Lessons for Boards from Yahoo’s $80 Million Data Breach Settlement

What does it mean for board liability in future data breach litigation?

At the time it was disclosed, the Yahoo! email breach was considered massive. The personal information of 1.5 billion users was compromised. In response, lead plaintiff Edward McMahon filed a suit alleging that Yahoo! Inc. intentionally misled investors and certain directors and officers about its cybersecurity practices.

In filing the claim, the plaintiffs were certainly taking a risk. During a 2016 interview, principal litigator Michael W. Stocker of Labaton Sucharow LLP told Forbes Magazine, “The problem for plaintiffs has been that at least so far, even large breaches have mostly not been accompanied by huge hits to share prices—undercutting the ability of investors to show harm.”

Fast forward to 2018, and the harm is now plain to see. Yahoo agreed to settle the securities class action lawsuit to the tune of $80 million, which should serve as a wake-up call for boards. Why? It’s the first of its kind: a milestone shareholder settlement related to a data breach.

Still subject to court approval, the pending agreement will have implications not just for Yahoo’s directors and officers, said Jeff Dennis, managing partner and cybersecurity practice lead at law firm Newmeyer & Dillion. Like many others, he had anticipated that the fallout from the Equifax breach would be the more troubling development for organizations.

Instead, Yahoo’s shareholder settlement suggests that reform is happening much faster. “The boards are going to be targets,” Dennis said. If there’s truth to that assumption, there are some critical lessons for boards to take away from this news.

This major win for the plaintiffs could be a game-changer when it comes to shareholders suing companies, and it also raises questions about board liability stemming from data breach litigation in the future.

“If you are trying to figure out legal liability after a breach, it’s too late,” Dennis said. There are, however, steps boards can take now to reduce their cyber-risks and legal liabilities, should a breach occur. To start, the board of directors must accept that it is responsible for the oversight of the company’s cyber-risk.

Ambivalent About Accountability

Despite the ever-growing number of companies that have made headlines in the aftermath of a breach, many boards have made little headway with cybersecurity governance. Perhaps the inability to effectively measure the overall cost of a breach has given the false impression that they can’t really be harmed.

How often do people in the industry point to Target as an example of a breach? Yet, no one can really cite Target’s bottom-line loss in dollars or damage to brand. The company isn’t closing stores across the globe. Yes, its name is associated with a major breach that resulted from a compromised third-party vendor. The breach led to some outcry, but the extent of the damage is difficult to quantify.

Aside from that, there has been little evidence to motivate boards to get started on making real changes, until the Yahoo settlement. The settlement amount, $80 million, is a hefty sum, which makes it much more difficult to ignore the reality that litigation continues to pick up steam.

Unfortunately, breaches are a part of everyone’s daily lives. While future cases may not be as attractive, Dennis said the Yahoo settlement has the potential to embolden plaintiff attorneys to take on these kinds of shareholder derivative cases.

Proactive Steps Toward Effective Change

Because they are responsible for cyber as part of their duties in overseeing corporate risk management, boards need to protect themselves. Dennis suggested the following six steps as a way for them to demonstrate that they are taking cyber-risk seriously:

  1. Do an honest assessment of the company’s cybersecurity posture. Be able to identify the key assets and determine what is being done, or what needs to be done to protect those assets.
  2. Evaluate the risk by using published standards, such as NIST or individual state standards, like those published by the state of New York.
  3. Establish initiatives. As a board, require regular feedback on the progress being made. Have a system (such as color coding) for prioritizing which of those are the highest risk. Identify the ones that need to be dealt with right now.
  4. Make cyber-risk an agenda item at every meeting until the board has a strong handle on it going forward.
  5. Invest in external risk management. Understand the cyber-risk issues related to contracts with the organization’s vendors and subcontractors.
  6. Decide whether cyber-insurance is something worth investing in.
May 8, 2018
Kacy Zurkus

Kacy Zurkus is a cybersecurity and InfoSec freelance writer who has contributed to several publications including Medium, CSO Online, The Parallax, InfoSec Magazine and K12 Tech Decisions. She covers a variety of security and risk topics. She has also self-published a memoir, "Finding My Way Home: A Memoir about Life, Love, and Family" under the pseudonym "C.K. O'Neil." Zurkus has nearly 20 years of experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.