CORPORATE DIRECTORS' AND OFFICERS' CYBERSECURITY STANDARD OF CARE: THE YAHOO DATA BREACH

On September 22, 2016, Yahoo! Inc. ("Yahoo") announced that a data breach and theftof information from over 500 million user accounts had taken place during 2014, marking the largest data breach ever at the time. The information stolen likely included names, birthdays, telephone numbers, e...

Full description

Saved in:
Bibliographic Details
Published inThe American University law review Vol. 66; no. 5; pp. 1231 - 1291
Main Authors Trautman, Lawrence J, Ormerod, Peter C
Format Journal Article
LanguageEnglish
Published Washington American University Law Review 01.01.2017
Subjects
Acquisitions & mergers
Business judgment rule
Clawback
Consumer protection
Consumers
Corporate governance
Cybersecurity
Data integrity
Directors
Disclosure
Duty of care
Electronic commerce
Electronic documents
Electronic Signatures in Global & National Commerce Act 2000-US
Enforcement
Executive compensation
Federal court decisions
Financial Services Modernization Act 1999-US
Judicial reviews
Liability
Network security
Personal information
Privacy Act 1974-US
Public companies
Revenue procedures & rulings
SEC regulations
Security management
Standard of care
Stockholders
United States > US
California
Online AccessGet full text

Cover

More Information
Summary:On September 22, 2016, Yahoo! Inc. ("Yahoo") announced that a data breach and theftof information from over 500 million user accounts had taken place during 2014, marking the largest data breach ever at the time. The information stolen likely included names, birthdays, telephone numbers, email addresses, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers. Yahoo further disclosed its belief that the stolen data "did not include unprotected passwords, payment card data, or bank account information." Just two months before Yahoo disclosed its 2014 data breach, it announced a proposed sale of the company's core business to Verizon Communications. Then, during mid-December 2016, Yahoo announced that another 1 billion customer accounts had been compromised during 2013, a new record for largest data breach. Social media and electronic commerce websites face significant risk factors, and an acquirer may inherit cyber liability and vulnerabilities. The fact pattern in this announced acquisition raises a number of important corporate governance issues: whether Yahoo's conduct leading up to the data breaches and its subsequent conduct constituted a breach of the duty to shareholders to provide security, the duty to monitor, the duty to disclose, or some combination thereof; the impact on Verizon shareholders of the acquisition price renegotiation and Verizon's assumption of post-closing cyber liabilities; and whether more drastic compensation clawbacks for key Yahoo executives would be appropriate. Cybersecurity remains a threat to all enterprises, and this Article contributes to the corporate governance literature, particularly as it applies to mergers and acquisitions and the management of cyber liability risk.
ISSN:0003-1453
1943-5673