Yahoo Inc.’s recent cybersecurity woes recall the ever-present danger of “unknown unknowns.”1 Companies that fail to discover or remediate data breaches have traditionally run into a host of legal issues, ranging from contract and tort claims to specific statute or regulatory violations.2 But recent developments indicate that the duty to disclose data breaches after their detection is becoming, perhaps, “duties” to disclose, with nascent issues over the timing and manner of these notifications. Thus, failing to give proper notice of a cyberattack can prove an unexpected source of liability, not only to the putative victims of the breach and state agencies, but also to others, such as the investing public. The recent Yahoo! data breach disclosures are a high-profile example of how a combination of the above can have runaway consequences for large public companies.
By way of background, Yahoo! is currently facing an SEC investigation and is targeted by a variety of class-action lawsuits; it also faces the prospect of termination of an estimated $4.8 billion deal with Verizon over its failure to timely detect and disclose that it had been hacked two years ago (affecting 500 million accounts). Yahoo! reportedly first learned about the initial breach some weeks before alerting the public.3 Proving that things could—in fact—get worse, Yahoo! more recently reported that an additional one billion user accounts were compromised in a separate cyberattack.4 “Biggest data breach in history” is an inauspicious byline for any company, much less one selling its web assets.
Right now, the Yahoo! disclosures provide an extensive case study (and perhaps soon, an SEC “test case”) on best practices in cybersecurity and emerging trends in privacy law:
Yahoo! Disclosures Suggest Greater Cybersecurity Due Diligence in M&A
The timing of the recent Yahoo! hacking revelations has led to intense scrutiny over when exactly Yahoo! learned about its data breaches and why it waited to alert the public. These revelations not only are damaging to its reputation, but also have led Verizon to suggest these breaches and potential fallout could be a “material” change to its $4.8 billion takeover bid.
The immediate takeaway: Yahoo!’s cybersecurity troubles should prompt companies to reconsider their cybersecurity evaluations prior to striking a M&A transaction. Companies considering pursuit of a sale should consider safeguards and training in order to preserve their value to prospective purchasers. Likewise, purchasers should investigate the cybersecurity profile of sellers or merger partners, offering extensive questionnaires, hiring IT professionals to conduct objective assessments, employing “white hat” hackers to probe a company’s security, among other tools and methods. Reputational harms and damage to goodwill should also not be underestimated—many articles discussing the Yahoo! cyberattacks have highlighted the stress and uncertainty caused for many of its users.
Yahoo! Disclosures May Lead to First-in-Kind SEC Case
The SEC is reportedly investigating whether Yahoo! violated securities laws by failing to disclose its cybersecurity risks to investors. In 2011, the SEC released guidance discussing the potential disclosure obligations that could be triggered by a data breach or other cyber risks (“as with other operational and financial risks”) that would impact investment decisions. Notably, the 2011 guidance does not provide a timeline for such disclosures after a breach occurs.
While the SEC has yet to bring any enforcement action related to a failure by an issuer to disclose a data breach to investors, it has been reported5 that former SEC lawyers view the circumstances surrounding Yahoo’s disclosures as a better test case than previous investigations. If the SEC ultimately decides to bring a case against Yahoo!, it could provide clarity on the duty to disclose under securities laws, particularly the timing and what properly qualifies as “material information” regarding cyber risks. An enforcement action could also indirectly suggest a federal standard for data breach notifications, at least by public companies. At the moment, efforts to pass federal data breach notification laws have been stalled in Congress, leaving companies to contend with a patchwork of 47 state laws with various disclosure requirements.
Yahoo! Disclosures May Clarify Privacy Harms in Federal and State Courts
Despite ominous headlines, Yahoo! maintains that 90% of its daily active users have “already taken or do not need to take remedial action to protect their accounts.” Yahoo! also apparently did not even lose much traffic or user engagement over its 2016 disclosures.
There is also lingering uncertainty over how Yahoo! users were actually harmed by these intrusions, and whether Yahoo! breached any applicable standards of care—the company claims that a state-sponsored actor was responsible for the hacks, suggesting a high-level of sophistication and difficulty in detection.6 These are issues that will be parsed in their ordinary course as blame and costs (if any) are eventually assigned.7
Nonetheless, Yahoo! faces a series of lawsuits in federal and state courts alleging that the company acted with “gross negligence” and harmed users by failing to secure their data. But the plaintiffs will face considerable difficulties in establishing standing in these cases, at least based on existing case law. For data breaches affecting 1.5 billion accounts with countless documents and instances of private information, any potential harm to any given plaintiff might be seen as de minimis or negligible—after all, what is the likelihood that any one person would suffer reputational or other damage that would give rise to standing? In perhaps an unintuitive way, the more massive the data breach, the more difficult it could be to establish individual standing to sue for damages, for following the U.S. Supreme Court decision in Spokeo v. Robbins (2016), federal courts hold that plaintiffs must allege concrete injuries above and beyond mere technical violations of their statutory privacy rights.
As these cases proceed, it will be of great interest to see how and if plaintiffs establish standing to sue. In the event that Yahoo! users actually document unusual activity in their accounts, such as specific instances of identity theft, their cases should stand a much greater chance of success. Moreover, it remains to be seen whether Yahoo!’s delay in informing users could add any weight to these claims or lead to novel theories of harm.
Finally, it should be noted (as a separate matter) that state attorney generals may also initiate actions for civil penalties related to violations of state breach notification laws—and they do not face the same standing issues as private plaintiffs.
Conclusion
The ongoing revelations over the recent Yahoo! data breaches should give companies some insight as to how the SEC and FTC may coordinate investigations of security breach notification duties. An FTC enforcement action detailing minimum cybersecurity for large public companies in this context and a similar SEC enforcement action establishing a data breach notification timeline has broad implications for national standards. The related litigation over the Yahoo! data breaches should also help clarify standing requirements and how privacy harms are treated in both federal and state courts.
1. From a speech by then-Secretary of Defense Donald Rumsfeld, “Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.”
2. This trend should only continue as the FTC grows into the de facto cybersecurity regulator and enforces minimum standards for detection and prevention. The FTC has grown into this role by bringing over 50 cybersecurity-related cases since 2000 (half of which were brought after 2010) under section 5(a) of the FTC Act which allows the FTC to bring actions against “unfair or deceptive acts or practices in or affecting commerce.” The FTC has been gradually developing cybersecurity standards under the “unfairness” prong of section 5(a). There is currently a case pending in the U.S. Court of Appeals for the Eleventh Circuit, LabMd, Inc. v. FTC, that could potentially limit the FTC’s authority in this regard.
3. There is some conflicting information about when Yahoo! learned about the hacks.
4. This was apparently discovered while Yahoo! was investigating the first breach.
5. “Yahoo Faces SEC Probe Over Data Breaches,” Wall Street Journal (Jan. 23, 2017), https://www.wsj.com/articles/yahoo-faces-sec-probe-over-data-breaches-1485133124
6. Note, however, that this has not been confirmed. There is an ongoing federal investigation into the nature of these cyberattacks and the identity of the responsible actors. Further, some cybersecurity experts, such as Brian Krebs, have questioned Yahoo!’s cybersecurity posture in the past.
7. See, e.g., Frank H. Easterbrook, “Cyberspace and the Law of the Horse,” 1996 University of Chicago Legal Forum 207 (1996) (noting that general principles of law are adequate to address new harms in cyberspace).