Corporate Directors’ and Officers’ Cybersecurity Standard of Care : The Yahoo Data Breach

On September 22, 2016 Yahoo! Inc. announced that a data breach and theft of information from over 500 million user accounts had taken place during 2014 (the largest data breach ever at the time), likely including names, birthdays, telephone numbers, email addresses, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers. Yahoo further disclosed their belief that the stolen data “did not include unprotected passwords, payment card data, or bank account information. Just two months before Yahoo disclosed its 2014 data breach, a proposed sale of the company’s core business to Verizon Communications was announced. Then, during mid-December 2016, Yahoo announced that another 1 billion customer accounts had been compromised during 2013, a new record for largest data breach. Social media and electronic commerce websites face significant risk factors and mergers and acquisitions may bring cyber liability and vulnerabilities to the acquirer. The fact pattern in this announced acquisition raises a number of important corporate governance issues, including: whether Yahoo’s conduct leading up to the data breaches and its subsequent conduct constitutes a breach of the duty to provide security, the duty to monitor, the duty to disclose, or some combination thereof; whether the directors of Verizon will feel compelled to renegotiate pricing for the proposed acquisition of Yahoo given disclosure of the 2013 and 2014 data breaches; and whether clawbacks in compensation granted to key Yahoo executives are now in order? We believe that cybersecurity remains a threat to all enterprises and this article contributes to the corporate governance literature, particularly as it applies to mergers and acquisitions and the management risk