Cybersecurity and the Yahoo experience – Legal pays the price

If we were to roll the movie back several years, most boards in North America would have listed cybersecurity as low on their list of priorities. Experience has shown, however, that we seriously underestimated the effect a security breach could have on a company’s reputation and fortunes.

Companies have since had to pay out billions of dollars in damages for infiltrations into their information systems. It is believed by some that the electoral results in the United States were skewed and orchestrated by state-sponsored hackers.

At board meetings I have attended recently, cybersecurity is very much on the minds of board members, both in their deliberations as well as in their social conversations.

Yahoo CEO and general counsel

The responsibility of boards and management teams to ensure that their information systems are secure is being brought home most poignantly with what is currently being reported about the company Yahoo.

Yahoo reported two major breaches of user account data by hackers during the second half of 2016. The first announced breach, reported in September 2016, had occurred some time in late 2014 and affected more than 500 million Yahoo user accounts. A separate data breach, occurring earlier around August 2013, was reported in December 2016 and affected more than one billion user accounts. The attacks are the largest known security breaches of one company’s computer network ever.

According to a Form 10-K filed March 1, the company found that an additional 32 million accounts were compromised in 2015 and 2016 through the use of forged cookies. The intrusions allowed hackers acting on behalf of an unnamed foreign state to steal valuable personal information without the use of passwords.

On March 1, Yahoo announced that its CEO, Marissa Mayer, took responsibility for the theft of personal information by voluntarily forgoing her annual bonus and equity award for 2017. She asked that her bonus be redistributed to the company's employees.

The Form 10-K discloses, surprisingly, that an investigation led by an independent committee on Yahoo's board found that the company's information security team had contemporaneous knowledge of the 2014 breach as well as the cookie forging in 2015 and 2016. In other words, there was a multi-year delay on the part of Yahoo’s management team and board in investigating and disclosing the number of attacks and the extent of the potential damage done.

According to the filing, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts, and though Yahoo took certain remedial actions, the committee said senior executives including the legal team "did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the company's information security team." Accordingly, on the same day that the Mayer announcement was made, Yahoo announced that its general counsel and company secretary Ron Bell resigned from the company after more than 15 years at Yahoo and almost five years at the helm of its legal department. Unlike Mayer, however, Bell lost his job and walked away with no severance.

It is interesting that while Bell was not directly responsible for IT security, his failure to ensure a timely and thorough investigation and reporting seems to have warranted his dismissal.

Further Yahoo repercussions

The story since then has continued to unfold.

On March 17, Yahoo announced in another regulatory filing that after Yahoo sells its operating business to Verizon Communications Inc., Mayer will step down as CEO from the holding company that remains. She will leave, however, after receiving a US$23-million severance package. Besides her severance package, Mayer will gain control of stock options valued at $56.8 million, according to the filing. The stock will no doubt help ease the sting of losing out on her 2017 $1-million salary and stock option grant!

Summary

The events at Yahoo suggest that cybersecurity is now a prominent topic in board discussions. Companies are prepared to take strong, visible steps to demonstrate that their customers’ personal information is secure. The Yahoo experience, however, suggests that the laying of responsibility may be uneven. It also seems to suggest that the legal department should play an important oversight role as well as being key to any investigation and reporting. Companies such as Yahoo are signaling that they are prepared to hold the feet of their in-house counsel to the fire for information breaches, up to and including their dismissal, particularly where they fail to act promptly and thoroughly.
