Data Breaches Will Cost Yahoo and Verizon Long After Sale

Advertisement

data breach Yahoo VerizonFive Things You (and Your M&A Diligence Team) Should Know

Recently it was announced that Verizon would pay $350 million less than it had been prepared to pay previously for Yahoo as a result of data breaches that affected over 1.5 billion users, pending Yahoo shareholder approval. Verizon Chief Executive Lowell McAdam led the negotiations for the price reduction. Yahoo took two years, until September of 2016, to disclose a 2014 data breach that Yahoo has said affected at least 500 million users, while Verizon Communications was in the process of acquiring Yahoo. In December of 2016, Yahoo further disclosed that it had recently discovered a breach of around 1 billion Yahoo user accounts that likely took place in 2013.

While some may be thinking that the $350 million price reduction has effectively settled the matter, unfortunately, this is far from the case. These data breaches will likely continue to cost both Verizon and Yahoo for years to come.  Merger and acquisition events that are complicated by pre-existing data breaches will likely face at least four categories of on-going liabilities.  The cost of each of these events will be difficult to estimate during the deal process, even if the breach event is disclosed during initial diligence. First, the breach event will probably render integration of the systems of the target and acquirer difficult, as the full extent of the security issues is often difficult to assess and may evolve through time. According to Verizon executives, Yahoo’s data breaches created integration issues that had not been previously understood.  The eventual monetary cost of this issue remains unknown.

Advertisement

Second, where the target is subject to the authority of the Security and Exchange Commission (SEC), an SEC investigation and penalties if applicable, is likely, along with related shareholder lawsuits. As we wrote previously, The SEC is currently investigating if Yahoo should have reported the two massive data breaches it experienced earlier to investors, according to individuals with knowledge. Under the current agreement, Yahoo will bear sole liability for shareholder lawsuits and any penalties that result from the SEC investigation.

Third, there will likely be additional private party actions due to the breach. Exactly what these liabilities will be will depend on the data subject to exfiltration as a result of the breach.  In Yahoo’s case, Verizon and Yahoo have agreed to equally share in costs and liabilities created by lawsuits from customers and partners.  Multiple private party lawsuits have already been filed against Yahoo alleging negligence.

Advertisement

Fourth, other government investigations, such as by the Federal Bureau of Investigation (FBI), could result in additional costs, both monetary and reputational. The FBI is currently investing the Yahoo breaches.  Verizon and Yahoo will share the costs of the FBI investigation and other potential third party investigations.

Advertisement

Fifth, depending on the scope of the breach, there would likely be on-going remediation costs after the deal closes. According to a knowledgeable source, as of February 2017, Yahoo had sent notifications to a “mostly final” list of users, indicating that some remaining remediation activities may yet occur.

As we have seen, merger and acquisition events involving a target with a pre-existing data breach issues create difficult to assess costs and liabilities that will survive the closing of the transaction.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Published by

National Law Forum

A group of in-house attorneys developed the National Law Review on-line edition to create an easy to use resource to capture legal trends and news as they first start to emerge. We were looking for a better way to organize, vet and easily retrieve all the updates that were being sent to us on a daily basis.In the process, we’ve become one of the highest volume business law websites in the U.S. Today, the National Law Review’s seasoned editors screen and classify breaking news and analysis authored by recognized legal professionals and our own journalists. There is no log in to access the database and new articles are added hourly. The National Law Review revolutionized legal publication in 1888 and this cutting-edge tradition continues today.