Last week, Yahoo disclosed that in 2014 it suffered one of the largest data breaches in history, with at least 500 million Yahoo accounts compromised. Given the timing of its acquisition deal with Verizon, Yahoo has been criticized for failing to sooner notify its customers of the breach. Reportedly, Yahoo has been aware of loss of information as early as July 2016, the same month that it was revealed that Verizon would acquire Yahoo. Did Yahoo have a duty to disclosure the “breach”?
A “breach” generally indicates unauthorized acquisition compared to an “incident” where unauthorized access is attempted. Under California breach notification laws—where Yahoo is headquartered—unless notification would impede a criminal investigation, expedient disclosure without unreasonable delay must be given following the discovery or notification of a breach. This law requires a business or a government agency that owns or licenses unencrypted computerized data that includes personal information to notify any California resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. The California Office of Privacy Protection provides guidance that notice should be given within 10 business days.
But the notification requirements for Yahoo are further complicated by the fact that each state’s law protects the breach of personal information of residents only of that state. Thus, for a company like Yahoo who has customers in all 50 states, it is subject to many separate breach notification laws. Currently all states and the District of Columbia have their own breach notification laws with the exception of Alabama, New Mexico, and South Dakota. In states such as Connecticut, New Jersey, and the U.S. territory of Puerto Rico, notification may be triggered based on discovery of unauthorized access alone.
Data breach notification is intended to give individuals early warning to take protective action against their personal information being compromised. Practically speaking, one can argue that in the case of Yahoo, the information was stolen over two years ago and any unauthorized use could have occurred well before the two month delay in disclosing the breach. Nonetheless, breach notification laws nationwide require otherwise.