Corporate Directors' and Officers' Cybersecurity Standard of Care: The Yahoo Data Breach

By Trautman, Lawrence J.; Ormerod, Peter C. | American University Law Review, January 5, 2017


INTRODUCTION

Yahoo! Inc. ("Yahoo" or the "Company") announced on September 22, 2016, that a state-sponsored hacker had breached the Company's digital systems in 2014 and had stolen personal information from over 500 million user accounts.1 The information stolen likely included names, birthdays, telephone numbers, email addresses, "hashed passwords (the vast majority with bcrypt), and, in some cases, encrypted or unencrypted security questions and answers."2 At the time it was announced, this 2014 theft represented the largest data breach ever.3 This record would only later be surpassed by another Yahoo breach: a 2013 breach affecting 1 billion user accounts that the Company announced in December 2016.4 Yahoo further disclosed its belief that the stolen data "did not include unprotected passwords, payment card data, or bank account information."5 Just two months before Yahoo disclosed its 2014 data breach, it announced a proposed sale of the Company's core business to Verizon Communications, Inc. ("Verizon").6 During mid-December 2016, Yahoo announced that another 1 billion customer accounts had been compromised during 2013, establishing a new record for the largest data breach ever.

Almost all corporations, from technology companies like Yahoo to brick-and-mortar sales companies that use electronic commerce services, face a significant risk from data breaches, and mergers and acquisitions may result in cyber liability and vulnerabilities for the acquirer.7 This announced acquisition raises a number of important corporate governance issues: whether Yahoo breached its duty to provide data security, its duty to monitor, its duty to disclose, or some combination thereof; the impact on Verizon shareholders of a renegotiated deal for the two companies to share the cost of liability; and whether more severe and wide-ranging compensation clawbacks would be appropriate.

This Article proceeds in three parts. Part I discusses corporate governance and the director's duty of care, including the duty to secure data and the duties to monitor and disclose. Part II presents a brief description of Yahoo; outlines Verizon's proposed acquisition; describes the Yahoo data breaches and their known impact to date; and looks at Yahoo's executive compensation, code of ethics, and duty to disclose material events. Part III examines the important corporate governance issues raised by the proposed Yahoo/Verizon transaction. The Article concludes with some thoughts on the evolution of corporate liability as it relates to data security and what the future may hold for this important and fast-developing area of the law.

I. CORPORATE GOVERNANCE AND THE DIRECTOR'S DUTY OF CARE

A. The Duty to Provide Data Security

Corporate directors and officers have a duty to behave reasonably. This duty of care applies across directors' and officers' myriad responsibilities, including handling the corporation's digital data. There is, therefore, an emerging specific application of the duty of care as related to information technology: the duty to secure data. The applicable standard of care requires directors "to provide 'reasonable' or 'appropriate' physical, technical, and administrative security measures to ensure the confidentiality, integrity, and availability of corporate data."8

There is not, however, a single source, such as a comprehensive federal statute or regulation, that imposes a duty to provide data security. Rather, corporate legal obligations to implement data security systems are "set forth in an ever-expanding patchwork of state, federal, and international laws, regulations, and enforcement actions, as well as in common law duties, contractual commitments, and other expressed and implied obligations to provide 'reasonable' or 'appropriate' security for corporate data."9

1. Sources of the duty

a. Statutes and regulations

The primary statutory and regulatory sources of corporate data security obligations are diverse: privacy laws, data security laws, electronic transaction laws, corporate governance laws, unfair and deceptive business practice and consumer protection laws, and breach notification laws. …
