eye and say you did the right thing?
If you can answer “yes” to all of these questions, then the
decision to move forward is probably appropriate. If you’re
not sure, consult with your manager, the Legal Department,
or the ECO for guidance.
• f you are a supervisor, promote compliance and
I
ethics by example – show what it means to act with
integrity.
• eport any violations of our Code and seek advice if
R
you are ever unsure about what to do.
Speak up if you see or suspect activity that violates
our Code. It may seem easier to say nothing or to look
the other way, but taking no action can have serious
consequences.
7
Our
Company
Our people
are our most
important asset.
We respect each
other. We work
together as One
Yahoo.
8
Respect for Our Fellow Yahoos
The experiences, skills, and insights of employees from a
variety of backgrounds and cultures enrich our corporate
environment, improve our employees’ effectiveness and
satisfaction, and ultimately contribute to the success of
Yahoo.
KNOW THE CODE
• reat others with respect and dignity.
T
• peak up if you see or suspect that others are being
S
harassed or discriminated against.
Yahoo is an equal opportunity employer and believes
every employee is entitled to fair treatment, courtesy,
and respect. We do not tolerate illegal employment
discrimination or unlawful workplace harassment. We
maintain a diverse and inclusive work environment where
the cultural differences of employees are embraced.
• f you’re a manager, make sure employment
I
decisions comply with company policy and are
based on lawful business reasons.
• Follow Yahoo’s privacy and data protection policy.
Each of us has a responsibility to protect personal data
from unauthorized access, loss, misuse, or unauthorized
disclosure.
For further guidance on respect for our fellow
Yahoos, U.S. employees may consult the “Our
Standards” policies on Working @ Yahoo on
Backyard.
Yahoos outside the U.S. should refer to local policies
and guidelines.
9
A Safe and Secure Workplace
Yahoo is committed to providing a safe, healthy, secure,
and drug-free work environment for all employees. As a
Yahoo, you are prohibited from using, possessing, selling,
or being under the influence of any illegal substance on
Yahoo property or when conducting Yahoo business. To
further ensure a safe workplace, Yahoos are also prohibited
from making threats, committing acts of violence or
intimidation, or possessing or selling firearms or weapons
on Yahoo property or when conducting Yahoo business.
KNOW THE CODE
• Know and abide by Yahoo policies regarding drugs
and alcohol.
• eport any unsafe conditions, violent acts, or threats.
R
For further guidance on a safe and secure workplace,
U.S. employees can refer to the security, health,
and safety policies on Working @ Yahoo on
Backyard.
Yahoos outside the U.S. should refer to local policies
and guidelines.
10
Conflicts of Interest
potential for a conflict of interest and determine how it can
be resolved. And remember, you may not use other people
to do indirectly what you are prohibited from doing yourself.
We all must dedicate our best efforts to Yahoo’s success
and ensure that our efforts are not compromised by
potential conflicts of interest. Each of us must avoid any
situation that may create or appear to create a conflict
between our personal interests and the interests of Yahoo.
You are required to disclose all potential conflicts of
interest and to promptly take action to eliminate a conflict
if Yahoo requests that you do so.
KNOW THE CODE
• Always ask yourself: Am I doing what’s right for
Yahoo?
Conflicts of interest can arise in many ways, including:
• utside board memberships (including technical
O
advisory boards)
• f a conflict of interest (or even the appearance of
I
one) develops, seek guidance from the ECO.
• Outside business activities
• Don’t accept employment or serve as a member on
the board (including a technical advisory board) of a
Yahoo competitor.
• Outside employment
• Outside investments
• Get written approval from the ECO before accepting
employment or assignment if (1) employment is with
a Yahoo customer, supplier, or other business
partner, or (2) the employment will interfere
with your responsibilities at Yahoo (this includes
excessive time commitments, pay, etc.).
• Business relationships with friends or relatives
• Using your position or assignment at Yahoo for
personal gain
• Outside relationships with Yahoo suppliers, customers,
competitors, or partners
• et written approval from the ECO before serving
G
on the board (including a technical advisory board)
of any for-profit organization.
Transparency is the key to avoiding conflicts of interest.
When in doubt, ask the ECO for guidance to assess the
11
Conflicts of Interest
• You don’t need to seek approval from the ECO to
serve on the board of a not-for-profit organization
unless the organization has a business relationship
with Yahoo.
• Always obtain written approval from the ECO before
directing or recommending that Yahoo business be
referred to an outside company in which you or a
related person has a financial interest or before
conducting any Yahoo business with such a
company.
• You may not own an interest in any nonpublic
company that competes with Yahoo or an interest in
excess of 1% in any public company that competes
with Yahoo.
• Don’t accept from a third party any stocks,
discounted stocks, “friends and family stock,” or
stock options that are offered by virtue of your
being a Yahoo or because of the work you do for
Yahoo.
• Obtain written approval from the ECO before
securing an interest in any nonpublic company that
does business with Yahoo or securing an interest in
excess of 1% of any public company that does
business with Yahoo.
• n any situation in which ECO approval is required by
I
this policy, members of the Board of Directors and
executive officers must also obtain written approval
by the Audit Committee of the Board of Directors.
• on’t hire or conduct business with a related person
D
unless you obtain approval in writing from the
ECO. Related person means any family member
including current spouse, children, parents, in-laws,
grandparents, grandchildren, brothers, sisters, aunts,
uncles, cousins, nephews, nieces, domestic partners,
and anyone else whose relationship to you, in the
judgment of the Compliance Officer, could impair or
be perceived to impair objective judgment and/or
good working relationships.
For further guidance on conflicts of interest,
refer to the Conflict of Interest Policy on
Backyard.
12
Accurate Business Communications, Records, and Contracts
Accurate and reliable business records are critical to
meeting our financial, legal, and business obligations. If
you are responsible for creating and maintaining Yahoo’s
financial records, you must do so in accordance with
applicable legal requirements and generally accepted
accounting practices. Disclosure in reports and documents
filed with or submitted to the U.S. Securities and Exchange
Commission and in other public communications
made by Yahoo must be full, fair, accurate, timely, and
understandable. In order to make sure our contractual
commitments are properly reviewed and approved, Yahoos
must comply with all signature authority policies.
• void exaggerating, making derogatory
A
characterizations of people or companies, or
drawing legal conclusions in business records and
communications (including email, IMs, voicemail,
blogs, twikis, and informal memos, regardless of
intended distribution).
• nsure that written agreements accurately and
E
completely reflect the terms of the business deal
they describe.
• Don’t make any unauthorized extra-contractual
promises, commitments, or side letters on behalf of
Yahoo without obtaining the approval of the Legal
Department.
• btain approval from the appropriate business, legal,
O
or financial approver for any nonstandard terms and
agreements or for any proposed modifications to
existing agreements.
KNOW THE CODE
• ake sure information we disclose about our
M
company is clear, truthful, and accurate.
• Don’t enter into any contracts or commit Yahoo
to any obligations with an outside party unless
you’re authorized to do so.
• If you become aware of any omission, inaccuracy,
or falsification in Yahoo’s business records (or its
supporting information), contact the ECO or Legal
Department.
13
External Communications
Communicating consistent and accurate information to
the public is vital to our image and is required to meet
regulatory and legal obligations. Only people authorized
by our Corporate Communications Department may speak
as a Yahoo representative or about Yahoo’s business with
the press or at external events, conferences, industry
tradeshows, or forums. And only Yahoos authorized by the
Chief Financial Officer or the Investor Relations
Department may speak on behalf of Yahoo to members of
the financial community, such as securities analysts,
stockholders, or fund managers.
KNOW THE CODE
• Don’t speak on behalf of Yahoo unless you’re
authorized to do so.
• irect any inquiries from the media, analysts,
D
and other organizations to either Corporate
Communications or Investor Relations.
• onsult with the Legal Department before
C
responding to requests for information from
government agencies and regulators, including
subpoenas.
• f the Legal Department advises you to respond to
I
requests for information, make sure that what you
provide is complete, current, and accurate.
14
Confidential Information and Intellectual Property
By protecting our knowledge base and our information
systems, we protect our competitive advantage. If you
are employed by Yahoo or providing services to Yahoo,
you may have access to confidential and/or proprietary
information regarding our business, users, advertisers,
content providers, vendors, partners, candidates for
employment, or perhaps even fellow Yahoos.
Protecting this information is vital to our success. We
are also committed to respecting the intellectual
property and protected information of others.
Examples of confidential information include product
information, plans, specifications, designs, and pricing;
nonpublic financial information, including forecasts,
budgets, and data; acquisition or merger prospects or
arrangements; marketing or advertising plans or strategies;
business strategies; contract terms; credit procedures;
customer preferences; research and development plans;
technical information and data; customer lists or files;
employment and personnel information, and; compensation
data, including information relating to employee stock
ownership or entitlement. We have a responsibility to
protect our trademarks too, including the Yahoo name and
logos, slogans – even our yodel.
15
Confidential Information and Intellectual Property
KNOW THE CODE
• Safeguard confidential information and abide by the
terms of the proprietary information agreement you
signed when you started working at Yahoo.
• f you become aware of others using our logos,
I
names, or other trademarks in a way that’s
unauthorized, contact the trademark group.
• Don’t disclose any confidential information outside
of Yahoo or to anyone who does not have a need
to know, unless you’re authorized by appropriate
management or the Legal Department to do so.
• Don’t bring confidential or proprietary information of
a prior employer or another third party into Yahoo.
•Remember, your obligation to protect confidential
information applies even if you stop working at
Yahoo.
For further guidance on confidential information
and intellectual property, U.S. employees can refer to
the security, health, and safety policies on Working
@ Yahoo on Backyard.
• ny unsolicited, third-party proprietary information
A
should be refused. If you inadvertently receive it,
notify the Legal Department immediately.
Yahoos outside the U.S. should refer to local policies
and guidelines.
• Always use Yahoo trademarks in accordance with our
trademarks policies – if you have questions, contact
the Brand Team (brand-issues@yahoo-inc.com) and
the trademark group within the Legal Department
(trademarks@yahoo-inc.com).
16
Copyrights
Articles, images, audio and video recordings, lyrics, TV
shows, movies, computer software, and other authored
materials may be covered by copyright laws. The absence
of a copyright notice does not necessarily mean the
materials are not copyrighted. Likewise, you should not rely
solely on a user’s representation that he or she owns the
copyright to uploaded material for any repurposing of that
material by Yahoo. When in doubt, always check with the
Legal Department.
KNOW THE CODE
• rotect copyrighted information.
P
• o not make unauthorized copies of copyrighted
D
materials or incorporate someone else’s work into
your own. It’s also illegal to distribute, display,
or publicly perform copyright work without
authorization.
• Yahoo licenses the use of computer software from
outside companies and, in most cases, this software
is protected by copyright – don’t make, acquire, or
use unauthorized copies of it.
• ontact the Legal Department if you become aware
C
of any apparent unauthorized use of copyrighted
materials or have questions regarding how to
determine whether a work is copyrighted.
For further guidance on copyright, please refer to the
Copyright Policy at: http://info.yahoo.com/
copyright/us/yahoo/en-us/details.html.
Yahoos outside the U.S. should refer to local policies
and guidelines.
17
Use of Yahoo Resources
• Remember, all of the computing and
communications resources at Yahoo are the
property of Yahoo and data from those resources
may be inspected, monitored, collected, or disclosed
by Yahoo in accordance with applicable law.
Yahoo’s computer and communication resources, including
computers, cell phones, voicemail, and email, provide
substantial benefits but also present significant security
and liability risks to you and Yahoo. We each have a
responsibility to use and maintain these assets with care
and to guard against waste and abuse. Remember, when
you use Yahoo computer or communications resources to
access Internet services or to send email, IMs, text
messages, voicemail, or other communication, you are
acting as a representative of Yahoo. Any improper use of
these resources may reflect poorly on Yahoo, damage its
reputation, and expose you and Yahoo to legal liability.
For further guidance on the use of Yahoo resources,
U.S. employees may consult Data Security, Using
Company Property, and Using Electronic
Communications.
http://twiki.corp.yahoo.com/view/Paranoidpolicy/
WebHome
http://backyard2.yahoo.com/policies/US/index.htm
KNOW THE CODE
Yahoos outside the U.S. should refer to local policies
and guidelines.
• Use computer and communication resources in
accordance with all Yahoo policies, including those
that relate to harassment, privacy, copyrights,
trademarks, trade secrets, and data security.
• Don’t use Yahoo resources in a way that’s unlawful,
disruptive, or offensive to others.
18
Q&A
Q: I overheard a co-worker threaten another Yahoo, who
Q: My wife’s company is bidding on a contract with
was afraid to report the situation. What should I do?
another business unit of Yahoo where I have no
decision-making authority. Do I need to report this
as a conflict of interest?
A: Tell your manager, your Human Resources Business
Partner or contact the ECO immediately. Yahoo
will not tolerate acts or threats of violence and will
investigate all reports as appropriate. You have a
responsibility to act when you see or suspect a
threat or risk to anyone at Yahoo.
A: Yes. Even though you might not have direct control
over the outcome of the bid, the fact that your
wife has connections to the company might give
the appearance of a conflict of interest and should
be reported. You must also avoid any attempts to
influence decisions or decision-makers at Yahoo with
respect to your wife’s company.
If
you observe violence or other emergency in
progress, do not intervene if doing so puts you or
others in danger. Instead contact security or local law
enforcement immediately.
Q: What if my manager is exerting pressure on me to
“make the numbers work”?
A: You have a responsibility to be honest and accurate.
If you feel pressured to do otherwise, speak with
someone in the ECO or consult with the Legal
Department or your HR Business Partner. You may
also contact the Audit Committee of the Board of
Directors. If you feel uncomfortable going through
internal channels, you can contact the IntegrityLine
anytime, night or day.
19
Q&A
Q: A former member of my team called to ask me for
Q: hat if you have a personal blog, where you talk
W
about your life and your work – should you be
concerned about what you discuss?
some copies of materials we worked on together
when she was at Yahoo. As we talked, I realized that
she still had some data we used on the project. I told
her I’d call her back – now what?
A:
A: First, don’t provide copies of the materials she
requested. You may be in violation of the Code by
doing so. She may have violated the Code by
taking Yahoo confidential and/or proprietary
information, and there could be other issues if she
shared this information with others. Contact your
manager, the ECO, or the Legal Department for
guidance.
20
Yes. Yahoo believes in fostering a thriving online
community and supports blogging as a valuable
component of shared media. But, you need to be
careful not to disclose confidential and/or proprietary
information of Yahoo, our clients, or third parties
to anyone (including family and friends) without a
specific and legitimate need for the information.
Make sure you know and follow Yahoo’s Personal
Blog Guidelines and always be careful about
discussing business matters with anyone outside of
Yahoo, on the Internet, or even in physical spaces,
within hearing distance of outsiders (for example, at
lunch, on the Yahoo shuttle, or in elevators).
Our Business
Relationships
The business
relationships
we forge,
founded on
trust and mutual
advantage, are
vital to our success.
21
Fair Competition
Yahoo believes in a free and open marketplace. We
compete vigorously in all of our business activities, and we
comply with laws that support this kind of market, wherever
we do business. Antitrust and competition laws differ by
country, are complex, and are not always intuitive. Generally,
they prohibit any activities that may limit a business’s
independent judgment or restrain free trade. These
laws touch upon and affect almost every aspect of our
operations, so it’s important that you are familiar with them
and that you contact the Legal Department or the ECO for
help in understanding how they affect your day-to-day
work.
– gree to contracts that provide for “exclusive
A
rights”
– nter into any joint ventures
E
• on’t agree with competitors to allocate or restrict
D
customers, suppliers, markets, products, purchases,
services, or sales territories – don’t even discuss these
kinds of matters with a competitor.
• on’t agree with competitors to set prices or priceD
related terms or conditions – again, even discussions
with competitors about any aspect of pricing is
prohibited.
• ever discriminate in the prices, terms, and services
N
you offer to similarly situated customers.
KNOW THE CODE
• ever enter into “tying arrangements,” in which a
N
customer is required – as a condition of purchasing
one product – to have to purchase a second, distinct
product.
• lways consult with the Legal Department before you:
A
– oin any trade associations or standards-setting
J
bodies
–C
ommunicate with a competitor regarding
business issues
– ttend meetings where competitively sensitive
A
topics may be discussed with people who are not
Yahoos
22
Insider Trading
Applicable laws and Yahoo policy prohibit us from trading
in Yahoo securities while possessing material nonpublic
(sometimes referred to as “inside”) information. Material,
nonpublic information is information that has not yet
become publicly available that a reasonable investor would
consider important in making a decision to buy, sell, or
hold Yahoo stock. The same restrictions apply to trading in
the stock of other companies, if you have knowledge of
material, nonpublic information about them. Remember,
even a “tip” is unlawful – passing along material nonpublic
information to friends or family is also considered a form of
insider trading.
KNOW THE CODE
• Make sure you read and understand Yahoos Insider
Trading Policy.
• Don’t trade in Yahoo securities or the securities of
any other company (including Yahoo business
partners or customers) when you possess material,
nonpublic information.
• Remember that some Yahoos, because of their
position in the company and the potential access they
have to material nonpublic information, are also not
allowed to trade during specified “blackout periods.”
Examples of nonpublic material information may include:
financial results; projections of future earnings or losses;
proposed mergers and acquisitions; a sale of significant
assets; the gain or loss of a substantial customer or
supplier; execution or termination of significant contracts;
unanticipated changes in level of sales, orders, or expenses;
an extraordinary item for accounting purposes; major
financings or restructurings; creation of a material financial
obligation; new equity or debt offerings; stock splits or
dividend information; major product announcements;
significant developments in litigation, senior management,
or organizational changes, such as layoffs.
• e aware that insider trading can result in criminal
B
penalties, civil penalties and/or disciplinary action,
including dismissal.
For further guidance on insider trading, consult the
Insider Trading Policy on Backyard.
If you have a question about your proposed
transactions in our stock, contact a stock
administrator at stockadmin@yahoo-inc.com.
23
Business Courtesies
It is sometimes customary to exchange with third
parties business courtesies, such as gifts, meals, drinks,
entertainment, recreation, honoraria, transportation,
discounts, promotional items, facilities, and equipment.
The appropriateness of offering or accepting business
courtesies depends on the circumstances and parties
involved. In every case, a business courtesy should never
be offered or accepted if it might create a sense of
obligation, compromise your professional judgment, or
create the appearance that it might. And gifts of cash or
cash equivalents (such as gift certificates, securities, or
below-market loans) in any amount are always prohibited.
Also remember, it’s never acceptable to solicit a business
courtesy. If you are in doubt about whether a business
courtesy is appropriate, contact the ECO for guidance.
KNOW THE CODE
• t is generally permissible to offer or accept a
I
business courtesy with a commercial customer,
supplier, vendor, or business partner when the
business courtesy:
– Is of customary value, as determined by Yahoo
and industry practices
– s for the purpose of promoting goodwill and is
I
not intended to influence a particular decision or
create a reciprocal obligation
– Is customary in the country where the exchange
takes place and is not in violation of any laws,
regulations, or policies
– Would not reflect adversely on Yahoo if publicly
disclosed, and
– Has been approved by your manager
• tricter and more specific rules apply when we do
S
business with U.S. state, local, and federal government
personnel and contractors acting on their behalf –
business courtesies extended to these individuals
must be approved in advance and in writing by the
24
ECO or the Legal Department.
Business Courtesies
• he specific rules and regulations that govern business
T
courtesies for non-U.S. government entities differs
from country to country, and violations can result
in criminal liability under the U.S. Foreign Corrupt
Practices Act. Business courtesies to government
officials or representatives of non-U.S. countries or
regional entities must be approved in advance and in
writing by the Legal Department.
For further guidance on business courtesies, refer to the
Accepting Business Courtesy Policy and the Providing
Business Courtesy Policy on Backyard.
25
Export, Import, and Anti-Boycott Laws
The U.S. export and import laws regulate where and with
whom Yahoo can do business and where we may transfer
services, software, and other technologies. These laws also
regulate the disclosure of technical information to nonU.S. nationals, including non-U.S. national Yahoo
employees, agents, and contractors located in the United
States.
All Yahoo employees, agents, and contractors must also
adhere to the applicable customs and laws for importing
products or technology. All commercial items arriving
in a foreign country are subject to customs declarations
whether the item is in your baggage, hand-carried, or
shipped as freight.
Yahoo is prohibited from participating in boycotts that are
not sanctioned by the U.S. government – this includes (but
is not limited to) agreements to discriminate, refusals to do
business with certain countries or companies blacklisted by
other governments, or letters of credit that require boycottrelated acts. To ensure compliance with anti-boycott laws,
always have the Legal Department review agreements,
transactions, and letters of credit that contain potential
boycott-related language.
The U.S. export laws apply to exports delivered
electronically via the Internet, email, or download, as well
as to physical products. Remember, our ability to export
products, services, and technologies is a privilege, not a
right, and the U.S. government can revoke that privilege
in the event of a violation. Failure to comply with the law
can lead to a range of severe civil and criminal penalties
for Yahoo and individual employees, agents, and
contractors, including fines, imprisonment, and revocation
of the company’s export privileges.
26
Export, Import, and Anti-Boycott Laws
KNOW THE CODE
• oordinate early with the Legal Department in the
C
product planning and development process in order
to comply with export and import laws as they relate
to physical or electronic international transfer of
controlled goods, services, software, or technology
outside the United States.
• o not engage in transactions with parties engaged in
D
proliferation of weapons of mass destruction, including
nuclear, missile, chemical, and biological weaponry
activities.
• emember that transactions with countries subject
R
to U.S. trade embargo (currently Iran, Sudan, North
Korea, Syria, and Cuba) are prohibited.
• on’t participate in or promote boycotts that the
D
United States does not support.
• Comply with required declarations and customs
regulations when you are engaged in Yahoo business.
• otify the Legal Department of any boycott-related
N
requests so that they may be reported to the U.S.
government.
• o not conduct business with parties listed on
D
governmental trade exclusion lists, including (but
not limited to) the U.S. Denied Persons, Entity, and
Specially Designated Nationals List.
• ever release or disclose export-restricted software
N
or technology to certain non-U.S. nationals without
an export license.
For further guidance on export, import, and antiboycott laws consult Export Compliance on Backyard
or email ExportCompliance@yahoo-inc.com.
27
Money Laundering
Money laundering is an attempt by individuals or
organizations to hide or disguise the proceeds of criminal
activity through a series of otherwise legitimate business
transactions. We review Yahoo products and services
before release to determine if any features could be
susceptible to money laundering. Yahoo forbids knowingly
engaging in transactions that facilitate money laundering or
result in unlawful diversion.
KNOW THE CODE
• If you become aware of potential money laundering
activities, immediately report your concerns to the
Legal Department or to the ECO.
28
Gathering Information About Competitors
It is entirely proper for us to gather information about our
marketplace, including information about our competitors
and their products and services. But we must always do it
appropriately and in a manner that will not reflect
adversely on Yahoo. We should never use illegal or
unethical means (such as by theft, spying, bribery, or in
breach of a nondisclosure agreement) to obtain
information. Remember, the improper gathering or use of
competitive information could subject you and Yahoo to
criminal and civil liability. When in doubt as to whether
your receipt or collection of information is proper, contact
the Legal Department or litcon@yahoo-inc.com.
KNOW THE CODE
• eview public sources, such as websites, analyst
R
reports, and business and marketing literature for
information about competitors.
• Never attempt to obtain confidential information
from competitors’ current or former employees
or from Yahoo business partners, customers, or
suppliers that do business with them.
• f there is any indication that competitive information
I
you obtained was not lawfully received, refuse to
accept it.
• f you receive any competitive information
I
anonymously or marked “confidential,” don’t
open or review it – contact the Legal Department
immediately.
29
Anticorruption Laws
As Yahoos, we conduct business honestly and fairly, and
we don’t provide or offer anything of value to anyone in
exchange for a favorable decision or to secure favorable
treatment.
Remember, you could be subject to criminal and civil
penalties (including fines and imprisonment) for violating
anticorruption laws. Also, remember that Yahoo can be
held responsible for the conduct of our agents, contractors,
and anyone else who is working on our behalf. Before hiring
any third parties, make sure they are adequately screened
for a prior history of – or a propensity to engage in – any
corrupt activities. Once hired, make sure they comply with
the law and with Yahoo’s anticorruption policies while
engaged in activities on our behalf.
Anticorruption laws, such as the U.S. Foreign Corrupt
Practices Act (FCPA), prohibit the offering or payment
of anything of value (including, but not limited to, money,
stock, services, products, travel expenses, employment
of related persons, and entertainment) to a foreign
government official, political party, party official, or a
candidate for political office in order to influence official
acts, obtain or retain business, or secure any improper
advantage. The FCPA also prohibits creating inaccurate or
false books and records, and requires companies to have
adequate controls regarding accounting and corporate
assets. Before making any kind of payment or offering
anything of value to a government official or official of any
company or entity that may be directly or indirectly owned
by the government, for any reason, you must consult with
the ECO and obtain approval in advance, in writing.
30
Q: In a conversation with a competitor, you agree that
Anticorruption Laws
you will not engage in a price war. Is that okay?
A: No. Any agreement between competitors that directly
relates to the prices they charge violates antitrust law,
regardless of whether prices or price levels are part of
the agreement.
KNOW THE CODE
• Comply with anticorruption laws and consult with
the ECO or the Legal Department if you ever have
questions or concerns.
Q: I’m working on a large joint venture which will
• f you have any knowledge or suspicion of corrupt
I
activity or have been asked to make an improper
payment, report it immediately to the ECO or the
Legal Department.
probably be publicly announced in two weeks.
Can I buy stock in our joint venture partner?
A:
• If you are responsible for hiring or managing
partners, agents, or other third parties to act on
Yahoo’s behalf, exercise due diligence to ensure
they:
– ave no history of or propensity for engaging in
H
corrupt activities
– Are conducting Yahoo business in accordance
with our anticorruption policies
For further guidance on anticorruption laws consult
Anticorruption on Backyard.
31
No. You must never trade in Yahoo securities or the
securities of any other company, including Yahoo
business partners when you possess material,
nonpublic information. If you have any questions
about whether you may trade, consult the Insider
Trading Policy or contact the Legal Department.
Q&A
Q:
A:
Q:
In working with one of Yahoo’s joint venture
partners, the partner offers you a bonus for going
“above and beyond.” Can you accept the bonus?
No. In situations like this, only Yahoo should provide
incentives to employees if the company feels they
are due. Incentives to Yahoo employees or
contractors could create the perception of a conflict
of interest and should not be provided by or
accepted from third parties, even if they are close
partners.
An opportunity arises for Yahoo to do business in
another country, but a local official expects special
fees and other compensation for the business. What
do I do?
A: ertain payments, even if normal under local custom,
C
could violate the U.S. FCPA. Before making any
kind of payment or offering anything of value to a
government official, for any reason, you must consult
with the ECO and obtain approval in advance, in
writing.
32
Our
Community
We strive
to make our
communities
better places
to live and work,
everywhere we
do business.
33
User Privacy
Many of Yahoo’s features and services require that we
collect, process, and store personal information about our
users. They trust us to protect their information and use
and maintain it according to our published policies. Our
Privacy Policy gives our users notice of what we collect,
how it will be used, and with whom we will share it. It gives
them choices about how we use their information and the
opportunity to opt out of certain uses of their data, such
as for commercial communications. It also gives them the
ability to update and correct some of their registration
information. Finally, it provides them with assurances that
we take measures to protect the security of their personal
information.
KNOW THE CODE
• Respect our users’ privacy and handle user data
according to our Privacy Policy.
• Don’t share Yahoo user information with parties
outside of Yahoo unless approved by the Legal
Department.
• Be aware that international properties may have
additional privacy policy requirements – if you have
a situation involving non-U.S. users, consult with the
Legal Department.
• Personal information about Yahoo users under the
age of 13 is subject to special handling requirements
– if you have a situation involving users under the
age of 13, again, consult with the Legal
Department.
For further guidance on user privacy consult the
Privacy Policy on Backyard.
34
Protecting the Environment
Yahoo has a strong commitment to corporate citizenship,
and we strive to conduct business in an environmentally
responsible manner. To this end, it is our policy to comply
with all environmental laws and regulations. Decisions
about environmentally sensitive actions, such as disposal
of electronic equipment, must comply with applicable laws
and environmentally responsible practices.
KNOW THE CODE
• onduct business in an environmentally responsible
C
manner.
• Make the proper inquiries into the background,
integrity, and financial responsibility of all
companies or people performing disposal or other
environmentally sensitive services for Yahoo.
• Direct any actual or potential environmental,
health, or safety problems, or questions about your
responsibilities or Yahoo policies about
environmental protection to your manager or to the
Department of Real Estate & Workplace (REW).
35
Political Activities and Contributions
Various laws restrict us from using Yahoo funds, assets,
services, or facilities on behalf of a political party or
candidate. You may not engage in any political activity
(such as running for public office, serving as an elected
official, or campaigning for a political candidate) using
company time or resources. Also, you may not make
any payments of corporate funds to any political party,
candidate, or campaign unless permitted under applicable
law and approved in writing and in advance by the Global
Public Policy Office. Of course, you may participate in
political activities on an individual basis, with your own
money and on your own time.
KNOW THE CODE
• Yahoo will not compensate or reimburse you, in any
form, for political contributions.
• Before engaging in any activity on behalf of Yahoo
that might be considered a political contribution or
lobbying, obtain written approval from the Yahoo
Global Public Policy Office.
• e aware that laws of some jurisdictions require
B
registration and reporting by anyone who engages in
a lobbying activity. Generally, lobbying includes:
– ommunicating with any member or employee
C
of a legislative branch of government for the
purpose of influencing legislation
– ommunicating with government officials for the
C
purpose of influencing government action
– ngaging in research or other activities
E
to support or prepare for these kinds of
communications
36
Representations Regarding Yahoo’s Business,
Products, Services, and Competitors
To maintain our high standards of credibility and avoid
creating unintended contractual liability, all
representations made by Yahoo employees and agents
concerning Yahoo’s products and services must be
current, accurate, complete, and not misleading. This
standard is particularly important to follow when engaging
in any communication made outside Yahoo, including, but
not limited to, press releases, marketing materials, blogs,
Internet posts, customer meetings, and sales
presentations.
KNOW THE CODE
• Make sure any communications about our products
and services are current, accurate, complete, and
honest.
37
Human Rights
Yahoo supports the idea that our users, wherever located,
should enjoy fundamental rights to free expression and
that those rights are essential to human dignity. We are
committed to doing our utmost to help protect those
rights through thoughtful, responsible business decisions
and processes, and rigorous application of the laws that
protect those rights. If you become aware of government
actions that you believe may conflict with our support of
these fundamental rights, email the Business & Human
Rights Program at HumanRights@yahoo-inc.com.
KNOW THE CODE
• Speak up if you become aware of government
actions that may conflict with our fundamental right
to free expression.
• If you are asked by any government official
to provide information about a Yahoo user or
subscriber, please contact the Legal Department
(http://twiki.corp.yahoo.com/view/LegalDepartment/
WebHome), Mission Control, or the ECO immediately
and before taking action.
38
Child Protection
Yahoo’s commitment to fostering a safe online
environment for users of all ages begins with our own
products and services. Yahoo works to prevent people
from misusing our services to harm children. We have
demonstrated our commitment to child safety by focusing
our efforts on four key areas:
KNOW THE CODE
• Immediately escalate any incidents involving
suspected child pornography or child sexual
exploitation to Customer Care and the Legal
Department.
(1) uilding safer online spaces by educating users and
B
providing user empowerment tools;
(2) eveloping tools and policies for reporting child
D
protection issues;
(3) eveloping processes for detecting and deterring child
D
pornography; and
(4) artnering with law enforcement, child advocacy
P
groups, and our industry peers.
In addition to our proactive efforts, in many jurisdictions
we also have legal requirements to report instances of child
pornography to designated government or child protection
agencies.
39
Q&A
Q: I’ve seen some activities in my office that may be
Q: A friend of mine is running for political office, and
A: No. Every Yahoo is responsible for taking action when
A: No. Your personal support is your personal business.
creating an environmental hazard, but I don’t want
to get involved. Is that okay?
I would like to help her out with her campaign. Is
there a problem with this?
aware of potential violations of our Code of Ethics.
This includes reporting environmental hazards or any
unsafe working conditions.
Just make sure you do not use Yahoo assets –
including Yahoo company time or the Yahoo name –
to advance the campaign.
If
you’re located in a country that does not permit
your employer to require you to report concerns,
you are encouraged – but not required – to speak up.
Anyone who reports a violation will be treated with
dignity and respect and will not be subjected to any
form of discipline or retaliation for reporting truthfully
and in good faith.
40
Q&A
Q: What should I do if I think I see a violation of a
Q: I got assigned to fix a bug related to a user’s
account, and in the course of trying to fix the
problem, I came across some troubling pictures in
the user’s account. The pictures were pornographic,
and the people in the images looked like young
teenagers. Do I need to do anything about this?
Yahoo user’s online rights to privacy or freedom of
expression?
A:
Yahoo has established its Business & Human Rights
Program (http://ycorpblog.com/2008/05/07/
business-and-human-rights/) to address issues
regarding freedom of expression and privacy around
the world. If you think you see a violation of a Yahoo
user’s rights to privacy or freedom of expression
resulting from an action or demand by a government
on Yahoo, or a Yahoo partner or vendor, send an
email describing your concern to HumanRights@
yahoo-inc.com. In particular, please contact this
address if the issue appears to involve improper
disclosure by Yahoo (or a partner or vendor) of
Yahoo user data to a government, or restrictions by
Yahoo (or a partner or vendor) on political or
religious speech resulting from government action or
demand on Yahoo (or a partner or vendor).
A: Yes. The images described may be illegal child
pornography images. Federal law prohibits the
possession, solicitation, or distribution of such child
pornography images, which are defined as images
of minors (under the age of 18) engaged in sexually
explicit conduct or posing in a lewd and lascivious
manner. Yahoo is required by law to take action
on apparent instances of child pornography on our
network, so you should immediately report the Yahoo
user to swat-priority@cc.yahoo-inc.com. In your
email, please provide the Yahoo user ID as well as the
property in which you discovered the offending
images (e.g., Mail, Flickr, Groups). DO NOT attach the
offending images to the email, however. If you have
additional questions or concerns, you should contact
the Legal Department and/or your HR Business
Partner.
41
Our
Responsibility
Our work
environment
encourages
people to
raise concerns
without fear.
42
Seeking Guidance
Reporting Violations
Yahoo’s Code of Ethics provides an overview of Yahoo’s
commitment to acting with integrity and high standards in
all business practices. It does not provide definitive answers
to all questions. Even in the absence of a specific company
policy or law to guide you in a particular situation, you
are expected to act with the highest degree of integrity
applicable to the situation. If you have questions regarding
any of the content discussed in this Code or if you are
in doubt about the best course of action in a particular
situation, please seek guidance from the ECO.
If you know of or suspect a violation of applicable laws or
regulations, this Code of Ethics, or Yahoo’s related
policies, you have an obligation to immediately report it
to your manager, the Legal Department, or the ECO.
Yahoo employees located in countries that prohibit
requiring employees to make such reports are
encouraged to report such violations but are not required
to.
Any Yahoo who reports a violation will be treated with
dignity and respect and will not be subjected to any form
of discipline or retaliation for reporting truthfully and in
good faith.
The ECO administers and oversees the Code and is
dedicated to providing Yahoos the support and advice they
need to act according to our ethical principles. Its staff acts
as a resource, providing training materials, communications,
and guidance on matters related to our Code and the
integrity of our company. They are always available to listen
to your concerns and suggest approaches for resolving
ethical issues you may face on the job.
Retaliation against anyone who provides information
or otherwise assists in an investigation or proceeding
regarding any conduct that the individual believes in
good faith constitutes a violation of applicable laws or
regulations, this Code of Ethics, or Yahoo’s related policies
is prohibited and will, in itself, be treated as a violation of
this Code of Ethics.
43
Tools and Resources
IntegrityLine
It is important that you do not attempt to investigate
a known or suspected violation on your own.
You may use the 24-hour IntegrityLine or the Online Ethics
Reporting Tool to seek guidance anonymously or to report
violations of applicable laws and regulations, this Code of
Ethics, or Yahoo’s related policies.*
Yahoo has a variety of tools that allow you to seek
guidance and report known or suspected violations.
Use the one you are most comfortable with:
Phone: 1-888-47-Yahoo (1-888-479-2466)
ECO
Website: integrityline.yahoo.com
To ask questions or to report suspected violations,
you may contact the ECO.
*Note: Certain countries in which Yahoo does business
prohibit any requirement to speak up and many do not
allow concerns to be reported anonymously – for more
information about reporting procedures in the country
where you work, check the ECO website on Backyard.
Phone: 408-349-3059
Email: eco@yahoo-inc.com
Website: http://backyard2.yahoo.com/eco/index.htm
Mail:
Yahoo Inc.
Attention: Compliance Officer
701 First Avenue
Sunnyvale, California 94089
44
Tools and Resources
The Legal Department
Investigations of Suspected Violations and Data
Protection
Yahoos are encouraged to refer to the following website for
contact information about the Legal Department that has
jurisdiction over your office: http://twiki.corp.yahoo.com/
view/LegalDepartment/WebHome.
All reported violations of company policy will be promptly
investigated and treated confidentially to the extent
reasonably possible.
All Yahoos have a duty to cooperate fully with
investigations and to promptly, completely, and truthfully
comply with all requests for information, interviews, or
documents. In the case of an investigation by people or
agencies outside Yahoo, such compliance must be under
the direction of the ECO or the Legal Department.
Audit Committee
You have the right to contact the Audit Committee of the
Board of Directors about concerns regarding financial
impropriety within the company. The Audit Committee has
procedures to receive and address such information.
Due to certain requirements under data protection laws
in Europe, Yahoo may be obligated to inform the subject
of a reported violation that the report was filed, and how
the subject may exercise his or her right to access and
correct the information regarding the allegation. But this
right to access information does not entitle the subject of
the allegation to information identifying the person who
reported the allegation.
Email: CorporateSecretary@yahoo-inc.com
Mail:
Yahoo Board of Directors Audit Committee
c/o Corporate Secretary
701 First Avenue
Sunnyvale, California 94089
You must not alter or destroy documents or records in
response to an internal or external investigation or
other legal request. Yahoo records and documents
45
Tools and Resources
Discipline for Violations
are to be retained and destroyed only in accordance with
Yahoo record-retention policies, and never when they
are the subject of an investigation or legal request or
process. When in doubt about the appropriateness of
destroying a record or document, contact the Legal
Department.
Collection of personal data by the ECO or its outside
service providers may involve transferring data outside
an employee’s country of origin. Such collection and
transfer of the data will be done in compliance with
Yahoo’s Privacy Policy and security policies and relevant
data protection laws.
Our Code will be enforced fairly and without prejudice at
all levels. Subject to applicable law, Yahoos who violate
the Code and/or other Yahoo policies and procedures
may be subject to disciplinary action up to and including
termination of employment and, if warranted, civil legal
action or referral for criminal prosecution. In addition,
subject to applicable law, disciplinary action up to and
including termination of employment may be taken
against anyone who directs or approves infractions or has
knowledge of them and does not promptly report them
in accordance with our policies.
46
Tools and Resources
Waivers of the Code
Treatment of Complaints and Retention of Records
Regarding Accounting Issues
Yahoo will waive application of the policies set forth in this
Code only where circumstances warrant granting a waiver
based on the best interests of Yahoo and its stockholders.
Other than board members, any waiver must be approved
by the Chief Compliance Officer and by the Chief Executive
Officer. Waivers of the Code for directors and executive
officers may be made only by those members of the Board
of Directors not involved in the possible waiver and must
be promptly disclosed as required by law or regulation.
The Chief Compliance Officer, in conjunction with the
company’s Vice President of Internal Audit, will forward,
as appropriate, complaints and concerns regarding
accounting issues to the Audit Committee of the Board of
Directors. These concerns and complaints will be promptly
investigated. The Chief Compliance Officer will provide
periodic reports, as appropriate, to the Audit Committee
regarding concerns or complaints relating to
accounting issues. Yahoo will retain, in accordance with
its records-retention policy and applicable law, copies
of all reports, investigative reports, summaries of reports,
and other documents relating to complaints and
concerns regarding accounting issues.
47
A Message from Yahoo’s Board of Directors
Dear Fellow Yahoos,
We are proud of Yahoo’s heritage of integrity and its insistence on high ethical standards. We are committed to preserving
this legacy by ensuring that the company is governed according to this Code of Ethics. We support Yahoo’s Code of
Ethics and comply with the Code in our actions on Yahoo’s behalf. In addition:
• ny review and disposition of a possible conflict of interest involving a board member or executive officer will be
A
determined by the Audit Committee. Prior to accepting any invitation to serve as a director or trustee of any outside entity,
executive officers and board members must advise the ECO and the Audit Committee in writing so that they may evaluate
any potential conflicts of interest.
• Any review and disposition of a possible waiver of the Code of Ethics involving a board member or an executive officer
of Yahoo will be determined by those board members who are not involved in the possible waiver. Waivers will be
granted only upon a written determination of the Board of Directors that the waiver is in the best interests of Yahoo and
its stockholders and will be disclosed as required by applicable law.
We are proud that Yahoo has consistently maintained a strong focus on integrity throughout its history and we are
committed to ensuring that it continues to do so. This focus is an integral element of our strategy to meet the challenges
facing the company and make certain that we meet the high expectations of our stockholders, employees, business
partners, and other stakeholders in Yahoo’s success.
The Board of Directors
48
09.11
701 First Avenue
Sunnyvale, California 94089
EXHIBIT E
An Important Message to Yahoo Users on Security
September 22, 2016 02:28 PM Eastern Daylight Time
SUNNYVALE, Calif.(BUSINESS WIRE)A recent investigation by Yahoo! Inc. (NASDAQ:YHOO) has confirmed that a
copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a
statesponsored actor. The account information may have included names, email addresses, telephone numbers, dates
of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security
questions and answers. The ongoing investigation suggests that stolen information did not include unprotected
passwords, payment card data, or bank account information; payment card data and bank account information are not
stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes
that information associated with at least 500 million user accounts was stolen and the investigation has found no
evidence that the statesponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement
on this matter.
Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include
invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking
potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their
passwords since 2014 do so.
Yahoo encourages users to review their online accounts for suspicious activity and to change their password and
security questions and answers for any other accounts on which they use the same or similar information used for their
Yahoo account. The company further recommends that users avoid clicking on links or downloading attachments from
suspicious emails and that they be cautious of unsolicited communications that ask for personal information.
Additionally, Yahoo asks users to consider using Yahoo Account Key, a simple authentication tool that eliminates the
need to use a password altogether.
Online intrusions and thefts by statesponsored actors have become increasingly common across the technology
industry. Yahoo and other companies have launched programs to detect and notify users when a company strongly
suspects that a statesponsored actor has targeted an account. Since the inception of Yahoo’s program in December
2015, independent of the recent investigation, approximately 10,000 users have received such a notice.
Additional information will be available on the Yahoo Security Issue FAQs page, https://yahoo.com/securityupdate,
beginning at 11:30 am Pacific Daylight Time (PDT) on September 22, 2016.
About Yahoo
Yahoo is a guide to digital information discovery, focused on informing, connecting, and entertaining through its search,
communications, and digital content products. By creating highly personalized experiences, Yahoo helps users discover
the information that matters most to them around the world on mobile or desktop. Yahoo connects advertisers with
target audiences through a streamlined advertising technology stack that combines the power of Yahoo's data, content,
and technology. Yahoo is headquartered in Sunnyvale, California, and has offices located throughout the Americas, Asia
Pacific (APAC) and the Europe, Middle East and Africa (EMEA) regions. For more information, visit the pressroom
(pressroom.yahoo.net) or the Company's blog (yahoo.tumblr.com).
Statements in this press release regarding the findings of Yahoo’s ongoing investigation involve potential risks and
uncertainties. The final conclusions of the investigation may differ from the findings to date due to various factors
including, but not limited to, the discovery of new or additional information and other developments that may arise during
the course of the investigation. More information about potential risks and uncertainties of security breaches that could
affect the Company's business and financial results is included under the caption “Risk Factors” in the Company’s
Quarterly Report on Form 10Q for the quarter ended June 30, 2016, which is on file with the SEC and available on the
SEC's website at www.sec.gov.
Yahoo!, the Yahoo family of marks, and the associated logos are trademarks and/or registered trademarks of Yahoo! Inc.
Other names are trademarks and/or registered trademarks of their respective owners.
Contacts
Yahoo
Suzanne Philion, +1 4083494040
sphilion@yahooinc.com
EXHIBIT F
12/21/2016
⌂ Home
Yahoo Security Notice December 14, 2016 | Yahoo Help SLN27925
Mail
Search
News
Sports
Finance
Celebrity
Weather
Search Help
Answers
Flickr
Search Web
Mobile
More ⋁
👤
ign in
S
✉
ail
M
Back to Help Central
Yahoo Security Notice December 14,
2016
Yahoo has identified data security issues concerning certain Yahoo user
accounts. Yahoo has taken steps to secure user accounts and is working
closely with law enforcement.
Below are FAQs containing details about these issues and steps users can
take to help protect their accounts.
For information about the data security issue the company disclosed on
September 22, 2016, click here.
What happened?
Law enforcement provided Yahoo in November 2016 with data files that a
third party claimed was Yahoo user data. We analyzed this data with the
assistance of outside forensic experts and found that it appears to be Yahoo
user data. Based on further analysis of this data by the forensic experts, we
believe an unauthorized third party, in August 2013, stole data associated
with more than one billion user accounts. Yahoo has not been able to identify
the intrusion associated with this theft. We believe this incident is likely
distinct from the incident we disclosed on September 22, 2016. We are
notifying potentially affected users and have taken steps to secure their
accounts, including requiring users to change their passwords. Yahoo has
also invalidated unencrypted security questions and answers so that they
cannot be used to access an account.
Separately, our outside forensic experts have been investigating the creation
of forged cookies that could allow an intruder to access users’ accounts
without a password. Based on the ongoing investigation, the outside forensic
experts have identified user accounts for which they believe forged cookies
were taken or used in 2015 or 2016. The company is notifying the affected
account holders, and has invalidated the forged cookies. We have connected
some of this activity to the same statesponsored actor believed to be
responsible for the data theft we disclosed on September 22, 2016.
Was my account affected by the August 2013 incident?
We are notifying potentially affected users and posting additional information
on our website. Additionally, we are taking steps to secure users’ accounts,
including requiring users to change their passwords. Yahoo has also
invalidated unencrypted security questions and answers so that they cannot
be used to access an account.
https://help.yahoo.com/kb/SLN27925.html
1/6
12/21/2016
⌂ Home
Yahoo Security Notice December 14, 2016 | Yahoo Help SLN27925
Mail
Search
News
Sports
Finance
Celebrity
Was my account affected by the cookie forging activity?
Weather
Search Help
Based on the ongoing investigation, the outside forensic experts have
identified user accounts for which they believe forged cookies were taken or
used in 2015 or 2016. The company is notifying the affected account holders,
and has invalidated the forged cookies.
Answers
Flickr
Search Web
Mobile
More ⋁
👤
ign in
S
✉
ail
M
What information was taken in the August 2013 incident?
For potentially affected accounts, the stolen user account information may
have included names, email addresses, telephone numbers, dates of birth,
hashed passwords (using MD5) and, in some cases, encrypted or
unencrypted security questions and answers. The investigation indicates that
the stolen information did not include passwords in clear text, payment card
data, or bank account information. Payment card data and bank account
information are not stored in the system the company believes was affected.
What is a "hashed" password?
Hashing is a oneway mathematical function that converts an original string of
data into a seemingly random string of characters. As such, passwords that
have been hashed can’t be reversed into the original plain text password. At
the time of the August 2013 incident, we used MD5 to hash passwords. We
began upgrading our password protection to bcrypt in the summer of 2013.
Bcrypt is a password hashing mechanism that incorporates security features,
including salting and multiple rounds of computation, to provide advanced
protection against password cracking.
What information was affected by the cookie forging activity?
Forged cookies could allow an intruder to access users’ accounts without a
password. Based on an ongoing Yahoo investigation, we believe an
unauthorized third party accessed our proprietary code to learn how to forge
cookies. The outside forensic experts have identified user accounts for which
they believe forged cookies were taken or used. The company is notifying the
affected account holders, and has invalidated the forged cookies.
What is a “cookie”?
A cookie is a small piece of information stored on a computer for the purpose
of identifying a web browser during interaction on websites. Websites use
cookies to remember and recognize details about visitors, such as website
preferences. Click here for more information on Yahoo practices regarding
cookies and similar technologies.
Are these incidents related to the data theft that Yahoo announced on
September 22, 2016?
We believe that the August 2013 incident is likely distinct from the incident we
disclosed on September 22, 2016.
We have connected some of the cookie forging activity to the same state
sponsored actor believed to be responsible for the data theft we disclosed on
https://help.yahoo.com/kb/SLN27925.html
2/6
12/21/2016
Yahoo Security Notice December 14, 2016 | Yahoo Help SLN27925
⌂ Home
Mail
Search
News
Sports
Finance
Celebrity
Weather
September 22, 2016. Those users targeted by the statesponsored actor
were sent an additional notification like the one found here.
Search Help
Answers
Flickr
Search Web
Mobile
More ⋁
👤
ign in
S
✉
ail
M
I think I received one or more emails about this issue. How do I know
they're really from Yahoo?
Click here to view the content of our notice to affected users. Please note that
the emails from Yahoo about this issue will display the Yahoo icon when
viewed through the Yahoo website or Yahoo Mail app. Importantly, the emails
do not ask you to click on any links or contain attachments and does not
request your personal information. If an email you received about these
issues prompts you to click on any links, download an attachment, or asks
you for information, the email was not sent by Yahoo and may be an attempt
to steal your personal information. Avoid clicking on links or downloading
attachments from such suspicious emails.
What is Yahoo doing to protect my account?
We have taken action to protect our users, including:
We are requiring potentially affected users to change their passwords.
We invalidated unencrypted security questions and answers so that they
cannot be used to access an account.
We invalidated the forged cookies and hardened our systems to secure them
against similar attacks.
We continuously enhance our safeguards and systems that detect and
prevent unauthorized access to user accounts.
How do I change my password or disable security questions and
answers?
You can change your Yahoo password or security questions and answers by
clicking here. We are requiring potentially affected users to change their
passwords, and we have invalidated unencrypted security questions and
answers so that they cannot be used to access an account.
Is there anything I can do to protect myself?
We encourage all of our users to follow these security recommendations:
Change your password and security questions and answers for any other
accounts on which you use the same or similar information used for your
Yahoo Account.
Review all of your accounts for suspicious activity.
Be cautious of any unsolicited communications that ask for your personal
information or refer you to a web page asking for personal information.
Avoid clicking on links or downloading attachments from suspicious emails.
Additionally, please consider using Yahoo’s Account Key, a simple
authentication tool that eliminates the need to use a password on Yahoo
altogether.
What additional steps can I take to protect my information?
https://help.yahoo.com/kb/SLN27925.html
3/6
12/21/2016
Yahoo Security Notice December 14, 2016 | Yahoo Help SLN27925
⌂ Home
Mail
Search
News
Sports
Finance
Celebrity
Weather
Although the affected account information did not include passwords in clear
text, payment card data, or bank account information, we encourage you to
Search Help
remain vigilant by reviewing your account statements and monitoring your
credit reports. Below is contact information for the three nationwide consumer
reporting agencies from which you can obtain a credit report.
Equifax
Equifax Credit
Information
Services, Inc.
P.O. Box 740241
Atlanta, GA 30374
1800
525
6285
Experian Inc.
P.O. Box 9554
Allen, TX 75013
1888
397
3742
TransUnion
1800
680
7289
Search Web
Mobile
More ⋁
👤
ign in
S
✉
ail
M
www.experian.com
TransUnion LLC
P.O. Box 2000
Chester, PA
190222000
Flickr
www.equifax.com
Experian
Answers
www.transunion.com
To protect yourself from possible identity theft, consider placing a fraud alert
on your credit file. You also may wish to place a “security freeze” (also known
as a “credit freeze”) on your credit file. A security freeze is designed to
prevent potential creditors from accessing your credit file at the consumer
reporting agencies without your consent. There may be fees for placing,
lifting, and/or removing a security freeze, which generally range from $5$20
per action. Unlike a fraud alert, you must place a security freeze on your
credit file at each consumer reporting agency individually. For more
information on security freezes, you may contact the three nationwide
consumer reporting agencies or the FTC as described above. As the
instructions for establishing a security freeze differ from state to state, please
contact the three consumer reporting agencies to find out more information.
The consumer reporting agencies may require proper identification prior to
honoring your request. For example, you may be asked to provide:
Your full name with middle initial and generation (such as Jr., Sr., II, III)
Your Social Security number
Your date of birth
Addresses where you have lived over the past five years
A legible copy of a governmentissued identification card (such as a state
driver’s license or military ID card)
Proof of your current residential address (such as a current utility bill or
account statement)
You have the right to obtain a police report and request a security freeze as
described above. The consumer reporting agencies may charge you a fee of
up to $10 to place a security freeze on your account, and may require that
you provide certain personal information (such as your name, Social Security
number, date of birth, and address) and proper identification (such as a copy
of a governmentissued ID card and a bill or statement) prior to honoring your
request for a security freeze. There is no charge, however, to place, lift or
remove a security freeze if you have been a victim of identity theft and you
provide the consumer reporting agencies with a valid police report.
https://help.yahoo.com/kb/SLN27925.html
4/6
12/21/2016
Yahoo Security Notice December 14, 2016 | Yahoo Help SLN27925
⌂ Home
Mail
Search
News
Sports
Finance
Celebrity
Weather
For U.S. residents, you can contact the FTC to learn more about protecting your
personal information. The contact information for the FTC is below:
Search Help
Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
1877IDTHEFT (4384338)
www.ftc.gov/idtheft/
For Rhode Island residents, you may obtain information about protecting your
personal information from the Rhode Island Office of the Attorney General at:
Rhode Island Office of the Attorney General
Consumer Protection Unit
150 South Main Street
Providence, RI 02903
(401)2744400
Answers
Flickr
Search Web
Mobile
More ⋁
👤
ign in
S
✉
ail
M
Are Tumblr accounts affected?
No. The systems from which the data was stolen in August 2013 contained
no Tumblr user data at the time of the theft. Additionally, Yahoo has no
indication that the forged cookies were used to access Tumblr accounts.
How can I get help with my account?
If you need further information or assistance with your account, please visit
https://help.yahoo.com, where you will find the latest information and may be
able to access direct customer support. DO NOT ENGAGE with any support
service other than those provided by Yahoo, particularly support service
providers that charge a fee for their service. Yahoo does not charge for
support service for its accounts. Please note that Yahoo channels all support
through https://help.yahoo.com.
Was this article helpful?
Yes
No
https://help.yahoo.com/kb/SLN27925.html
Privacy
Terms
5/6
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?