Cyber attacks have almost become an expectation of 21st century business. From denials of service and data theft to viruses and ransomware, it seems to be simply a matter of time before a company is assailed. Some experts predict that increase in cyber incidents will unavoidably lead to spike in cyber-related litigation. Yet Audit Analytics’ review of cyber disclosure in SEC filings found that in the past five years the number of material cyber-related legal cases was virtually unchanged – six in 2012 and seven in 2016. The prevalence of breach-related disclosures was only marginally more substantial. In 2012, six companies disclosed having been the subject of some sort of cyber-breach, compared to 16 such cases in 2016.
So why hasn’t the litigation trend aligned with the cyberattacks trend? Labaton Sucharow, in their Cyber Threats and Litigation review, stated that “even some of the worst data breaches have not been accompanied by the sharp share price declines that one might expect.” Without a significant drop in the stock price, it is difficult for shareholders to claim damages and bring legal action. Further, damages incurred by the affected customers might be just as difficult to prove.
Yet, a recent series of data breaches disclosed by Yahoo provide an interesting case of stock dropping following some of the announcements. Let’s look at Yahoo’s case and see what sets it apart.
On July 25, 2016, Verizon made public its intent to acquire Yahoo for $4.8 billion. In September 2016, just two months later, Yahoo announced that over 500 million accounts had been hacked. To make the things worse, the breaches occurred back in 2014, two years before the public was alerted. This raised an immediate question: would there be any impact on the Verizon and Yahoo pending merger? According to the WSJ, Verizon stated that the company “will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities”. Three months later, in December, Yahoo disclosed two additional breaches. Together, the breaches affected over a billion accounts, which, if we consider the breadth of the impact, make it by far the largest breach in history. Following the December 14th after-hours breach announcement, Yahoo stock lost more than 6%, dropping from $40.90 to $38.40.
In January, The New York Times reported that Yahoo and Verizon were delaying the close of the acquisition from the first quarter of 2017 to “no sooner than April.” Finally, on Tuesday, the Wall Street Journal announced the acquisition price would be reduced by as much as $350 million, and Verizon and Yahoo would split the breach liability.
It is not clear how the $350 million haircut was calculated. Should we assume that $350 million is a reserve for expected cyber-related expenses (such as legal costs and potential litigation settlements)? So far, only two cyber breaches exceeded $200 million in total costs. In 2013, Target disclosed a breach that cost shareholders $291 million in expenses of which $49 million was related to the settlement of litigation. The Home Depot’s 2014 data breach cost shareholders $288 million in expenses of which $13 million were related to the settlement of litigation.
It is important to remember that in Target and Home Depot’s cases both financial and personal data was compromised. Yahoo’s breaches presumably affected only personal data.
To make sure we are comparing apples to apples, let’s take a look at eBay’s 2014 data breach that affected 145 million accounts. In July 2014, Collin Green – on behalf of all eBay users – brought a legal action alleging economic damages based on eBay’s failure to provide adequate protection of personal information and failure to timely notify customers. In defense, eBay claimed that there was no evidence that financial data (such as credit cards numbers) was compromises and no evidence that the customers incurred any actual damages. The judge appeared to agree and in 2015 the litigation was dismissed. By 2016, eBay’s legal costs related to the cyber breach reached $46 million. There was no litigation on behalf of the shareholders.
Let’s get back to Yahoo. Yahoo has two separate pending lawsuits. The first litigation was brought on behalf of Yahoo customers by Ram Olson Cereghino & Kopczynski LLP seeking damages based on Yahoo’s failure to secure its users’ data in the breach announced in September. On the surface, the nature of the suit appears to be similar to the one brought by eBay’s customers in 2014. Naturally, there are no two identical cases – for example, Yahoo had a series of three breaches and did not notify the users about the 2014 breach until late 2016 (and even that announcement came months after the Yahoo accounts information surfaced on the black market).
In September 2016, Mark Madrack, on behalf of Yahoo shareholders, brought a class action seeking damages based on Yahoo’s failure to inform investors about the data breach. As MarketWatch reported, “The Securities and Exchange Commission has opened an investigation […] as it looks into whether the tech company’s disclosures about the cyberattacks complied with civil securities laws.” This is a first cyber-related SEC investigation against a non-financial institution that we have seen; and first class action involving breach that did not compromise financial information. We will have to wait and see whether SEC investigation and renegotiated Verizon agreement add footing to this litigation.
So far, we discussed only direct costs stemming from the breaches, such as legal costs and potential settlement amounts. But what about other, less obvious costs – such as reputation damages and brand impairment? This would not be the first case. Recently, Sony Pictures recorded an impairment charge for their Pictures Segment, bringing the value of the unit from $962 million to $0. In 2014, Sony Pictures had one of the largest data breaches to date in terms of Intellectual Property. Following the breach, several highly anticipated movies were released online, substantially decreasing forecasted box office revenue. Sony recorded $41 million in “investigation and remediation” costs. Yet, arguably, hackers are to blame for a substantial part of the $962 mil impairment.
In Verizon’s July 2016 announcement, the company identified Yahoo as “one of the most popular email services globally with 225 million monthly active users.” It is too early to say whether the Yahoo security incident will prompt some of the Yahoo users to seek alternative providers.
We said more than once that the major risk with accounting related reviews is that the investigation may spread to other areas of accounting. Yahoo breach is not related to any accounting issues, yet follows the same pattern – what started as an isolated event, turned into a significant liability, with hard to predict amounts of financial and economic damages.