Summary Judgment: The Yahoo Data Breach

On August 1, 2016, Yahoo reportedly experienced a data breach that resulted in the hacking of 200 million user accounts, according to a report by BBC. Usernames, passwords, and dates of birth were sold on the dark web for three bitcoins (US$1719) by a hacker connected to recent data attacks on MySpace and LinkedIn. As Yahoo scrambles to fully ascertain the extent of the breach, the event stands as a lesson for in-house counsel on the growing importance of cybersecurity initiatives in the coming year. How can in-house counsel learn from Yahoo’s misfortune and what steps can they take to avoid becoming a victim in the future?

According to the 2016 ACC Chief Legal Officers Survey, nearly 70 percent of CLOs with 200 or more employees say they have experienced a data breach within the past two years. 59 percent of CLO respondents classify “data breaches or the protection of corporate data” as an “extremely important” issue to address within the next 12 months.

As discussed in the September 2015 feature article Once More Unto the Breach: Why and How to be Ready for a Data Breach, there are certain precautions that in-house counsel can take to increase their cybersecurity efforts. By acknowledging the risk and taking preparatory steps to help mitigate it, in-house counsel can be far more confident in the safety of their practice. No organization should consider itself immune to a cyber attack. The article states:

“'You’re going to be hacked. Have a plan.' These blunt words from Joseph Demarest, assistant director of the FBI’s Cyber Division, capture the reality of our cyber threat environment. Data security breaches have become ubiquitous across industries, and high profile breaches at Target, eBay, Home Depot, JP Morgan Chase, Sony, Anthem and the federal Office of Personnel Management have saturated the news. The New York Times ran more than 700 data breach articles in 2014, a fivefold increase from the prior year.”

By implementing a first response strategy in preparation for a breach, in-house counsel can more easily execute a multi-departmental data protection effort in the event of an impending threat. Clear communication is a powerful step to ensure that data breach procedures are well understood, as many different responses are required to mitigate risk across all platforms. The article continues:

“Managing effective breach response is no small feat. There are 10 different channels of response activity for an organization that has suffered a data security breach. Most of these activity channels are involved in every data breach, and all must be attended to in significant breach scenarios. These activity channels are not sequential — they must be orchestrated in a synchronized manner in order for the response to be successful.”

One crucial aspect to ensuring data security involves preemptively implementing secure practices with outside resources. As outlined by the December 2015 article Data Security and Vendor Agreements, The Chain Is Only As Strong As Its Weakest Link, maintaining trust in your vendor is a powerful way to ensure confidence in your company’s data protection.

“Prior to entering into an agreement with a vendor that will have access to confidential information, including the personally identifiable information of employees, customers or others, a company should take steps described herein to ensure that the vendor is in fact able to protect the data. Such due diligence may also help streamline the contracting process, as inherent risks will likely be identified earlier in the contracting process. It should be noted, however, that the need to conduct due diligence may depend on the nature and volume of information to be exchanged between the parties.”

In truth, preparing for a data breach and working to resolve one that’s already happened are two different scenarios. In a March 2014 feature article titled How to Prepare for and Respond to Cyber Attacks, authors Daniel E. Frank and Don Borelli stress that the best response to a data breach that’s already happened is to preserve the evidence. The article states:

“In-house counsel can and should make sure that the security team understands how to secure and preserve digital evidence in a manner that preserves it for later use in legal proceedings.”

If the company expects that it’s heading for litigation, in-house counsel will have to play an important role in ensuring the theft qualifies as a breach under state law. To avoid excess litigation fees, in-house counsel must guarantee that the incident meets regulatory requirements governing the scope of investigation before heading to trial.

In light of recent alleged events at Yahoo, the recent increase in data breaches is not cause for panic. With a solid set of preparation protocols and an informed legal staff, in-house counsel can effectively and efficiently prevent the next impending cyber attack.  

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.