Five Things You (and Your M&A Diligence Team) Should Know
Recently it was announced that Verizon would pay $350 million less than it had been prepared to pay previously for Yahoo as a result of data breaches that affected over 1.5 billion users, pending Yahoo shareholder approval. Verizon Chief Executive Lowell McAdam led the negotiations for the price reduction. Yahoo took two years, until September of 2016, to disclose a 2014 data breach that Yahoo has said affected at least 500 million users, while Verizon Communications was in the process of acquiring Yahoo. In December of 2016, Yahoo further disclosed that it had recently discovered a breach of around 1 billion Yahoo user accounts that likely took place in 2013.
While some may be thinking that the $350 million price reduction has effectively settled the matter, unfortunately, this is far from the case. These data breaches will likely continue to cost both Verizon and Yahoo for years to come. Merger and acquisition events that are complicated by pre-existing data breaches will likely face at least four categories of on-going liabilities. The cost of each of these events will be difficult to estimate during the deal process, even if the breach event is disclosed during initial diligence. First, the breach event will probably render integration of the systems of the target and acquirer difficult, as the full extent of the security issues is often difficult to assess and may evolve through time. According to Verizon executives, Yahoo’s data breaches created integration issues that had not been previously understood. The eventual monetary cost of this issue remains unknown.
Second, where the target is subject to the authority of the Security and Exchange Commission (SEC), an SEC investigation and penalties if applicable, is likely, along with related shareholder lawsuits. As we wrote previously, The SEC is currently investigating if Yahoo should have reported the two massive data breaches it experienced earlier to investors, according to individuals with knowledge. Under the current agreement, Yahoo will bear sole liability for shareholder lawsuits and any penalties that result from the SEC investigation.
Third, there will likely be additional private party actions due to the breach. Exactly what these liabilities will be will depend on the data subject to exfiltration as a result of the breach. In Yahoo’s case, Verizon and Yahoo have agreed to equally share in costs and liabilities created by lawsuits from customers and partners. Multiple private party lawsuits have already been filed against Yahoo alleging negligence.
Fourth, other government investigations, such as by the Federal Bureau of Investigation (FBI), could result in additional costs, both monetary and reputational. The FBI is currently investing the Yahoo breaches. Verizon and Yahoo will share the costs of the FBI investigation and other potential third party investigations.
Fifth, depending on the scope of the breach, there would likely be on-going remediation costs after the deal closes. According to a knowledgeable source, as of February 2017, Yahoo had sent notifications to a “mostly final” list of users, indicating that some remaining remediation activities may yet occur.
As we have seen, merger and acquisition events involving a target with a pre-existing data breach issues create difficult to assess costs and liabilities that will survive the closing of the transaction. While targets can reduce the risk of such adverse events through enforcing a comprehensive Cybersecurity Risk Management program, acquirers or targets facing these issues as part of a transaction should consult experienced legal counsel and M&A due diligence teams should include data privacy/security subject matter experts as a matter of course.