On September 22, 2016, Yahoo Inc. reported that it suffered a data breach affecting 500 million of its approximately 1 billion user accounts. According to a press release issued by the company, stolen information "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers".1 This data breach apparently occurred in late 2014 and Yahoo believes it was perpetrated by a "state-sponsored actor".
Besides the inevitable regulatory and class action fallout, what makes this interesting from a legal perspective is that Yahoo happens to be in the throes of a $4.8-billion (U.S.) asset acquisition by Verizon, which is scheduled to close by early next year.2 According to The Globe & Mail, Verizon was notified of the breach within the two days prior to Thursday’s announcement. We suspect that this cyberbreach incident will have a significant impact on that transaction.
How can purchasers protect themselves against cyberbreach issues when acquiring target companies? There is no silver bullet, but, as part of the due diligence process in assessing a potential acquisition, in today’s cyberbreach environment purchasers should at least be conducting detailed investigations of the target’s information security procedures and practices. Initial enquiries include the following types of investigations:
Wherever possible, purchasers in today’s transactions will want to build into their agreements of purchase and sale risk allocation provisions, in the form of representations and warranties, indemnities and holdbacks, that will protect the purchaser against the costs of cyberbreaches, whether discovered before or after closing. The advantages of a separate indemnity in respect of cyberbreaches are that the indemnity can be excluded from the various categories and limits of liability in the deal, it can be crafted so as to apply regardless of whether there has been a disclosure of known cyberbreaches, and it can be negotiated to apply to previously unknown cyberbreaches discovered post-closing. Purchasers should also build in, as a condition of closing, the absence of any cyberbreaches prior to closing.
In the public markets, incidents of this nature could easily derail a transaction. In the Verizon deal, Verizon has agreed to purchase Yahoo’s operating business, subject to "customary closing conditions, approval by Yahoo’s shareholders, and regulatory approvals."3 One wonders how comfortable the Yahoo shareholders will be in approving this transaction, if the agreement of purchase and sale provides for significant penalties as a result of the cyberbreach. Alternatively, will Verizon be prepared to proceed with the transaction if the agreement provides a mechanism to terminate the deal in the event of an incident such as this?
To do business today is to be connected to the Internet. Connection to the Internet provides the opportunity for cyberbreach and, unfortunately, cyberbreach is no longer an isolated incident. Asking probing questions and conducting thorough due diligence concerning a target company’s cyberbreach experiences, policies, practices and pending actions is no longer unusual; it just makes good business and legal sense.
1 Yahoo Inc., “An Important Message to Yahoo Users on Security” (September 22, 2016).
2 The Globe and Mail, “Yahoo says ‘state-sponsored actor’ hacked 500 million user accounts” (September 22, 2016).
3 Verizon Communications Inc., “Verizon to acquire Yahoo’s operating business” (July 25, 2016).