Five Things You (and Your M&A Diligence Team) Should Know

Recently it was announced that Verizon would pay $350 million less than it had been prepared to pay previously for Yahoo as a result of data breaches that affected over 1.5 billion users, pending Yahoo shareholder approval. Verizon Chief Executive Lowell McAdam led the negotiations for the price reduction.  Yahoo took two years, until September of 2016, to disclose a 2014 data breach that Yahoo has said affected at least 500 million users, while Verizon Communications was in the process of acquiring Yahoo.  In December of 2016, Yahoo further disclosed that it had recently discovered a breach of around 1 billion Yahoo user accounts that likely took place in 2013.

While some may be thinking that the $350 million price reduction has effectively settled the matter, unfortunately, this is far from the case. These data breaches will likely continue to cost both Verizon and Yahoo for years to come. Merger and acquisition events that are complicated by pre-existing data breaches will likely face at least four categories of ongoing liabilities. The cost of each of these events will be difficult to estimate during the deal process, even if the breach event is disclosed during initial diligence.


The Securities and Exchange Commission (SEC) is investigating whether Yahoo! should have reported the two massive data breaches it experienced earlier to investors, according to individuals with knowledge. The SEC will probably question Yahoo as to why it took two years, until September of 2016, to disclose a 2014 data breach that Yahoo has said affected at least 500 million users. The September 2016 disclosure came to light while Verizon Communications was in the process of acquiring Yahoo. As of now, Yahoo has not publicly confirmed the reason for the two-year gap. In December of 2016, Yahoo also disclosed that it had recently discovered a breach of around 1 billion Yahoo user accounts. As Yahoo appears to have disclosed that breach near in time to its discovery, commentators believe that the SEC is less likely to be concerned with it.

After a company discovers that it has experienced an adverse cyber incident, it faces a potentially Faustian choice: attempt to remediate the issue quietly and avoid reputational harm, or disclose it publicly in a way that complies with SEC guidance, knowing that public knowledge could reduce public confidence in the company’s business and could even prove to be the impetus for additional litigation.

Part of the issue may be that while the SEC has various mechanisms to compel publicly traded companies to disclose relevant adverse cyber events, including its 2011 guidance, exactly what and when companies are required to disclose has been seen as vague. Commentators have argued that companies may have a legitimate interest in delaying disclosure of significant adverse cyber incidents to give law enforcement and cybersecurity personnel a chance to investigate, and that disclosing too soon would hamper those efforts, putting affected individuals at more risk.

Even so, many see the two-year gap between Yahoo’s 2014 breach and its September 2016 disclosure as a potential vehicle for the SEC to clarify its guidance, due to the unusually long time period and large number of compromised accounts. As a result of its investigation, it is possible that the SEC could release further direction for companies as to what constitutes justifiable reasons for delaying disclosure, as well as acceptable periods of delay. As cybersecurity is one of the SEC’s 2017 Examination Priorities, at a minimum, companies should expect the SEC to increase enforcement of its existing cybersecurity guidance and corresponding mechanisms. Whatever the SEC decides during its investigation of Yahoo, implementing a comprehensive Cybersecurity Risk Management program will help keep companies out of this quagmire to begin with.

If you have any questions regarding compliance with SEC cyber incident guidance, please do not hesitate to contact the team at Mintz Levin.

Verizon Wireless has reached a settlement with the Federal Communications Commission over Verizon’s insertion of unique identifier headers (“UIDH”), also known as “supercookies,” to track customers’ mobile Internet traffic without their knowledge or consent. Verizon inserted UIDH into customers’ web traffic and associated the UIDH with customer proprietary information to create profiles and deliver targeted ads. In at least one instance, a Verizon advertising partner overrode customers’ privacy choices by using the UIDH to restore cookies the customer had deleted. For over two years Verizon Wireless did not disclose its use of UIDH in its privacy policies or offer consumers the opportunity to opt out of the insertion of UIDH into their Internet traffic.


Another busy week in the privacy/security world.  We have some bits and bytes to start your week:

Verizon 2014 Data Breach Investigation Report – Something Old, Something New

Verizon is out with its 2014 edition of the comprehensive Data Breach Investigation Report (DBIR). You can get your copy here for your reading pleasure, or heartburn. Retailers should take particular note of this report. “(2013) may be tagged as the ‘year of the retailer breach,’ but a more comprehensive assessment of the InfoSec risk environment shows it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems,” according to the report. Random-access memory (RAM) scraping, a technique that was thought to be past its sell-by date, appears to have increased with alarming intensity. Retail point-of-sale (POS) systems can be compromised through weak or nonexistent passwords, allowing criminals to insert malware that will sit on a POS and collect card numbers. The bad guys grab the numbers from the RAM and dump them into a file, then return and pick them up at a later date. New PCI DSS rules take effect in July that will shift the liability from banks and card issuers to the retailers. Time to review the security of your systems.

State Legislation Roundup

We recently updated our Mintz Matrix to include Kentucky as the 47th state to enact a data breach notification law, and to account for Iowa’s amendment requiring notice to the state’s Attorney General. We will likely need to make further updates as the state legislative calendars wind on. Minnesota is debating expansive amendments to its data breach notification law, described in our post here. A very expansive amendment to Florida’s data breach notification law is sitting on the Governor’s desk awaiting signature. SB 1524, the Florida Information Act, will repeal the existing data breach notification law and replace it with a law that expands the definition of personal information (to include medical information, health insurance information, user names and e-mail addresses), reduces the notification period from 45 days to 30 days, additionally requires notification to the Attorney General’s office, and clarifies that if a vendor notifies individuals on a company’s behalf, the company is deemed to have violated the law where the vendor fails to provide proper notice. The Act adds civil penalties for violations not exceeding $500,000: $1,000 for each day up to the first 30 days and $50,000 for each subsequent 30-day period up to 180 days. If the violation continues more than 180 days, the penalty shall not exceed $500,000. In the absence of Congressional action after the 2013 Target, Michaels, Neiman Marcus, et al. breaches, the states are continuing to lead the way.

Canadian Anti-Spam Law (CASL) Compliance Deadline is Approaching

At last week’s IAPP Canada Privacy Symposium, Canadian regulators held a jam-packed session on the new anti-spam legislation coming north of the border on July 1. The basic message was: this is our last warning, and the compliance onus is on you. Warning to US marketers: CASL applies to any commercial email message sent to a Canadian email address. It need not be “spam.” If you are not preparing your compliance program and sorting your mailing lists, there is a maximum penalty of $10 million waiting.