Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Jimmy H. Koo
Sept. 29 — Yahoo! Inc. will likely undertake a more robust data breach response to reassure Verizon Communications Inc. that it isn't acquiring an unreasonable privacy and data security burden, cybersecurity professionals told Bloomberg BNA.
To preserve the terms of the $4.8 billion planned acquisition, Yahoo needs to prove to Verizon that it is committed to improving its network security, addressing the fallout from the data breach—including consumer litigation and potential loss of customers—and preventing additional breaches, they said.
Asked to comment on whether Yahoo's data breach response efforts are being shaped by the pending merger, a Yahoo spokeswoman Sept. 29 directed Bloomberg BNA to the post by Yahoo Chief Security Officer Bob Lord announcing the breach. In that Sept. 22 statement, Lord cited “increasingly sophisticated threats” to the connected world and said “Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”
Nathan J. Muyskens, co-chairman of the White Collar Criminal Defense and Investigations practice at Loeb & Loeb LLP in Washington, said that “a breach of this size for a company this size is a disaster.”
Even without a pending acquisition, Yahoo probably would have addressed the “consequences very seriously.” However, with a multi-billion dollar business deal on the line, Yahoo will do “everything possible” to get the situation under control, Muyskens told Bloomberg BNA.
Yahoo doesn't want the data breach to “negatively affect its sticker price and is going to do everything it can to sell for the original amount,” DataGravity Inc. Chief Information Security Officer Andrew Hay said. On the other hand, Verizon is probably looking at Yahoo with “a stronger negotiation position than before and may try to drive down the price it agreed to pay,” Hay told Bloomberg BNA.
Ryan Vela, regional vice president of Fidelis Cybersecurity Solutions Inc. in Dallas, said that he hasn't seen a planned merger that was halted by a data breach or security incident. However, Vela said he has seen mergers being “drawn out by months due to increased diligence placed on verifying the security of the networks that were breached.”
According to Hay, Yahoo probably has some time to evaluate its cybersecurity measures and responses. “Verizon is likely giving Yahoo time to get its house in order,” he said.
Muyskens agreed. The Yahoo breach isn't a deal-breaker, “but Verizon will probably get a discount,” he said.
A source familiar with the Yahoo acquisition told Bloomberg BNA Sept. 29 that as Yahoo continues in its data security efforts, Yahoo and Verizon are continuing apace on integration planning and finalizing the merger deal.
Yahoo announced Sept. 22 that personal information associated with at least 500 million accounts was stolen in a 2014 data breach (15 PVLR 1881, 9/26/16). The attack compromised names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and security questions and answers, Yahoo said.
The breach disclosure came at a particularly sensitive time for Yahoo, as the acquisition by Verizon was scheduled to close in early 2017 (15 PVLR 1881, 9/26/16).
“Yahoo is in the hot seat,” Peter Nguyen, technical services director of cybersecurity company LightCyber Ltd. in Los Altos, Calif., said.
Yahoo needs to “prove its commitment to security” to minimize the negative effects on the pending merger, he said.
Vela said that given the pending merger, “Yahoo would definitely be more inclined to focus on cybersecurity,” he said. Double checking Yahoo's information security measures is in Verizon's best interest “to ensure what they are buying is not a security lemon,” Vela said.
In addition to preserving the acquisition price, focusing on improving cybersecurity measures would likely allow Yahoo to decrease the risks of additional breaches, the cybersecurity pros said.
“The breach places Yahoo in the spotlight for attacks by other groups,” Vela said. If the Yahoo-Verizon merger is completed, there will “inevitably be some interconnection between the networks,” he said.
“The post-merger network will become more attractive to attackers since it will contain more personally identifiable information to steal,” he said.
There is no doubt Yahoo is “sparing no expense at increasing the security posture, especially since the breach has increased their risk level and because it could have a direct effect on the terms of the merger,” Vela said.
Yahoo should also address cybersecurity shortcomings to mitigate negative customer views and potential fallout and delays caused by related litigation, the security pros said.
“If Yahoo is known to have sub-standard security, there are plenty of places to turn to for e-mail and other services,” Nguyen said.
Citing a recent study by RAND Corp., Hay said that approximately 11 percent of customers stopped dealing with an affected company following a data breach. “Depending on whether Verizon is acquiring Yahoo for technology, brand power or customer acquisition, a potential 11 percent loss of pre-acquisition customers is enough to impact what they're willing to pay,” he said.
The massive data breach has already spurred consumer class complaints alleging that Yahoo failed to adequately protect consumers' personal information .
The future of Yahoo depends on how the company's board feels settling the suits “will affect its share price,” Hay said.
To contact the reporter on this story: Jimmy H. Koo in Washington at email@example.com
To contact the editors responsible for this story: Donald G. Aplin at firstname.lastname@example.org
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)