Yahoo’s General Counsel Takes the Fall for Cybersecurity Breach
When news broke recently that the General Counsel for Yahoo had resigned over concerns about the company’s handling of data breaches, it highlighted the ways in which data breaches can have serious consequences for corporate officers, and it underscored how important it is for in-house counsel to pay careful attention to cybersecurity preparedness and to data breach matters when they arise. Specifically, in-house counsel should ensure that cybersecurity matters are handled in a holistic and cross-disciplinary manner within the company; that counsel have or draw on the necessary technical and other expertise to effectively plan for and manage cybersecurity issues; and that the company has in place an effective cybersecurity incident response plan.
At the end of 2016, Yahoo publicly disclosed that its client database had been hit with several data breaches, including an incident in 2014 that impacted more than one billion users. In response, an independent committee of Yahoo’s Board of Directors was formed to investigate the breach, including the scope of knowledge within the company and the company’s internal and external reporting processes and remediation efforts. The results of this investigation were disclosed in Yahoo’s annual Form 10-K report filed on March 1, 2017.
The independent committee concluded that by late 2014, the legal team was aware that there had been a breach of Yahoo users’ accounts containing personal data, and the team failed to adequately assess the incident at that time. In particular, the independent committee noted that the legal team did not properly escalate the incident to senior executives and the Board of Directors.
The independent committee imposed remedial actions including management changes and revisions to security incident response protocols. CEO Marissa Mayer did not receive her expected 2016 cash bonus and she offered to forgo her 2017 equity. More notably, Ronald S. Bell, Yahoo’s general counsel, resigned without any separation payment. Historically, technology departments have been held to account for data breaches; the investigation committee’s decision to place so much accountability on the legal office, with relatively fewer consequences for other senior officers of the corporation, is unusual. Whether or not Yahoo’s action against Ronald Bell was warranted, this serves as a cautionary reminder to general counsel of the significant consequences that may result if cybersecurity breaches are not promptly and rigorously investigated.
General counsel should pay close and careful attention to cybersecurity matters, including by developing in-house technical and risk management expertise suited to cybersecurity matters, or by drawing on the expertise of external counsel and consultants. In-house counsel should take a comprehensive and careful look at their organizations’ cybersecurity preparedness and incident response protocols to ensure that any cybersecurity breach will be promptly assessed and escalated to decision makers.
Saul Ewing’s Cybersecurity and Privacy Practice is able to assist organizations in assessing their cybersecurity risks and taking proactive steps to mitigate and reduce those risks. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.