Yahoo Breach Teaches the Need for Cybersecurity Due Diligence

Sep 23, 2016 | Blog
Partner

What did Verizon, the purchaser of Yahoo for $4.8 billion in 2016, know about the 2014 breach of five hundred million Yahoo subscribers? What should, or could, it have known? The breach undoubtedly affects the valuation of Yahoo. Should the breach have been disclosed, if possible, to Verizon in the purchase negotiations? To paraphrase Shakespeare, these questions will be the stuff lawyers’ dreams are made of.

The breach was reported in the media Thursday night, September 22, and on September 23 The New York Times raised the issue of cybersecurity as a key component in due diligence for a merger or acquisition by noting “It is unclear whether security testing. . . was performed as part of Verizon’s due diligence process before it agreed to the acquisition. (S)uch security is often overlooked by investors.”

The article notes, citing a study by the Ponemon Institute, that the average time to identify cyberattacks is 191 days. If the breach occurred in 2014 as reported, should Yahoo, a sophisticated technology pioneer, have detected it and, if it did, should it have disclosed this fact to Verizon? Did Verizon ask about cyberattacks in its due diligence?

These are likely to be the seeds of some very expensive litigation. Certainly a privacy class action lawsuit will be brought, with at least a few thousand of the affected subscribers comprising the putative class of aggrieved individuals. But class action litigation arising from breaches has had a checkered record of success, with courts finding difficulties with the common interests of the class members and with proof of concrete injury, and so the lifespan of privacy litigation and its costs to Yahoo are uncertain.

But litigation based on established merger-and-acquisition and contract law may well arise from an alleged lack of disclosure of this attack and its far-reaching scope, and these cases could last longer and cost more than privacy litigation. Defenses may include a claim that the acquirer, Verizon, didn’t ask the right questions. We cannot know the outcome at this very early stage. The revelation of the attack may, depending on the acquisition documents, scuttle the deal. The lesson, though, is that cybersecurity is a key component in the valuation of any company in this digital age and must be addressed in due diligence to avoid time-consuming, expensive and potentially deal-fatal problems later.

If you have questions regarding how to include cybersecurity questions in due diligence and/or disclosures in mergers or acquisitions, please contact Kenneth N. Rashbaum.