Landmark Shift In Data Breach Liability: Former Yahoo Directors Personally Liable To The Tune Of US$29 Million

In early January this year a derivative action lawsuit brought by Yahoo against a number of its former directors was settled for US$29 million. The suit related to data breaches that were disclosed just prior to the acquisition of Yahoo by Verizon.

In 2013 and 2014 Yahoo suffered data breaches that affected hundreds of millions of its customers. Both breaches were only publicly disclosed in late 2016, when Yahoo notified approximately 500 million affected users of the 2014 breach. Later, in December 2016, the company reported that another 1 billion users’ data had been compromised in the 2013 breach. That figure was revised to 3 billion in 2017, meaning the 2013 breach affected every Yahoo account in existence at the time.


What was the breach?:

In the 2014 breach, attackers gained access to user data through a cookie-based attack: by forging the session cookie Yahoo issued after a successful login, they could access an account without ever supplying the user’s password. When Yahoo notified the SEC of the 2013 breach, it was still unclear how the attackers had obtained the data of every Yahoo user. The attackers obtained sensitive information including names, email addresses, telephone numbers, security questions and answers, dates of birth and hashed passwords. Yahoo indicated that credit card information had not been exposed as a result of the break-in.
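The article does not say how Yahoo’s cookies were constructed or how they were forged, so the following is an added illustration written for this page, not Yahoo’s code or a reconstruction of the actual attack. It contrasts a session cookie that is nothing more than an encoded user id (forgeable by anyone who knows a victim’s username) with a cookie whose claims are bound to a server-held key by an HMAC-SHA256 tag. All names (`SERVER_KEY`, `mint_*`, `verify_*`, the claim fields) are assumptions made for the example, and the key, users and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a 256-bit key that lives only on the server and is never
# placed in the cookie. The whole scheme stands or falls on its secrecy.
SERVER_KEY = secrets.token_bytes(32)

# Constructed fixed clock so results are deterministic.
NOW = 1_000_000


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Weak design: the cookie is just encoded claims, nothing proves the server issued it.
def mint_unsigned_cookie(user: str, expires: int) -> str:
    return _b64(json.dumps({"u": user, "exp": expires}, sort_keys=True).encode())


def verify_unsigned_cookie(cookie: str, now: int = NOW):
    """Returns the user the cookie names, or None. No secret is checked."""
    try:
        claims = json.loads(_unb64(cookie))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("u")


def forge_cookie(victim: str, now: int = NOW) -> str:
    """What an attacker does against the weak design: no password, no secret needed."""
    return mint_unsigned_cookie(victim, now + 10 * 365 * 86400)


# --- Hardened design: claims are bound to the server key with an HMAC tag.
def mint_signed_cookie(user: str, expires: int, key: bytes = SERVER_KEY) -> str:
    payload = _b64(json.dumps({"u": user, "exp": expires}, sort_keys=True).encode())
    tag = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def verify_signed_cookie(cookie: str, now: int = NOW, key: bytes = SERVER_KEY):
    """Returns the user only if the tag verifies and the cookie is unexpired."""
    try:
        payload, tag = cookie.split(".", 1)
    except ValueError:
        return None  # no tag at all (e.g. a forged unsigned cookie)
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("u")


def demo() -> dict:
    """Runs every scenario and returns who each verifier would log in as."""
    forged = forge_cookie("victim")
    genuine = mint_signed_cookie("alice", NOW + 3600)
    # Attacker keeps alice's valid tag but swaps the claims to name the victim.
    spliced = mint_unsigned_cookie("victim", NOW + 3600) + "." + genuine.split(".")[1]
    # If the key itself leaks, the attacker can mint cookies the server accepts.
    minted_with_stolen_key = mint_signed_cookie("victim", NOW + 3600, key=SERVER_KEY)
    return {
        "unsigned_accepts_forgery": verify_unsigned_cookie(forged),
        "signed_rejects_forgery": verify_signed_cookie(forged),
        "signed_accepts_genuine": verify_signed_cookie(genuine),
        "signed_rejects_expired": verify_signed_cookie(genuine, now=NOW + 7200),
        "signed_rejects_spliced": verify_signed_cookie(spliced),
        "stolen_key_defeats_signing": verify_signed_cookie(minted_with_stolen_key),
    }


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name}: {who}")
```

The last scenario is the caveat a practitioner should take from this page: signing binds the cookie to a secret, so it stops forgery only for as long as the key and the code that mints cookies stay out of the attacker’s hands. Once either is stolen, rotating the key invalidates every outstanding cookie, which is why the ability to rotate (and to revoke sessions server-side) matters as much as the signature itself.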


Legal ramifications:

Much legal action has been launched in response to Yahoo’s announcement of the two breaches. The SEC investigated whether Yahoo ought to have disclosed the record-breaking breaches earlier, ultimately fining the company US$35 million. Approximately 43 consumer class actions were filed concurrently against the internet giant, which it settled through a US$50 million settlement agreement covering 200 million users. It paid a further US$80 million to settle a shareholder class action claiming damages for share price losses caused by the breaches. The U.S. Justice Department indicted four men for their involvement in the 2014 attack. Verizon acquired Yahoo’s operating business from Altaba Inc. for US$4.48 billion in 2017, a US$300 million discount following the additional disclosure, and gave up its right to sue Altaba Inc. for failing to disclose the breaches sooner.


Derivative action and the risk to directors:

Derivative action refers to the statutory mechanism allowing current or former members and officers to bring proceedings against a director or directors on behalf of the company. This means that shareholders may bring proceedings against directors personally, rather than suing the corporation through a more traditional class action suit. This exposes directors to personal liability for failure to meet their duties as set out in the Corporations Act. In the case of user data, directors may be liable for negligently failing to prevent or mitigate a breach. Directors cannot rely upon the expertise of others to avoid liability, so it is critical that every director is engaged with, and informed about, the company’s data security.


The case demonstrates the potential for substantial personal liability for directors as a result of poor data security. The derivative suit may serve as a precedent for further litigation against directors following breaches elsewhere, on top of the existing risk of consumer and shareholder class actions.