Corporate Directors’ and Officers’ Cybersecurity Standard of Care: The Yahoo Data Breach

61 Pages. Posted: 13 Dec 2016. Last revised: 24 Dec 2017

Lawrence J. Trautman

Prairie View A&M University - College of Business

Peter Ormerod

Western Carolina University

Date Written: February 9, 2017

Abstract

On September 22, 2016, Yahoo! Inc. announced that a data breach and theft of information from over 500 million user accounts had taken place during 2014 (the largest data breach ever at the time), likely including names, birthdays, telephone numbers, email addresses, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers. Yahoo further disclosed its belief that the stolen data “did not include unprotected passwords, payment card data, or bank account information.” Just two months before Yahoo disclosed its 2014 data breach, a proposed sale of the company’s core business to Verizon Communications was announced. Then, during mid-December 2016, Yahoo announced that another 1 billion customer accounts had been compromised during 2013, a new record for the largest data breach.

Social media and electronic commerce websites face significant risk factors, and mergers and acquisitions may bring cyber liability and vulnerabilities to the acquirer. The fact pattern in this announced acquisition raises a number of important corporate governance issues, including: whether Yahoo’s conduct leading up to the data breaches and its subsequent conduct constitutes a breach of the duty to provide security, the duty to monitor, the duty to disclose, or some combination thereof; whether the directors of Verizon will feel compelled to renegotiate pricing for the proposed acquisition of Yahoo given disclosure of the 2013 and 2014 data breaches; and whether clawbacks of compensation granted to key Yahoo executives are now in order.

We believe that cybersecurity remains a threat to all enterprises, and this article contributes to the corporate governance literature, particularly as it applies to mergers and acquisitions and the management of risk.

Keywords: Alibaba; Caremark; Corporate Governance; Compensation Clawbacks; Cybersecurity; Data Breach; Director and Officer (D&O) Liability; Duties of Care; Loyalty; disclose; monitor; provide data security; Hackers; Mergers and Acquisitions; Nortel software acquisition; Privacy

Suggested Citation

Trautman, Lawrence J. and Ormerod, Peter, Corporate Directors’ and Officers’ Cybersecurity Standard of Care: The Yahoo Data Breach (February 9, 2017). 66 American University Law Review 1231 (2017). Available at SSRN: https://ssrn.com/abstract=2883607 or http://dx.doi.org/10.2139/ssrn.2883607

Lawrence J. Trautman (Contact Author)

Prairie View A&M University - College of Business

Prairie View, TX
United States

Peter Ormerod

Western Carolina University

United States
