Yahoo: The Cyber Breach Cautionary Tale That Keeps on Giving

The liability arising from Yahoo's massive data breach, revealed in 2017, seems endless. In the latest news, former directors and officers of Yahoo, acquired by Verizon in 2016, agreed to pay $29 million to settle a breach of fiduciary duty derivative lawsuit.

As the New York Times notes, it's the first-ever monetary settlement by a company in a data-breach related derivative suit. As a reminder, derivative suits are breach of fiduciary duty suits against directors and officers brought by shareholders on behalf of a corporation.

As I have written in the past, the corporation typically cannot indemnify the directors and officers named in these suits; settlements are paid either by D&O insurance or by the individual defendants.

This latest settlement is just one in a series of payouts for Yahoo related to its handling of data breaches from 2013 to 2016, which exposed 3 billion Yahoo user accounts.

But as we will discuss later, it's also a settlement that sets an especially threatening precedent for future directors and officers who might be faced with dealing with the fallout of a massive data breach.

Plaintiffs in this suit alleged that directors and officers (including then-CEO Marissa Mayer) knew of the breaches but failed to report them or implement appropriate security measures. In fact, the plaintiffs went so far as to allege that Yahoo engaged in a cover-up.

The cost for Yahoo to settle its data breach litigation has been high. Other settlements included an $80 million payout in 2018 to settle the shareholder securities class action lawsuit related to the breach. That same year, Yahoo settled its customer data breach class action suit for $50 million.

The company also agreed to pay $35 million in penalties to the Securities and Exchange Commission for "failing to disclose one of the world's largest data breaches."

The SEC then updated its guidance to be even more specific about what the SEC wants public companies to do when it comes to cyber disclosure.

Remember, too, that as a direct result of the data breach, Verizon revised its original purchase price for Yahoo to be about $350 million less.

How Yahoo Set a Precedent for Future Complaints

Why was the derivative suit in Yahoo's case so effective for the plaintiffs?

This is an important question given that there have been many cases in the past that stood for the proposition that a board would not be found liable for breaching fiduciary duties if it could show diligent—even if unsuccessful—efforts to address cyber issues.

The Wyndham case, in which board members won their motion to dismiss, is a great example of a sufficiently diligent board. Despite multiple breaches in multiple years, the court found that the board's effort to address the issues in multiple audit committee and board meetings was adequate.

One difference in the Yahoo's case, of course, is the sheer scale of the breach at Yahoo.

Moreover, the world has moved forward. The Wyndham board that won its derivative suit in 2014 was facing a different world than the Yahoo board facing a difficult settlement four years later in 2018. By 2018 it was impossible for a company to behave as if data breaches were unforeseen. At this point shareholders are running out of patience.

Regulators are running out of patience, too. Yahoo was not helped by the SEC's fine—the agency's first for deficient cyber-related disclosures. This surely emphasized to the plaintiffs and the defendants the seriousness of the situation.

Also, and it is hard to overemphasize this point: There was actually clear evidence of the quantum of loss the shareholder plaintiffs suffered as a result of the breach: the $350 million that Verizon knocked off its offer for Yahoo.

Finally, the complaint against the Yahoo directors and officers in the derivative suit is unusually brutal. While it may not be fair—as a reminder, the matter was settled not adjudicated, so there were no findings of fact—the complaint is well worth a read to understand how the plaintiffs bar is likely to style future complaints.

What Can Directors and Officers Do to Protect Themselves?

Yahoo is a case study of what happens when there is a massive data breach that goes unaddressed by directors and officers. The lesson is for boards to be ruthless about looking for these issues and disclosing them in a timely way. (See earlier post about The SEC’s Interpretive Guidance On Cyber Disclosure to learn more.)

This includes ensuring that the board has a mechanism in place designed to surface potential cyber issues. This can be a regular report, a dashboard, or any number of other mechanisms.

What's important is that the board is able to demonstrate that it asked to receive relevant information about cyber issues, and that the board was following up as appropriate.

When it comes to insurance, there are a few things to consider:

1. Make sure you have enough cyber insurance and make sure your policy is best in class. These are highly customized policies. It is critical to work with an expert who does a lot of this specialized type of insurance placement. It's your cyber policy that responds to things like consumer class action suits.
2. Your regular D&O insurance will pay for settlements of securities class action suits. Remember, too, that this is the insurance that will respond to reimburse the corporation for advancing legal fees to directors and officers for both securities class action suits and derivative suits. Any investigations by a special committee will probably be subject to a sublimit (meaning full limits will not be available). It's a good idea to review your limits of insurance with cyber breach-related litigation in mind. Work with a broker who understands the nuances of how these types of litigation works.
3. The Side A D&O insurance policy will fund the settlement of derivative suits. Since settlements are paid by the Side A portion of your D&O insurance program, you will want to work with your broker to determine whether you want to purchase extra Side A insurance in addition to the amount that is included in your regular D&O insurance program.

(For a more detailed explanation of regular D&O insurance and Side A D&O insurance, see here.)

The Yahoo data breach may be unprecedented now but it's hardly unique. For example, Marriott announced late last year that up to 500 million records could have been breached from its Starwood guest reservation database. This will no doubt be another set of difficult lawsuits and settlements for yet another company.

One hopes that future directors and officers will benefit from the many lessons the Yahoo cyber breach has offered.