Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/813681
MAY 2017 46 INHOUSE By Renato Pontello In Closing Cybersecurity and the Yahoo experience Legal pays the price I f we were to roll the movie back several years, most boards in North America would have listed cybersecurity as low on their list of priorities. Ex- perience has shown, however, that we seriously underestimated the effect a security breach could have on a company's reputation and fortunes. Companies have since then had to pay out billions of dollars in damages for infi ltrations into their informa- tion systems. It is believed by some that the electoral re- sults in the United States were skewed and orchestrated by state-sponsored hackers. At board meetings I have attended recently, cybersecurity is very much on the minds of board members, both in their deliberations as well as in their social conversations. YAHOO CEO AND GENERAL COUNSEL The responsibility of boards and management teams to ensure that their information systems are secure is being brought home most poignantly with what is cur- rently being reported about the company Yahoo. Yahoo reported two major data breaches of user ac- count data to hackers during the second half of 2016. The fi rst announced breach, reported in September 2016, had occurred some time in late 2014 and affected more than 500 million Yahoo user accounts. A separate data breach, occurring earlier around August 2013, was reported in December 2016 and affected more than one billion user accounts. According to a Form 10-K fi led March 1, the company found that an additional 32 million accounts were compromised in 2015 and 2016 through the use of forged cookies. The intrusions allowed hackers acting on behalf of an unnamed foreign state to steal valuable personal information without the use of passwords. On March 1, Yahoo announced that its CEO, Ma- rissa Mayer, took responsibility for the theft of personal information by voluntarily foregoing her annual bonus and equity award for 2017. She asked that her bonus be redistributed to the company's employees. The Form 10-K discloses, surprisingly, that an inves- tigation led by an independent committee on Yahoo's board found that the company's information security team had contemporaneous knowledge of the 2014 breach as well as the cookie forging in 2015 and 2016. In other words, there was a multi-year delay on the part of Yahoo's management team and board in investigat- ing and disclosing the number of attacks and the extent of the potential damage done. According to the fi ling, senior executives and rel- evant legal staff were aware that a state-sponsored actor had accessed certain user accounts, and though Yahoo took certain remedial actions, the committee said se- nior executives including the legal team "did not prop- erly comprehend or investigate, and therefore failed to act suffi ciently upon, the full extent of knowledge known internally by the company's information secu- rity team." Accordingly, on the same day that the Mayer announcement was made, Yahoo announced that its general counsel and company secretary Ron Bell re- signed from the company after more than 15 years at Yahoo and almost fi ve years at the helm of its legal de- partment. Unlike Mayer, however, Bell lost his job and walked away with no severance. It is interesting that while Bell was not directly re- sponsible for IT security, his failure to ensure a timely and thorough investigation and reporting seems to have warranted his dismissal. FURTHER YAHOO REPERCUSSIONS The story since then has continued to unfold. On March 17, Yahoo announced in another regula- tory fi ling that after Yahoo sells its operating business to Verizon Communications Inc., Mayer will step down as CEO from the holding company that remains. She will leave, however, after receiving a US$23-million severance package. Besides her severance package, Mayer will gain control of stock options valued at $56.8 million, according to the fi ling. The stock will no doubt help ease the sting of losing out on her 2017 $1-million salary and stock option grant. The events at Yahoo suggest that cybersecurity is now a prominent topic in board discussions. Companies are prepared to take strong, visible steps to demonstrate that their customer's personal information is secure. The Yahoo experience, however, suggests that the lay- ing of responsibility may be uneven. It also seems to suggest that the legal department should play an im- portant oversight role as well as being key to any inves- tigation and reporting. Companies such as Yahoo are signaling that they are prepared to hold the feet of their in-house counsel to the fi re for information breaches, up to and including their dismissal, particularly where they fail to act promptly and thoroughly. IH Renato Pontello is legal counsel to Solantro Semiconductor Corp. He was formerly vice president legal, general counsel and corporate secretary to Zarlink Semiconductor Inc. He can be reached at renatopontello@ aol.com.