Cybersecurity: What Can We Learn From the Yahoo Data Breach?

Yahoo Breach Offers Two Important Cybersecurity Lessons

Yahoo Inc.’s cybersecurity woes continue to offer lessons for New York and New Jersey businesses. The company’s 2014 security breach, which impacted more than 500 million accounts, lowered the value of the company in its acquisition by Verizon and recently resulted in the resignation of the company’s top lawyer.

Liability of Top Executives for Cyber Breaches

Last fall, Yahoo disclosed that hackers stole the personal data of more than 500 million users, including their names, email addresses, dates of birth, telephone numbers, and encrypted passwords. Another breach in 2013 affected more than one billion accounts. Of course, the first question many asked was, “Why are we just learning about this now?”

In addition to facing class-action lawsuits, Yahoo is under investigation by the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC). The company also launched its own investigation into how the company handled the data breach. Yahoo ultimately concluded that senior executives were aware of the attacks, but failed to “properly comprehend or investigate” the cyber intrusion. The board subsequently ordered the company to overhaul its cybersecurity program.

CEO Marissa Mayer acknowledged that she shares some of the blame and agreed to forfeit some of her annual compensation. In a recent blog post, she wrote: “I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.” Yahoo’s general counsel is also being held accountable for the data security lapses. He resigned and will not receive any severance pay.

As highlighted by the recent fallout at Yahoo, boards are starting to hold senior executives accountable for data breaches, particularly if they could have been easily prevented or if the response is mismanaged. Executives left holding the bag may not only lose part of their paychecks, but also their jobs.

Cybersecurity’s Role in M&A Transactions

Verizon reduced Yahoo’s acquisition value by $350 million in the wake the significant cyberattacks. The price reduction reflects that data breaches can significantly impact a company’s reputation and lead to significant legal liability. Cybersecurity incidents can also lead to public disclosure of valuable trade secrets and other proprietary information. Accordingly, when contemplating a merger or acquisition, companies in all industries are making cybersecurity a more important part of the due diligence process.

Prior to closing a M&A transaction, buyers should review any past data breaches and other cybersecurity incidents. It is important to evaluate not only why the breach occurred, but also how prepared the company was prepared to respond. While cyber breaches have become commonplace, having robust policies and procedures in place can often go a long way in limiting the potential damages.

In structuring a M&A transaction, the parties should also address how liability for breaches will be apportioned. In the Yahoo-Verizon deal, the two companies have agreed to “share certain legal and regulatory liabilities arising from … data breaches incurred by Yahoo.” According to a recent press statement, Yahoo will be responsible for 50 percent of all cash liabilities incurred after the closing related to non-SEC government investigations and third-party litigation. Meanwhile, Yahoo will be solely responsible for all liabilities from shareholder lawsuits and SEC investigations.