Yahoo Billion Account Breach May Push Enforcement

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Yahoo! Inc.'s disclosure of a billion-account data breach—its second major breach revelation in three months—will increase the likelihood of regulators taking public data security enforcement action, privacy and security professionals said Dec. 15.

Edward J. McAndrew, a cybersecurity partner at Ballard Spahr LLP in Philadelphia, told Bloomberg BNA that it would be “very surprising if Yahoo’s data security practices did not attract the attention of various regulators here and abroad, beginning with the Federal Trade Commission.”

The FTC, state attorneys general and international privacy regulators will want to “investigate how Yahoo failed to secure the personal data of at least 1.5 billion” accounts over such a long period of time, McAndrew said.

Katherine E. Armstrong, counsel at Drinker Biddle & Reath LLP in Washington and a former FTC attorney, agreed. “Certainly the Yahoo breach will catch the attention of regulators, but that is almost all we know for certain,” she told Bloomberg BNA. “Whether or not the FTC determines to bring a law enforcement action depends upon the careful analysis of the facts surrounding the breach,” she said.

Josh Tzuker, attorney-advisor to FTC Commissioner Terrell McSweeny, told Bloomberg BNA Dec. 15 that although he can’t disclose or discuss ongoing investigations, the FTC has “very diligent and effective investigators and attorneys who continually work in the public’s best interests.”

New York Attorney General Eric T. Schneiderman Dec. 15 issued a consumer alert, urging New Yorkers to “take immediate steps to protect their personal information online” in the wake of Yahoo’s announcement. Schneiderman said his office is in touch with Yahoo and is examining the breach. Office of California Attorney General Kamala D. Harris didn’t immediately respond to Bloomberg BNA’s request for comments on whether it is looking into the new breach.

Yahoo announced Dec. 14 that more than 1 billion user accounts may have been affected in a 2013 data breach incident. This data breach is in addition to a 2014 breach incident the company disclosed in September that may have compromised at least 500 million user accounts.

Yahoo is the ninth largest public internet media company in the world with approximately $39 billion in market capitalization, Bloomberg data show. Verizon Communications Inc. agreed to buy Yahoo for $4.8 billion, in a deal scheduled to conclude in early 2017. According to a Dec. 15 Bloomberg Technology report, Verizon is exploring a price cut or possible exit from the pending acquisition.

‘Attractive Case Target’

Barry Goheen, partner at King & Spalding LLP in Atlanta, told Bloomberg BNA that “if it turns out there are strong similarities between the two data breaches,” regulators may be forced to “vigorously” investigate the matter. It isn’t a “huge leap to imagine other federal agencies” getting involved in the investigation, he said.

Chris Jay Hoofnagle, a technology, privacy and law professor at the University of California, Berkeley, said that “several factors make the Yahoo breach an attractive case target for the FTC—its size, the presence of several breaches, the apparent discovery of the breach by law enforcement and the reported scaling back of resources for security.”

However, Hoofnagle told Bloomberg BNA that there are “several factors” against intervention by the FTC. “First, the root cause of the latest breach is unknown, and if that root cause has already been the subject of existing FTC cases, it makes the effort less novel,” he said. “Second, Yahoo is likely to be punished in the market for these breaches, by Verizon and by the class action bar,” Hoofnagle said.

Yahoo is already facing consolidated multidistrict consumer claims over the 2014 data breach.

Privacy regulators in the U.K. and Ireland have already said they are investigating the new Yahoo breach.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security