Cybersecurity and the Yahoo experience – Legal pays the price

If we were to roll the movie back several years, most boards in North America would have listed cybersecurity as low on their list of priorities. Experience has shown, however, that we seriously underestimated the effect a security breach could have on a company’s reputation and fortunes.

If we were to roll the movie back several years, most boards in North America would have listed cybersecurity as low on their list of priorities. Experience has shown, however, that we seriously underestimated the effect a security breach could have on a company’s reputation and fortunes.    

Companies have since then had to pay out billions of dollars in damages for infiltrations into their information systems. It is believed by some that the electoral results in the United States were skewed and orchestrated by state-sponsored hackers.

At board meetings I have attended recently, cybersecurity is very much on the minds of board members, both in their deliberations as well as in their social conversations.

Yahoo CEO and general counsel

The responsibility of boards and management teams to ensure that their information systems are secure is being brought home most poignantly with what is currently being reported about the company Yahoo.

Yahoo reported two major data breaches of user account data to hackers during the second half of 2016. The first announced breach, reported in September 2016, had occurred some time in late 2014 and affected more than 500 million Yahoo user accounts. A separate data breach, occurring earlier around August 2013, was reported in December 2016 and affected more than one billion user accounts. The attacks are the largest known security breaches of one company’s computer network ever.

According to a Form 10-K filed March 1, the company found that an additional 32 million accounts were compromised in 2015 and 2016 through the use of forged cookies. The intrusions allowed hackers acting on behalf of an unnamed foreign state to steal valuable personal information without the use of passwords.

On March 1, Yahoo announced that its CEO, Marissa Mayer, took responsibility for the theft of personal information by voluntarily foregoing her annual bonus and equity award for 2017. She asked that her bonus be redistributed to the company's employees.

The Form 10-K discloses, surprisingly, that an investigation led by an independent committee on Yahoo's board found that the company's information security team had contemporaneous knowledge of the 2014 breach as well as the cookie forging in 2015 and 2016. In other words, there was a multi-year delay on the part of Yahoo’s management team and board in investigating and disclosing the number of attacks and the extent of the potential damage done.

According to the filing, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts, and though Yahoo took certain remedial actions, the committee said senior executives including the legal team "did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the company's information security team." Accordingly, on the same day that the Mayer announcement was made, Yahoo announced that its general counsel and company secretary Ron Bell resigned from the company after more than 15 years at Yahoo and almost five years at the helm of its legal department. Unlike Mayer, however, Bell lost his job and walked away with no severance.

It is interesting that while Bell was not directly responsible for IT security, his failure to ensure a timely and thorough investigation and reporting seems to have warranted his dismissal.

Further Yahoo repercussions

The story since then has continued to unfold.

On March 17, Yahoo announced in another regulatory filing that after Yahoo sells its operating business to Verizon Communications Inc., Mayer will step down as CEO from the holding company that remains. She will leave, however, after receiving a US$23-million severance package. Besides her severance package, Mayer will gain control of stock options valued at $56.8 million, according to the filing. The stock will no doubt help ease the sting of losing out on her 2017 $1-million salary and stock option grant!

Summary

The events at Yahoo suggest that cybersecurity is now a prominent topic in board discussions.  Companies are prepared to take strong, visible steps to demonstrate that their customer’s personal information is secure. The Yahoo experience, however, suggests that the laying of responsibility may be uneven. It also seems to suggest that the legal department should play an important oversight role as well as being key to any investigation and reporting. Companies such as Yahoo are signaling that they are prepared to hold the feet of their in-house counsel to the fire for information breaches, up to and including their dismissal, particularly where they fail to act promptly and thoroughly.