Verizon Merger Likely to Force More Robust Yahoo Response

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Sept. 29 — Yahoo! Inc. will likely undertake a more robust data breach response to reassure Verizon Communications Inc. that it isn't acquiring an unreasonable privacy and data security burden, cybersecurity professionals told Bloomberg BNA.

To preserve the terms of the $4.8 billion planned acquisition, Yahoo needs to prove to Verizon that it is committed to improving its network security, addressing the fallout from the data breach—including consumer litigation and potential loss of customers—and preventing additional breaches, they said.

Asked to comment on whether Yahoo's data breach response efforts are being shaped by the pending merger, a Yahoo spokeswoman Sept. 29 directed Bloomberg BNA to the post by Yahoo Chief Security Officer Bob Lord announcing the breach. In that Sept. 22 statement, Lord cited “increasingly sophisticated threats” to the connected world and said “Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”

Nathan J. Muyskens, co-chairman of the White Collar Criminal Defense and Investigations practice at Loeb & Loeb LLP in Washington, said that “a breach of this size for a company this size is a disaster.”

Even without a pending acquisition, Yahoo probably would have addressed the “consequences very seriously.” However, with a multi-billion dollar business deal on the line, Yahoo will do “everything possible” to get the situation under control, Muyskens told Bloomberg BNA.


Yahoo doesn't want the data breach to “negatively affect its sticker price and is going to do everything it can to sell for the original amount,” DataGravity Inc. Chief Information Security Officer Andrew Hay said. On the other hand, Verizon is probably looking at Yahoo with “a stronger negotiation position than before and may try to drive down the price it agreed to pay,” Hay told Bloomberg BNA.

Ryan Vela, regional vice president of Fidelis Cybersecurity Solutions Inc. in Dallas, said that he hasn't seen a planned merger that was halted by a data breach or security incident. However, Vela said he has seen mergers being “drawn out by months due to increased diligence placed on verifying the security of the networks that were breached.”

According to Hay, Yahoo probably has some time to evaluate its cybersecurity measures and responses. “Verizon is likely giving Yahoo time to get its house in order,” he said.

Muyskens agreed. The Yahoo breach isn't a deal-breaker, “but Verizon will probably get a discount,” he said.

A source familiar with the Yahoo acquisition told Bloomberg BNA Sept. 29 that as Yahoo continues in its data security efforts, Yahoo and Verizon are continuing apace on integration planning and finalizing the merger deal.

Massive Breach

Yahoo announced Sept. 22 that personal information associated with at least 500 million accounts was stolen in a 2014 data breach (15 PVLR 1881, 9/26/16). The attack compromised names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and security questions and answers, Yahoo said.

The breach disclosure came at a particularly sensitive time for Yahoo, as the acquisition by Verizon was scheduled to close in early 2017 (15 PVLR 1881, 9/26/16).

“Yahoo is in the hot seat,” Peter Nguyen, technical services director of cybersecurity company LightCyber Ltd. in Los Altos, Calif., said.

Yahoo needs to “prove its commitment to security” to minimize the negative effects on the pending merger, he said.

Vela said that given the pending merger, “Yahoo would definitely be more inclined to focus on cybersecurity,” he said. Double checking Yahoo's information security measures is in Verizon's best interest “to ensure what they are buying is not a security lemon,” Vela said.

Threat of More Breaches, Litigation

In addition to preserving the acquisition price, focusing on improving cybersecurity measures would likely allow Yahoo to decrease the risks of additional breaches, the cybersecurity pros said.

“The breach places Yahoo in the spotlight for attacks by other groups,” Vela said. If the Yahoo-Verizon merger is completed, there will “inevitably be some interconnection between the networks,” he said.

“The post-merger network will become more attractive to attackers since it will contain more personally identifiable information to steal,” he said.

There is no doubt Yahoo is “sparing no expense at increasing the security posture, especially since the breach has increased their risk level and because it could have a direct effect on the terms of the merger,” Vela said.

Yahoo should also address cybersecurity shortcomings to mitigate negative customer views and potential fallout and delays caused by related litigation, the security pros said.

“If Yahoo is known to have sub-standard security, there are plenty of places to turn to for e-mail and other services,” Nguyen said.

Citing a recent study by RAND Corp., Hay said that approximately 11 percent of customers stopped dealing with an affected company following a data breach. “Depending on whether Verizon is acquiring Yahoo for technology, brand power or customer acquisition, a potential 11 percent loss of pre-acquisition customers is enough to impact what they're willing to pay,” he said.

The massive data breach has already spurred consumer class complaints alleging that Yahoo failed to adequately protect consumers' personal information .

The future of Yahoo depends on how the company's board feels settling the suits “will affect its share price,” Hay said.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editors responsible for this story: Donald G. Aplin at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.