Hitting Them Where It Hurts: Yahoo! Shareholder Lawsuit Over Breaches Sets Powerful Precedent
“Cleveland Browns Win Super Bowl LIII” With the Browns coming off a perfect 0-16 season, that headline was just as likely to appear in the news as “Yahoo Shareholders Successfully Sue Former Directors Over Data Breach”. However, earlier this month, the headline claiming victory for Yahoo! shareholders did indeed appear in the New York Times. On January 4th, a court approved a settlement between shareholders of Yahoo! and the former board of directors claiming gross negligence leading up to and after a massive data breach that exposed 3 billion records, nearly half the planet’s population.
Data breaches are nothing new or even noteworthy anymore. The typical lifecycle of a breach follows a basic formula: that the company notifies authorities and the public of a breach, the stock takes a hit on the next day of trading, senior security executives and staff are usually dismissed, free credit monitoring is offered, the company promises to do better, sometimes there is a monetary fine, and no one ever goes to jail. Insert the name of any organization who suffered a major breach and you will likely find that the news stories fit the pattern perfectly: Marriot, Equifax, Yahoo!, Home Depot, Target, TJX, Quora, Cathay Pacific, the list goes on and on. Putting my personal e-mail address into haveibeenpwned.com reveals that I have been a part of no less than 18 breaches.
At the end of the day, average users get their data exposed and have to look over their shoulder forever, business continues with the affected company, and a lawsuit from the users may be successful. These lawsuits typically result in millions of dollars in fees paid to the attorneys with each user receiving less than $10 and free credit monitoring for a year. The recovery for the users is more of a middle finger than even a consolation prize, considering it used to cost more than $10 to put a credit freeze in place at the three major credit bureaus.
The phrase “Cybersecurity is now a board decision” has been increasingly used in marketing material for cybersecurity vendor collateral. While it is true that boards of directors for companies must take the cyber risk seriously or face serious backlash at the company level, directors themselves have been mostly indemnified from any legal action (criminal or civil) against a cyber breach. Prior lawsuits alleging gross negligence on the part of individual directors have either been dismissed or awarded without any financial payout (mostly a symbolic decision). However, in the case of Yahoo!, that all changed.
Between 2013 and 2016, Yahoo! suffered several major data breaches that would lead to the leakage and exposure of almost 3 billion records which included names, email addresses, dates of birth, encrypted passwords and telephone numbers. Yahoo! executives and board members hid these breaches until Verizon made a takeover bid to purchase Yahoo! After a purchase price was agreed on, Yahoo! disclosed the breaches to both acquiring company Verizon and the public, resulting in a $350 million discount to the previously agreed upon price due to the increased legal exposure. Users got their information exposed, shareholders lost out, and no Yahoo! executives went to jail.
Yahoo!’s board of directors' gross negligence extended beyond the simple fact that there were insufficient security controls to prevent the breach in the first place. There have been countless data breaches that did not meet the standard for gross negligence. The standard for gross negligence (typically by deliberate actions or extreme carelessness) applied when there was a systematic and deliberate coverup, failure to immediately notify the public and authorities once the breach was discovered, as required by law, and failure to implement stronger security controls once the initial breaches were discovered. These facts made it easy for the shareholder lawsuit to settle for $29 million, a fraction of the company’s decrease in value prior to the Version sale, to be paid out by Yahoo!’s insurance company and not the individual directors.
While it is an undeniable fact that cybersecurity has now become a board decision, the precedent from the Yahoo! lawsuit, that individual directors can be liable for gross negligence is worth further exploration.
A typical boardroom discussion concerning cybersecurity is to have an outside auditor or head of cybersecurity report that they are protected against attack and that there is a plan in place in the event of a successful attack (business continuity plan). This approach leads to cybersecurity decisions being made to purchase “good enough” security solutions to satisfy the auditors and the insurance companies. However, after the successful Yahoo! shareholder lawsuit, boards may need to revisit the decision of implementing "good enough" security or be forced to personally pay in the event of a breach. Having to explain in open court why the decision was made to purchase a “good enough” security solution rather than a comprehensive security platform is something most people would want to avoid. After all, an ounce of prevention is often worth a pound of cure.