[BreachExchange] Lessons for Boards from Yahoo’s $80 Million Data Breach Settlement

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 22 18:53:01 EDT 2018


https://securityboulevard.com/2018/03/lessons-for-boards-from-yahoos-80-million-shareholder-settlement/


What does it mean for board liability in future data breach litigation?

At the time it was disclosed, the Yahoo! email breach was considered
massive. The personal information of 1.5 billion users was compromised. In
response, lead plaintiff Edward McMahon filed a suit alleging that Yahoo!
Inc. intentionally misled investors and certain directors and officers
about its cybersecurity practices.

In filing the claim, the plaintiffs were certainly taking a risk. During a
2016 interview, principal litigator Michael W. Stocker of Labaton Sucharow
LLP told Forbes Magazine, “The problem for plaintiffs has been that at
least so far, even large breaches have mostly not been accompanied by huge
hits to share prices—undercutting the ability of investors to show harm.”

Fast forward to 2018, and harm we see. Yahoo agreed to settle the
securities class action lawsuit to the tune of $80 million, which should
serve as a wake-up call for boards. Why? It’s the first of its kind—a
milestone shareholder settlement related to a data breach.

Still subject to court approval, the pending agreement will have
implications not just for Yahoo's directors and officers, said Jeff Dennis,
managing partner and cybersecurity practice lead at law firm Newmeyer &
Dillion. Like many others, he had anticipated that the fallout from the
Equifax breach would be the more troubling development for organizations.

Rather, Yahoo’s shareholder settlement suggests that reform is happening
much faster. “The boards are going to be targets,” Dennis said. If there’s
truth to that assumption, there are some critical lessons for boards to
take away from this news.

This major win for the plaintiffs could be a game-changer when it comes to
shareholders suing companies, and it also raises questions about board
liability stemming from data breach litigation in the future.

“If you are trying to figure out legal liability after a breach, it’s too
late,” Dennis said. There are, however, steps boards can take now to reduce
their cyber-risks and legal liabilities, should a breach occur. To start,
the board of directors must accept that it is responsible for the oversight
of the company’s cyber-risk.

Ambivalent About Accountability

Despite the ever-growing number of companies that have made headlines in
the aftermath of a breach, many boards have made little headway with
cybersecurity governance. Perhaps the inability to effectively measure the
overall cost of a breach has given the false impression that they can’t
really be harmed.

How often do people in the industry point to Target as an example of a
breach? Yet, no one can really cite Target’s bottom-line loss in dollars or
damage to brand. The company isn’t closing stores across the globe. Yes,
its name is associated with a major breach that resulted from a compromised
third-party vendor. The breach led to some outcry, but the extent of the
damage is difficult to quantify.

Aside from that, there has been little evidence to motivate boards to get
started on making real changes—until the Yahoo settlement. The settlement
amount—$80 million—is a hefty sum, which makes it much more difficult to
ignore the reality that litigation continues to pick up steam.

Unfortunately, breaches are a part of everyone’s daily lives. While future
cases may not be as attractive, Dennis said the Yahoo settlement has the
potential to embolden plaintiff attorneys to take on these kinds of
shareholder derivative cases.

Proactive Steps Toward Effective Change

Because they are responsible for cyber as part of their duties in
overseeing corporate risk management, boards need to protect themselves.
Dennis suggested the following six steps as a way for them to demonstrate
that they are taking cyber-risk seriously:

1. Do an honest assessment of the company’s cybersecurity posture. Be able
to identify the key assets and determine what is being done, or what needs
to be done to protect those assets.
2. Evaluate the risk by using published standards, such as NIST or
individual state standards, like those published by the state of New York.
3. Establish initiatives. As a board, require regular feedback on the
progress being made. Have a system (such as color coding) for prioritizing
which of those are the highest risk. Identify the ones that need to be
dealt with right now.
4. Make cyber-risk an agenda item at every meeting until the board has a
strong handle on it going forward.
5. Invest in external risk management. Understand the cyber-risk issues
related to contracts with the organization’s vendors and subcontractors.
6. Decide whether cyber-insurance is something worth investing in.