[BreachExchange] Data Breaches Will Cost Yahoo and Verizon Long After Sale

Mon Feb 27 18:33:43 EST 2017

http://www.lexology.com/library/detail.aspx?g=227fa8bf-d121-4922-98b4-
d6cafda8e5e9

Five Things You (and Your M&A Diligence Team) Should Know

Recently it was announced that Verizon would pay $350 million less than it
had been prepared to pay previously for Yahoo as a result of data breaches
that affected over 1.5 billion users, pending Yahoo shareholder approval.
Verizon Chief Executive Lowell McAdam led the negotiations for the price
reduction. Yahoo took two years, until September of 2016, to disclose a
2014 data breach that Yahoo has said affected at least 500 million users,
while Verizon Communications was in the process of acquiring Yahoo. In
December of 2016, Yahoo further disclosed that it had recently discovered a
breach of around 1 billion Yahoo user accounts that likely took place in
2013.

While some may be thinking that the $350 million price reduction has
effectively settled the matter, unfortunately, this is far from the case.
These data breaches will likely continue to cost both Verizon and Yahoo for
years to come. Merger and acquisition events that are complicated by
pre-existing data breaches will likely face at least four categories of
on-going liabilities. The cost of each of these events will be difficult to
estimate during the deal process, even if the breach event is disclosed
during initial diligence. First, the breach event will probably render
integration of the systems of the target and acquirer difficult, as the
full extent of the security issues is often difficult to assess and may
evolve through time. According to Verizon executives, Yahoo’s data breaches
created integration issues that had not been previously understood. The
eventual monetary cost of this issue remains unknown.

Second, where the target is subject to the authority of the Security and
Exchange Commission (SEC), an SEC investigation and penalties if
applicable, is likely, along with related shareholder lawsuits. As we wrote
previously, The SEC is currently investigating if Yahoo should have
reported the two massive data breaches it experienced earlier to investors,
according to individuals with knowledge. Under the current agreement, Yahoo
will bear sole liability for shareholder lawsuits and any penalties that
result from the SEC investigation.

Third, there will likely be additional private party actions due to the
breach. Exactly what these liabilities will be will depend on the data
subject to exfiltration as a result of the breach. In Yahoo’s case, Verizon
and Yahoo have agreed to equally share in costs and liabilities created by
lawsuits from customers and partners. Multiple private party lawsuits have
already been filed against Yahoo alleging negligence.

Fourth, other government investigations, such as by the Federal Bureau of
Investigation (FBI), could result in additional costs, both monetary and
reputational. The FBI is currently investing the Yahoo breaches. Verizon
and Yahoo will share the costs of the FBI investigation and other potential
third party investigations.

Fifth, depending on the scope of the breach, there would likely be on-going
remediation costs after the deal closes. According to a knowledgeable
source, as of February 2017, Yahoo had sent notifications to a “mostly
final” list of users, indicating that some remaining remediation activities
may yet occur.

As we have seen, merger and acquisition events involving a target with a
pre-existing data breach issues create difficult to assess costs and
liabilities that will survive the closing of the transaction. While targets
can reduce the risk of such adverse events through enforcing a
comprehensive Cybersecurity Risk Management program, acquirers or targets
facing these issues as part of a transaction should consult experienced
legal counsel and M&A due diligence teams should include data
privacy/security subject matter experts as a matter of course.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170227/fd75f1c7/attachment.html>