Corporate Directors’ and Officers’ Cybersecurity Standard of Care: The Yahoo Data Breach

61 Pages. Posted: 13 Dec 2016. Last revised: 24 Dec 2017.


Lawrence J. Trautman

Prairie View A&M University - College of Business; Texas A&M University School of Law (By Courtesy)

Peter Ormerod

Western Carolina University

Date Written: February 9, 2017


On September 22, 2016, Yahoo! Inc. announced that a data breach and theft of information from over 500 million user accounts had taken place during 2014 (the largest data breach ever at the time), likely including names, birthdays, telephone numbers, email addresses, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers. Yahoo further disclosed its belief that the stolen data “did not include unprotected passwords, payment card data, or bank account information.” Just two months before Yahoo disclosed its 2014 data breach, a proposed sale of the company’s core business to Verizon Communications was announced. Then, in mid-December 2016, Yahoo announced that another 1 billion customer accounts had been compromised during 2013, a new record for the largest data breach.

Social media and electronic commerce websites face significant risk factors, and mergers and acquisitions may bring cyber liability and vulnerabilities to the acquirer. The fact pattern in this announced acquisition raises a number of important corporate governance issues, including: whether Yahoo’s conduct leading up to the data breaches and its subsequent conduct constitutes a breach of the duty to provide security, the duty to monitor, the duty to disclose, or some combination thereof; whether the directors of Verizon will feel compelled to renegotiate pricing for the proposed acquisition of Yahoo given disclosure of the 2013 and 2014 data breaches; and whether clawbacks of compensation granted to key Yahoo executives are now in order.

We believe that cybersecurity remains a threat to all enterprises, and this article contributes to the corporate governance literature, particularly as it applies to mergers and acquisitions and the management of risk.

Keywords: Alibaba; Caremark; Corporate Governance; Compensation Clawbacks; Cybersecurity; Data Breach; Director and Officer (D&O) Liability; Duties of Care, Loyalty, to Disclose, to Monitor, and to Provide Data Security; Hackers; Mergers and Acquisitions; Nortel Software Acquisition; Privacy

Suggested Citation

Trautman, Lawrence J. and Ormerod, Peter, Corporate Directors’ and Officers’ Cybersecurity Standard of Care: The Yahoo Data Breach (February 9, 2017). 66 American University Law Review 1231 (2017). Available at SSRN.

Lawrence J. Trautman (Contact Author)

Prairie View A&M University - College of Business

Prairie View, TX
United States

Texas A&M University School of Law (By Courtesy)

1515 Commerce St.
Fort Worth, TX 76102
United States

Peter Ormerod

Western Carolina University

United States
