Yahoo’s Three Expensive Breach Lessons

Cybersecurity is very important, and your in-house legal team must be at the forefront of managing any type of breach.

If you haven’t read Yahoo’s 2016 10K yet, you should (especially pages 46 and 47). The 10K is full of numerous excellent lessons and, in many ways, speaks for itself.

To set the stage, Yahoo had three large-scale security incidents. As a result, Yahoo recorded massive related expenses in 2016 and faced federal and state class-actions, litigations, investigations, and most recently, a Congressional inquiry. Simply put: a complete, total, expensive, and very public mess.

The Independent Committee of the Board of Directors provided some key lessons from Yahoo’s experience in the 10K.

Lesson 1: The board of directors must treat cybersecurity as an enterprise-wide risk management issue.

. . . the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016.

The IT department isn’t the best option to manage information security, because it can disconnect the company from taking responsibility for its data and is often stretched thin from a resource perspective. By making cybersecurity an enterprise-wide risk management issue, the board can ensure that the company is protecting data in a strategic, cross-departmental, and cost-effective manner.

In late 2014, . . . . it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.


The board must seek assurances that management is taking an enterprise-wide approach to cybersecurity by creating a board-appointed, cross-organization management team consisting of stakeholders from all key departments. Once the board establishes ownership of the problem, a CLO/GC (with enough resources and support), CFO, or COO can be the right senior leader to lead the cross-departmental charge. This team needs to meet regularly and develop reports to the board, conduct audits, keep updated matrices, and develop and adopt an organization-wide, cyber-risk management plan and internal communication strategy.

Lesson 2: Legal is responsible for ensuring the board understands the legal implications of cyber risks in a context of their specific company.

“Understanding cybersecurity regulations is a simple feat,” said nobody ever.

On the federal level, there is a complex mix of regulations from the SEC, FTC, FCC, Dodd-Frank, HHS, OCR, FDA, and others. Most states also have their own requirements for notifying individuals of the disclosure of personal information, with state attorneys general's offices pursuing enforcement alongside state financial regulators. To make matters even more problematic, the imposing GDPR cloud is nearly upon us and will affect how companies collect, store, transfer, and use the data of EU citizens.

Yet, the legal team will need to be at the forefront of managing any type of breach.


Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident.

And the fallout of failing to adequately inform the board is unpleasant:

The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters.

Based on the Independent Committee’s findings, the Board has taken the management related actions described below, adopted certain process and structure changes to address the Company’s issues with respect to the Security Incidents, and taken certain other disciplinary actions.

On March 1, 2017, Ronald S. Bell resigned as the Company’s General Counsel and Secretary and from all other positions with the Company. No payments are being made to Mr. Bell in connection with his resignation.

As part of its guidance to the board, the legal department should also consider existing insurance coverage and the company’s plans to avoid, accept, mitigate, or transfer cyber risks. A company’s cyber-risk tolerance must be consistent with its strategy and resource allocation, and it’s a good idea to address the following questions:

• What data and how much of it is the company willing to lose or have compromised?
• How does the company assess the impact of cyber events?
• How can certain cyber risks be transferred?
• How should risks be mitigated?

Lesson 3: The board must have adequate and regular access to cybersecurity expertise.

If your company’s board isn’t already considering doing so, adding a board member with cyber and/or IT expertise may be worthwhile. At a minimum, legal can play a key role in advising the board to schedule deep dive briefings with third-party experts, leverage independent advisors, and encourage board members to participate in education programs. The board will also need to make sure that management isn’t downplaying the true state of the company’s exposure and preparedness in the event of a security incident.

. . . the Board has directed the Company to implement or enhance a number of corrective actions, including revision of its technical and legal information security incident response protocols to help ensure: escalation of cybersecurity incidents to senior executives and the Board of Directors; rigorous investigation of cybersecurity incidents and engagement of forensic experts as appropriate; rigorous assessment of and documenting any legal reporting obligations and engagement of outside counsel as appropriate; comprehensive risk assessments with respect to cybersecurity events; effective cross-functional communication regarding cybersecurity events; appropriate and timely disclosure of material cybersecurity incidents; and enhanced training and oversight to help ensure processes are followed.
Olga V. Mack is an award-winning general counsel, operations professional, startup advisor, public speaker, adjunct professor at Berkeley Law, and entrepreneur. Olga founded the Women Serve on Boards movement, which advocates for women to serve on the corporate boards of Fortune 500 companies. Olga also co-founded SunLaw, which prepares women in-house attorneys to become general counsel and legal leaders, and WISE, which helps women law firm partners become rainmakers. She embraces the current disruption to the legal profession. Olga loves this change and is dedicated to improving and shaping the future of law. She is convinced that the legal profession will emerge even stronger, more resilient, and more inclusive than before. You can email Olga at olga@olgamack.com or follow her on Twitter @olgavmack.