The Yahoo Breach: M&A Lessons for Corporate Fiduciaries



To understand the lessons to be learned from the Yahoo-Verizon deal, one must consider the fiduciary duties at issue in mergers and acquisitions, the role of data in the modern economy and the importance of ensuring corporate fiduciaries are in a strong position to objectively discharge their duty of loyalty and care. The author provides three lessons that may be gleaned from the Yahoo-Verizon merger when it comes to the treatment of data.


By Steven L. Caponi

Steven Caponi is a partner at K&L Gates LLP in Wilmington, Del. in the firm's Complex Commercial Litigation and Dispute, and Cyber Law and Cybersecurity practice groups.

There are various iterations of the saying, but its most popular form states: “Wise men learn from their mistakes, but wiser men learn from the mistakes of others.” For corporate fiduciaries involved with merger and acquisition (M&A) transactions, the recently disclosed breach at Yahoo! Inc., and its impact on the pending merger with Verizon Communications Inc., offers many lessons. The most significant is the realization that data can be a valuable asset; but conversely, the mishandling of data in connection with a transaction can quickly become a significant latent liability for both sellers and buyers. To avoid potential liability, prudent fiduciaries (officers/directors) should take several key lessons from the Yahoo breach and adopt best practices for mitigating data risks in the context of corporate transactions.

To understand the lessons to be learned from the Yahoo-Verizon deal, one must consider the fiduciary duties at issue in the M&A context and the role of “data” in the modern economy. The two primary fiduciary duties are those of loyalty and care to the company. The duty of loyalty is frequently described as the obligation to refrain from being “interested” in the transaction and to remain “independent” relative to the decisions being made. A less often discussed aspect of loyalty, however, is the affirmative obligation to monitor risks to the corporation. Directors who fail to monitor or oversee known risks can be deemed to have disabled themselves from being informed of problems requiring their attention, thus breaching their duty of loyalty. Closely related to this aspect of the duty of loyalty, the duty of care requires directors to remain informed and to consider all material information reasonably available when making decisions, including decisions pertinent to a pending merger or acquisition.

The importance of ensuring corporate fiduciaries are in a strong position to objectively discharge their duties of loyalty and care is not theoretical or simply a best practice. Cornerstone Research regularly conducts annual surveys looking at the impact of litigation challenges to M&A activity. Cornerstone estimates that, since 2009, over 90 percent of public M&A deals over $100 million resulted in a legal challenge. Allegations that directors/officers breached their fiduciary duty are a staple of these lawsuits. In light of this reality, following a transaction directors and officers will likely have a 90 percent chance of finding themselves standing before a court having to justify their conduct. Given the detrimental impact of litigation, it is critical that the process followed by a board during its consideration of a merger or acquisition is sound, can be objectively established, and comports with its fiduciary duties.

As the “global economy” gives way to the “digital economy,” data is both a material asset and a liability that must be specifically considered by fiduciaries. While not as easy to value as tangible assets, there is a clear consensus in the marketplace that data is becoming an increasingly valuable part of every company.

In an article exploring the difficulty in valuing data, the Wall Street Journal estimated in 2014 that corporate holdings of data and other intangible assets exceeded $8 trillion. This is not a surprising figure when one considers IBM's assessment that “[e]very day we create 2.5 quintillion bytes of data—so much that 90 percent of the data in the world has been created in the last two years alone.”

The plethora of data explains in part why Nanalyze, which provides objective information about companies involved in disruptive technologies, noted there are now 14 “Big Data” companies worth over $1 billion each. But data is proving to be very valuable even to decidedly low-tech companies. It has been reported in various financial publications that supermarket operator Kroger Co., which diligently tracks the purchasing history of its customers, is estimated to generate around $100 million a year from data sales, on total revenue of approximately $1 billion.

Just as data can be valuable if utilized efficiently, it can be a source of significant liability if mishandled. According to the IBM 2016 Ponemon Cost of Data Breach Study, for breaches involving 100,000 or fewer records the average cost for each lost or stolen record containing sensitive customer information increased from $154 in 2015 to $158 this year. The report also noted that breach costs increased the larger the breach and the longer it took to detect the breach.

With respect to the recent “mega breaches” suffered by Target Corp. and Home Depot Inc., hackers stole approximately 100 million customer files, which according to their various Securities and Exchange Commission filings resulted in combined direct incident response costs of over $550 million, or around $4.50 a record. Although these figures are significant in themselves, it is important to note that they do not include indirect costs such as in-house investigations, customer losses, reputational losses, drops in stock value, governmental investigation costs and general business disruption expenses.

It is the intersection of the above described fiduciary duties, the importance of the data economy and the events surrounding the Yahoo breach, where directors can learn a few important lessons. Whether contemplating a sale or acquisition, the directors' primary obligation is to protect the interests of the shareholders by remaining well informed of all material risks related to the transaction—including data related risks. This point was most recently driven home by the public disclosure of the Yahoo breach.

Earlier this year, Verizon offered to purchase Yahoo for $4.8 billion. It is widely assumed the mobile telecom provider is pursuing the transaction to obtain Yahoo's advertising and content businesses. According to press reports, this is part of a larger Verizon strategy to develop scale to increase revenues from digital advertising on mobile devices.

On July 23, the two companies executed a Stock Purchase Agreement that anticipates a closing before the end of the first quarter of 2017. Less than two months later, Yahoo publicly announced that data associated with at least 500 million user accounts had been stolen. The data included customer names, e-mail addresses, telephone numbers, dates of birth, passwords and security questions and answers.

Within days of the announcement, several class action lawsuits were filed against Yahoo claiming the company intentionally or recklessly failed to protect user data in violation of various state and federal laws, including the Federal Trade Commission Act and California privacy statutes. It is widely expected that the Securities and Exchange Commission, Federal Trade Commission and various state and federal investigations will closely scrutinize Yahoo's privacy practices and handling of the breach.

What are the lessons that can be gleaned from the Yahoo-Verizon transaction when it comes to the treatment of data? If you are a corporate fiduciary looking to reduce your risk of personal liability, there are three significant points to consider when contemplating your next merger or acquisition.

Lesson #1: Choose the Correct Deal Structure

Assuming media reports are accurate, Verizon is acquiring Yahoo to obtain its proprietary ad and content assets, but not other underperforming aspects of the business. Yet Verizon structured the transaction as a stock acquisition and not as an asset sale. This decision may prove significant. By acquiring 100 percent of Yahoo's stock, Verizon will acquire 100 percent of Yahoo's liabilities—including those associated with the recently disclosed breach, which occurred two years ago in 2014. When evaluating a transaction, fiduciaries should consider whether an asset sale or a stock acquisition makes more sense given the drivers behind the transaction. If the deal is driven by discrete assets, boards should seriously consider purchasing just the desired assets and/or explicitly excluding from the sale any data (and potential liabilities) associated with noncore assets.

Lesson #2: Adopt Appropriate Reps and Warranties

The Yahoo-Verizon merger agreement sought to address data liabilities by including several specific provisions requiring Yahoo to represent and warrant the condition of its data privacy practices. By way of example, this included the following statement “[t]o the knowledge of [Yahoo], there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of [Yahoo's] … information technology systems … that could reasonably be expected to have a Business Material Adverse Effect.”

Though this language obligates sellers to disclose known incidents, it does nothing to protect the buyer in the situation where the intrusion was undiscovered or unknown. As discussed in media reports, Yahoo was unaware of the breach for over two years. The late detection is not surprising, since most hacks rely on malicious code that enters a network disguised as a mundane attachment and then sits silently until activated days, weeks, months or even years later. It is not uncommon for a buyer to acquire a company, only to suffer a post-closing breach facilitated by a virus that was implanted pre-closing without the knowledge of the seller. Had Yahoo remained in the dark for only a few more months, Verizon would have closed on the transaction and inherited significant data breach liabilities, but would have had limited recourse against Yahoo because it technically complied with the applicable reps and warranties.

Another weakness with the “standard” reps and warranties found in many merger agreements is the fact that they are breached only if there is a “material adverse effect” on the business. In the case of data breaches, however, it is often very difficult, if not impossible, to predict whether an incident will have a material adverse effect until months if not years later. The duration of litigation, extent of governmental investigations, magnitude of fines, full impact of reputational damage, cost of internal remediation, etc., can remain largely unknown for an extended period of time. This leaves the buyer in the position of claiming the breach constituted a material adverse change, while the seller argues the incident is a minor setback given the magnitude of the transaction.

According to reports by the financial network CNBC, Verizon is seeking a $1 billion discount from the pending $4.8 billion agreement with Yahoo. On one hand, this discount would not seem out of line if the Target/Home Depot breaches are used as a benchmark. Because the Yahoo breach involved twice as many records, Verizon could argue the liabilities will double the $550 million incurred by Target and Home Depot.

On the other hand, every breach is unique, and the Yahoo breach does not appear to involve credit cards or issuing banks—two factors that can significantly increase the cost of a breach. Effectively, both Yahoo and Verizon are left in a grey area with few good options due to the overreliance on reps and warranties. One side or the other can declare a breach by claiming the cost of responding to the incident will constitute a material adverse event. But doing so exposes that party to the risk of paying a significant termination fee if it is wrong—the Yahoo-Verizon transaction includes a termination fee exceeding $150 million. The other option is to renegotiate the terms of the transaction. But there is no guarantee the counterparty will agree to open the discussions. Even if it does, neither party knows the full scope of what is being renegotiated, so reaching a consensus may prove elusive.

Lesson #3: There is No Substitute for Affirmative Due Diligence

While the inclusion of data-specific representations and warranties is a good start, it is not enough. In addition to requiring the disclosure of known issues, buyers should insist on provisions in the merger agreement that can unearth latent problems by allowing for third-party testing of the seller's technology and that include specific rights/obligations depending on what is found. This process is very similar to the Phase I and Phase II testing adopted to address hidden environmental liabilities. The first step is to conduct a basic survey of the seller's systems. There are numerous data security specialists who can quickly and inexpensively scan networks for the existence of malware, detect old or ongoing breaches, and identify significant vulnerabilities. To the extent the first phase of this active due diligence uncovers potential issues, the merger agreement would permit more extensive testing to fully understand the scope of the problem and the magnitude of the potential liability.

While active due diligence provisions are preferable to simply asking the seller to identify “known” issues, they should be coupled with language that specifically delineates the parties' rights and remedies. For example, the merger agreement can define a “material adverse effect” in the context of a data breach by setting thresholds: an event involving fewer than 100,000 records may be deemed not material, or an incident involving health records may automatically be deemed material regardless of the number of records disclosed. Or the agreement could require the parties to negotiate in good faith to establish a reserve or escrow, using a pre-negotiated formula, if a breach is discovered. The options are endless and can be tailored to address the nature of the transaction and the seller's business.

For corporate fiduciaries engaged in M&A transactions, the significance of data is no longer a theoretical or minor concern. Data has the ability to deprive purchasers of the value they hoped to achieve through the acquisition and can saddle shareholders with significant unforeseen liabilities. There are tools to address the risks associated with data, but they must be thoughtfully considered and implemented by the board. The failure to do so will increasingly leave fiduciaries exposed to personal liability, often in the form of an expensive and distracting shareholder class action.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
