Academic journal article American University Law Review

Corporate Directors' and Officers' Cybersecurity Standard of Care: The Yahoo Data Breach

Article excerpt


Yahoo! Inc. ("Yahoo" or the "Company") announced on September 22, 2016, that a state-sponsored hacker had breached the Company's digital systems in 2014 and had stolen personal information from over 500 million user accounts.1 The information stolen likely included names, birthdays, telephone numbers, email addresses, "hashed passwords (the vast majority with bcrypt), and, in some cases, encrypted or unencrypted security questions and answers."2 At the time it was announced, this 2014 theft represented the largest data breach ever.3 This record would only later be surpassed by another Yahoo breach: a 2013 breach affecting 1 billion user accounts that the Company announced in December 2016.4 Yahoo further disclosed its belief that the stolen data "did not include unprotected passwords, payment card data, or bank account information."5 Just two months before Yahoo disclosed its 2014 data breach, it announced a proposed sale of the Company's core business to Verizon Communications, Inc. ("Verizon").6 During mid-December 2016, Yahoo announced that another 1 billion customer accounts had been compromised during 2013, establishing a new record for the largest data breach ever.

Almost all corporations, from technology companies like Yahoo to brick-and-mortar sales companies that use electronic commerce services, face a significant risk from data breaches, and mergers and acquisitions may result in cyber liability and vulnerabilities for the acquirer.7 This announced acquisition raises a number of important corporate governance issues: whether Yahoo breached its duty to provide data security, its duty to monitor, its duty to disclose, or some combination thereof; the impact on Verizon shareholders of a renegotiated deal for the two companies to share the cost of liability; and whether more severe and wide-ranging compensation clawbacks would be appropriate.

This Article proceeds in three parts. Part I discusses corporate governance and the director's duty of care, including the duty to secure data and the duties to monitor and disclose. Part II presents a brief description of Yahoo; outlines Verizon's proposed acquisition; describes the Yahoo data breaches and their known impact to date; and looks at Yahoo's executive compensation, code of ethics, and duty to disclose material events. Part III examines the important corporate governance issues raised by the proposed Yahoo/Verizon transaction. The Article concludes with some thoughts on the evolution of corporate liability as it relates to data security and what the future may hold for this important and fast-developing area of the law.


A. The Duty to Provide Data Security

Corporate directors and officers have a duty to behave reasonably. This duty of care applies across directors' and officers' myriad responsibilities, including handling the corporation's digital data. There is, therefore, an emerging specific application of the duty of care as related to information technology: the duty to secure data. The applicable standard of care requires directors "to provide 'reasonable' or 'appropriate' physical, technical, and administrative security measures to ensure the confidentiality, integrity, and availability of corporate data."8

There is not, however, a single source, such as a comprehensive federal statute or regulation, that imposes a duty to provide data security. Rather, corporate legal obligations to implement data security systems are "set forth in an ever-expanding patchwork of state, federal, and international laws, regulations, and enforcement actions, as well as in common law duties, contractual commitments, and other expressed and implied obligations to provide 'reasonable' or 'appropriate' security for corporate data."9

1. Sources of the duty

a. Statutes and regulations

The primary statutory and regulatory sources of corporate data security obligations are diverse: privacy laws, data security laws, electronic transaction laws, corporate governance laws, unfair and deceptive business practice and consumer protection laws, and breach notification laws. …
