In the digital age, data represents a critical asset for companies, but it also represents a significant risk. According to the 20th Annual PWC CEO Survey, 62 percent of respondents cited cyber threats among their top 10 concerns. Moreover, 58 percent of CEOs worry that declining stakeholder trust could inhibit corporate growth, a 21 percent rise in just three years. Their concerns aren't unfounded: 84 percent of consumers said that breaches of data privacy and ethics degrade their trust in companies. Recent disclosures about the 2014 Yahoo data breach indicate that regulators are watching closely too. Download our eBook on understanding regulator expectations for outsourcing to the cloud.
Why is a data breach that occurred in 2014 attracting media attention now? Writing on the FCPA blog, Richard Cassin notes Yahoo's transparency—or lack of it—about the breach has raised questions. Yahoo first disclosed a breach in September 2016, but in a securities filing in November 2016, Yahoo disclosed that employees knew in late 2014 that more than 500 million accounts were breached by state-sponsored hackers. The company also disclosed a separate data breach from 2013 that affected over 1 billion user accounts.
In the November disclosure, Yahoo revealed that it had already recorded expenses of $1 million related to the data breach in September. The disclosure also stated, "However, we have subsequently incurred expenses related to the Security Incident to investigate and take remedial actions to notify and protect our users, and expect to continue to incur investigatory, legal, and other expenses associated with the Security Incident in the foreseeable future." In addition, Yahoo faces 23 consumer class action lawsuits in U.S. federal and state courts, as well as in foreign courts, and the company anticipates that additional lawsuits by or on behalf of users, partners, or shareholders.
Moreover, the two-year gap between the discovery of the breaches and subsequent disclosures is having added consequences.
The original disclosure came two months after Yahoo had completed negotiations to sell its core businesses to Verizon for $4.8 billion. Shortly after that disclosure, reports The New York Times, Verizon's general counsel Craig Silliman said, "I think we have a reasonable basis to believe right now that the impact is material, and we're looking to Yahoo to demonstrate to us the full impact. If they believe that it's not, then they'll need to show us that." The second disclosure, revealing a far larger breach, only worsened Yahoo's position. Just last month, The Guardian reported that Yahoo had "… discounted the price of its core assets to Verizon by $350 million.
One agency that is taking a closer look is the U.S. Securities and Exchange Commission. Yahoo stated in its SEC disclosure that "The Company is cooperating with several federal, state, and foreign governmental officials and agencies seeking information and/or documents about the Security Incident and related matters." While the SEC has not yet brought an enforcement action against a public company on a cyber-security breach, guidance it issued in 2011 addresses the need for making a timely disclosure of such events. Data security specialist Kim Phan told The Financial Times that "The SEC is looking for an opportunity to bring that type of action." And given the amount of time between the discovery and the disclosure, the Yahoo case could be a watershed moment. The U.S. Federal Trade Commission, several State Attorneys General, and the U.S. Attorney's office for the Southern District of New York have also taken an interest.
Similar to guidance from other regulatory agencies, the U.S. Department of Justice (DOJ) guidance shares what it considers when conducting a compliance review. Given what is transpiring from Yahoo's handling of the data breach, the section on Oversight seems especially relevant. Asked sooner, questions—like whether the board of directors has expertise needed for oversight or how the board and senior management exercised oversight when an issue arose—might have resulted in a more proactive response when the breach was first uncovered. Instead, the fallout has included a cut to the CEO's pay, the resignation of Yahoo's General Counsel, and criticism of senior management, company lawyers and the security team.
While the Yahoo data breach may make companies reluctant to move to the cloud, guidance from regulators suggests that having third-party management and well-integrated risk management processes in place—and enforcing them—can help mitigate risk. Regulators look for a program that tallies with the "nature and level of the enterprise risk identified." In addition, they want to understand the processes used to "identify, analyse, and address the particular risks" a company faces. With powerful risk assessment, due diligence and risk monitoring tools integrated into the risk mitigation process, companies can better manage compliance challenges when they arise.
1. Download the eBook to read more about regulator guidance for outsourcing to the cloud.
2. Learn how LexisNexis solutions complement your third-party risk mitigation workflow.
3. Share this blog on LinkedIn to keep the dialogue going with your colleagues and contacts.