This week’s disclosure that a 2013 data breach may have affected all 3 billion Yahoo accounts then in existence could alter the scope of the consolidated data breach cases currently pending against Yahoo in the federal court in San Francisco. In the wake of the court’s August 30 order denying Yahoo’s motion to dismiss the case, the parties have been in the process of negotiating a schedule for discovery and motion practice. The parties had been due to make their joint scheduling submission to the Court today. However, just last night, Judge Lucy Koh issued an order postponing the submission deadline in order to allow the parties to address the impact of Yahoo’s recent disclosure. The court ordered Yahoo to “disclose to Plaintiffs available information regarding the recent data breach disclosure by October 6, 2017, so that the Joint Case Management Statement can propose a realistic amended case schedule.” The court also directed that Yahoo “expedite its production of discovery regarding the recent data breach disclosure and include a proposal to do so” in the parties’ joint scheduling submission, which is now due to be submitted on October 11, 2017.
Five Things You (and Your M&A Diligence Team) Should Know
Recently it was announced that Verizon would pay $350 million less than it had been prepared to pay previously for Yahoo as a result of data breaches that affected over 1.5 billion users, pending Yahoo shareholder approval. Verizon Chief Executive Lowell McAdam led the negotiations for the price reduction. Yahoo took two years, until September of 2016, to disclose a 2014 data breach that Yahoo has said affected at least 500 million users, while Verizon Communications was in the process of acquiring Yahoo. In December of 2016, Yahoo further disclosed that it had recently discovered a breach of around 1 billion Yahoo user accounts that likely took place in 2013.
While some may be thinking that the $350 million price reduction has effectively settled the matter, unfortunately, this is far from the case. These data breaches will likely continue to cost both Verizon and Yahoo for years to come. Merger and acquisition events that are complicated by pre-existing data breaches will likely face at least four categories of on-going liabilities. The cost of each of these events will be difficult to estimate during the deal process, even if the breach event is disclosed during initial diligence.
The Securities and Exchange Commission (SEC) is investigating whether Yahoo! should have reported the two massive data breaches it experienced earlier to investors, according to individuals with knowledge. The SEC will probably question Yahoo as to why it took two years, until September of 2016, to disclose a 2014 data breach that Yahoo has said affected at least 500 million users. The September 2016 disclosure came to light while Verizon Communications was in the process of acquiring Yahoo. As of now, Yahoo has not confirmed publically the reason for the two year gap. In December of 2016, Yahoo also disclosed that it had recently discovered a breach of around 1 billion Yahoo user accounts. As Yahoo appears to have disclosed that breach near in time to discovery, commentators believe that it is less likely that the SEC will be less concerned with it.
After a company discovers that it has experienced an adverse cyber incidents, it faces a potentially Faustian choice: attempt to remediate the issue quietly and avoid reputational harm, or disclose it publically in a way that complies with SEC guidance, knowing that public knowledge could reduce public confidence in the company’s business and could even prove to be the impetus for additional litigation.
Part of the issue may be that while the SEC has various different mechanisms to compel publically traded companies to disclose relevant adverse cyber events, including its 2011 guidance, exactly what and when companies are required to disclose has been seen as vague. Commentators have argued that companies may have a legitimate interest in delaying disclosure of significant adverse cyber incidents to give law enforcement and cyber security personnel a chance to investigate, and that disclosing too soon would hamper those efforts, putting affected individuals at more risk.
Even so, many see the two year gap period between Yahoo’s 2014 breach and its September 2016 disclosure as a potential vehicle for the SEC to clarify its guidance, due to the unusually long time period and large number of compromised accounts. As a result of its investigation, it is possible that the SEC could release further direction for companies as to what constitutes justifiable reasons for delaying disclosure, as well as acceptable periods of delay. As cybersecurity is one of the SEC’s 2017 Examination Priorities, at a minimum, companies should expect the SEC to increase enforcement of its existing cybersecurity guidance and corresponding mechanisms. Whatever the SEC decides during its investigation of Yahoo, implementing a comprehensive Cybersecurity Risk Management program will help keep companies out of this quagmire to begin with.
If you have any questions regarding compliance with SEC cyber incident guidance, please do not hesitate to contact the team at Mintz Levin.