Consequences of Yahoo Data Breaches Continue

The implications of Yahoo’s (YHOO) data breaches continue to unfold.

Last Wednesday, Yahoo filed its fiscal 2016 Annual Report, in which management made a number of significant disclosures related to the cyber security incidents. In particular, they discussed changes to their agreement to be purchased by Verizon, provided an update regarding the impacts of their cyber breaches, and disclosed remedial actions taken with regard to the cyber breaches.

Verizon Purchase Agreement

Yahoo confirmed previous reports that the purchase price under the Stock Purchase Agreement (SPA) would be reduced by $350 million and that Verizon and Yahoo would split the cost of “certain post-closing cash liabilities related to the data security incidents and other data breaches incurred by the Company.” This seems to imply that Yahoo may have other data breaches in addition to the three previously disclosed. They also disclosed that the SPA would be amended to exclude the cyber breaches from “Business Material Adverse Effect” and to extend the Closing to July 24, 2017.

Updated Impact of Cyber Incidents

Yahoo disclosed that they had spent $16 million on their cyber incidents, of which $5 million related to forensic investigation and remediation activities and $11 million went towards legal costs. In addition, Yahoo faces investigations from five state and federal agencies, including the SEC, FTC, US Attorney’s Office for the Southern District of New York, and two State Attorneys General, as well as 44 class action lawsuits (43 consumer class actions and 1 stockholder class action).

New Impact of Cyber Incidents

While most of Yahoo’s disclosure either affirmed news reports or updated previous disclosures, in this filing the company also indicated that their SOX 302 disclosure controls were ineffective.

Due exclusively to deficiencies in the Company’s existing security incident response protocols related to the 2014 Security Incident, the Company’s disclosure controls and procedures were not effective at December 31, 2016.

In addition, they concluded that their disclosure controls from quarterly periods ended December 31, 2014 through September 30, 2016 were also not effective.

The ineffective disclosure controls were due to the company’s failure to properly investigate, remediate, and communicate their 2014 data breach.

Despite the ineffective disclosure controls, Yahoo maintained that their SOX 404 internal controls were effective.

Remedial Actions & Reprimands

Yahoo’s Board of Directors conducted an independent investigation of the cyber incidents. Following the investigation, Yahoo enhanced their controls for dealing with cyber incidents, including implementing processes and procedures, conducting comprehensive training, and increasing communication.

Management was also reprimanded. The Board of Directors withheld a 2016 cash bonus from CEO Marissa Mayer, and Mayer also declined a 2017 annual equity award. Ronald S. Bell, the company’s general counsel, resigned. Bell did not receive a payment in connection with his departure from the company.

This report may put to rest some worries about the Verizon deal. Yahoo said they expect the deal to close in the second quarter of 2017. But that doesn’t mean Yahoo has nothing to worry about. As we explained in our previous blog, Yahoo still faces significant litigation risk, and the results of the company’s independent investigation coupled with the ineffective disclosure controls further the stockholder class action claims. Yahoo’s litigation may become the standard by which data breach disclosure litigation is measured.