[BreachExchange] 3 Lessons Companies Can Learn from the Data Breaches that Cost Yahoo $350 Million

Wed Apr 5 19:09:54 EDT 2017

http://www.lawfuel.com/lawbriefings/3-lessons-companies-can-learn-data-
breaches-cost-yahoo-350-million/

Yahoo Inc. recently disclosed three massive data breaches, which
compromised the personal information of 1.5 billion users and cost Yahoo
$350 million in its acquisition by Verizon Communications Inc.

Additionally, the company’s general counsel lost his job, the CEO forfeited
her annual bonus, and Yahoo spent $16 million on breach-related expenses in
2016 alone.  Yahoo also faces approximately 43 class action lawsuits and
will remain on the hook for 50% of lawsuit-related liabilities after
closing its deal with Verizon.

Although the news for Yahoo has not been good, Yahoo’s story offers several
lessons from which other companies can learn.

Companies Remain Unprepared to Face Cybersecurity Threats
First, even large sophisticated corporations are unprepared to face modern
cybersecurity threats.  Although technological failures contribute to data
breaches, Yahoo’s situation illustrates the consequences of having senior
management that is ill-prepared to address cybersecurity.   An
investigation by an independent committee of Yahoo’s board of directors
concluded that, at the time of a 2014 breach, “certain senior executives
did not properly comprehend or investigate, and therefore failed to act
sufficiently upon, the full extent of knowledge known internally by the
company’s information security team.”Yahoo, however, is not alone.
According to a recent survey by the National Association of Corporate
Directors (NACD), only 14% of public-company directors reported that their
boards have a high understanding of risks associated with cybersecurity.
This lack of understanding among senior executives contributes to a
disconnect between information technology professionals and corporate
decision-makers, which in Yahoo’s case led to costly errors.

Cybersecurity Due Diligence Plays an Increasing Role in Mergers &
Acquisitions
Second, the news that data breaches jeopardized Verizon’s acquisition of
Yahoo, and ultimately  caused Verizon to cut $350 million from the price it
will pay for Yahoo, underscores the increasing importance of cybersecurity
due diligence during a merger or acquisition.  In a recent Mergermarket
survey of senior executives, 77% of respondents reported walking away from
a deal as a result of data security issues that were discovered in
cybersecurity due diligence.  Executives identified the cost of correcting
existing problems and the occurrence of frequent or recent data breaches as
top concerns, which is not surprising considering that the average data
breach costs a company an estimated $4 million, or approximately $200 per
stolen record.Thus, when considering a merger or acquisition, due diligence
should include a thorough review and analysis of the seller’s privacy and
data security policies, programs, and procedures across all media;
cyberinsurance policies; social media presence; vendor contracts; and
industry-specific compliance obligations.  McNees Attorney Elaine Stanko’s
recent article, Deals and Data:  Cybersecurity M&A Due Diligence, outlines
additional steps companies should take during the due diligence process.
As the Yahoo example shows, cybersecurity due diligence can significantly
affect the outcome of a deal.
The Data Breach:  It’s a Matter of “When,” not “If”
Third, a recent Philadelphia Business Journal article quoted NACD CEO Peter
Gleason as saying that “It’s not a matter of if you’re going to get hacked,
it’s more ‘You’ve already been hacked, and you don’t know it, so what are
you doing about it?’”  Yahoo’s data breaches occurred in 2013 and 2014, yet
the full extent of those breaches was not disclosed until late 2016,
demonstrating that even heavy investment in cybersecurity cannot prevent
data breaches.  Although data breaches are inevitable, proper planning,
timely detection, and a swift response can help organizations mitigate the
fallout and minimize the losses, both financial and reputational.

In summary, Yahoo’s recent data breaches show that companies remain
unprepared to face cybersecurity threats, which are of increasing
importance in mergers and acquisitions.  Recognizing that data breaches are
unavoidable, the attorneys in McNees Wallace & Nurick LLC’s Privacy & Data
Security practice group counsel clients to be “compromise ready” by
proactively planning for data breaches, and assisting clients with their
response when breaches occur.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170405/b478ea71/attachment.html>