Prepare for an attack: lessons learned from Verizon-Yahoo ordeal

It’s imperative to ensure all employees have an in-depth understanding how a cyber attack could impact your company.

As hackers become more sophisticated, it’s not a matter of “if” but “when” companies will be targeted by cyber criminals.

Is your company ready to respond to attacks? Being poorly prepared could lead to the same fate as Yahoo! Inc.

In July 2016, Verizon Communications Inc. acquired Yahoo! for approximately $4.8 billion. In September, Yahoo! disclosed it had suffered a data breach involving the theft in late 2014 of customer data from approximately 500 million user accounts. Then, in December, the company revealed another data breach: information from more than one billion accounts stolen in August 2013. This breach has been deemed the largest in history.

But that wasn’t the end. The internet giant, based in Sunnyvale, Calif., reported two more breaches in November and December, when hackers used forged cookies to access about 32 million user accounts.

Verizon saw the breaches as material adverse events and insisted that the purchase agreement be amended to reduce the purchase to $4.48 billion. According to the amended agreement, Yahoo! and Verizon are each responsible for 50% of the cash liabilities relating to government investigations and third-party litigation of the data breaches, but Yahoo! will be solely responsible for the liabilities relating to shareholder litigation and SEC investigations.

According to Yahoo!’s annual report, an investigation by an independent committee of the board of directors found in late 2014, senior executives and legal staff were aware of the breach that year, but didn’t properly comprehend or investigate it further due to failures in communication, management, inquiry and internal reporting. Nor was the company adequately advised of the legal and business risks associated with the breach.

As a result of the independent committee’s findings, CEO Marissa Mayer missed out on her 2016 annual bonus and the company accepted her offer to forgo any equity award for 2017. Yahoo’s general counsel also resigned.

Lessons learned

Yahoo!’s data breaches illustrate how the lack of proper governance structures and inadequate planning for remedial actions impact a company in many ways. Prevent similar fallout by following these tips:

Conduct regular cyber risk assessments. Identify system vulnerabilities, threats, and risks and implement an incident response plan.

When there is an attack, immediately implement the incident response plan, which may require bringing onboard cybersecurity experts to assist with the detection, containment and remediation process. Consider investing in cybersecurity liability insurance, which Yahoo! did not do according to its annual report.

Have a clear governance structure to deal with cyber incidents. All employees, including senior management and legal staff, need to have an in-depth understanding of cyber attacks. They must collaborate and communicate effectively with each other so that appropriate decisions are made.

Conduct cybersecurity due diligence in transactions. Contemplating an acquisition? Inquire about any cyber attacks that could have legal and financial consequences. To Verizon, Yahoo! is now worth $350 million less because of the company’s issues related to data breaches. Additionally, there could be litigation and exposure to regulatory investigation for Verizon post-closing. Yahoo! is currently facing 43 consumer class action lawsuits, a stockholder class action, four stockholder derivative actions as well as investigations by federal, state, and foreign governmental officials and agencies. Verizon will also need to set aside additional funds to cover the costs associated with investigations, recovering data, repairing computer systems, changing security measures, hiring additional personnel and defending litigation and regulatory actions. Yahoo! had $16 million dollars in expenses arising from the data breaches by the end of December 2016.

Know how to handle the public fallout resulting from a major breach. Have a clear communication plan in place involving early disclosure of any breaches where appropriate and a strategy on how to engage with law enforcement and regulators. This will prevent a loss of customer and business relationships and damage to the brand, all of which could result in a loss of revenue.

As the Greek philosopher Epictetus said, “It’s not what happens to you, but how you react to it that matters.” Learn from Yahoo!’s experience to better protect your company and customers.

Imran Ahmad is a partner specializing in cybersecurity law at Miller Thomson LLP in Toronto. Ashley-Rose Gillespie is a lawyer at David J. Gillespie Professional Corp. in Whitby, Ont.