Yahoo’s troubles for failing to timely disclose security breaches provides rare insight into quantifying the financial and other costs to a company’s shareholders and leadership when a security breach occurs and is mishandled.

In 2014, more than a billion Yahoo accounts were hacked. Then in 2015 and 2016, more than 500,000 Yahoo user accounts were hacked by the same attacker. In all cases, hackers accessed user emails and sensitive information. However, it is alleged that Yahoo failed to thoroughly investigate the breaches. Yahoo also failed to disclose the breaches until late 2016, when it was in talks to sell the company’s core assets to Verizon.

Yahoo’s executive team denied having knowledge of the breaches prior to the disclosure. However, on March 1, 2017, Yahoo disclosed its independent investigation results and stated that Yahoo’s IT staff had “contemporaneous knowledge” of the 2014, 2015, and 2016 incidents. While finding there was no intent to suppress the breaches, the investigation concluded Yahoo’s IT team and legal staff did not properly comprehend or investigate them.

The SEC was examining whether the breaches were hidden from Yahoo customers and shareholders, but it is not clear whether anything will come of this investigation. Yahoo shareholders demanded that the company claw back a portion of CEO’s Marissa Mayer’s compensation, claiming she had to have known but covered up the breaches to avoid derailing a sale of the struggling company.

Ultimately, in late February 2017, Verizon agreed to move ahead with its purchase, but renegotiated the purchase price down by $350 million to a new price of $4.48 billion. This week, it was also disclosed that senior executives managing Yahoo at the time of the breaches would face consequences. Yahoo’s legal counsel was forced out. CEO Mayer said she voluntarily gave up her 2016 annual cash bonus and 2017 stock award, which together are worth about $14 million.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kathleen Porter Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and…

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.