Twenty years ago, Yahoo! was the first place anyone looked when browsing the internet. Now, it's the first place organizations and especially general counsel should look to understand how pervasive the ramifications of data security breaches are and, more importantly, how devastating it can be when the obligations of data privacy and security are not adequately managed. It's no secret that Yahoo!'s data security department has been dealt some tough blows recently. Last September, the company announced that 500 million users' accounts were compromised by a cyberattack in 2014. Just two months later, Yahoo! confirmed that a similar attack had been carried out in 2013, affecting more than one billion accounts. And two weeks ago, it revealed that an unknown number of accounts were inappropriately accessed in 2015 and 2016. As a result of these incidents, Yahoo! has paid $16 million in publicly reported expenses, has lost $350 million from its sale of core assets to Verizon, and is being probed by the Senate Committee on Commerce, Science, and Transportation, among other things. While these consequences are severe, they are unsurprising to anyone who follows data security. The real news is how the breaches have impacted Yahoo!'s legal department.
Last week, Yahoo! filed a 10-K with the Securities and Exchange Commission stating that its general counsel was resigning, effective immediately, and would receive no payments in connection with his resignation. Describing the investigations into the breaches, the filing provided that while Yahoo! "took certain remedial action" and implemented "significant additional security measures," those efforts were insufficient. After Yahoo!'s independent committee found that "the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it," the general counsel found himself on the chopping block. The 10-K confirms that Marissa Mayer, CEO, still has her job, but she will not receive a 2016 bonus or any 2017 annual equity award.
Data security is a complex intersection of business operations; information technology; and state, federal, and international laws and regulations. Consequently, in-house counsel are uniquely positioned to lead their companies' data security efforts and, as we have learned from Yahoo!, are likely to take the fall if things go awry. Data security breaches are a matter of "when," not "if," and whether a company (and its employees) will emerge unscathed from a breach depends principally upon one thing: preparedness. A company cannot develop a data security incident response plan in the midst of a breach, just as it cannot prepare an emergency evacuation plan while the fire alarm is blaring. While any plan is better than no plan, an effective data security incident response plan must address how to determine: (1) what systems have been compromised; (2) the source of the compromise; (3) how to prevent the spread; (4) what risks must be communicated up the chain of command; (5) which clients, employees, vendors, and governing bodies must be notified; and (6) what those individuals and entities must be told. And because the playing field evolves as the breach unfolds, the plan must also provide a map for identifying and responding to each development.