Get the DealBook newsletter to make sense of major business and policy headlines — and the power-brokers who shape them.
Shareholders haven’t been successful in holding companies accountable for data breaches.
That changed in the first month of 2019.
The former officers and directors of Yahoo agreed to pay $29 million to settle charges that they breached their fiduciary duties in their handling of customer data during a series of cyberattacks from 2013 until 2016. Three billion Yahoo user accounts were compromised in the attacks. The settlement ended three so-called derivative lawsuits filed in Delaware and California against the company’s former leadership team and board, including Marissa Mayer, Yahoo’s former chief executive. Insurance coverage will pick up the tab.
The settlement, approved this month by a Superior Court judge in Santa Clara, Calif., marked the first time that shareholders have been awarded a monetary damages in a derivative lawsuit related to a data breach. There have been very few breach-related derivative lawsuits, and all had been dismissed by the courts or settled without a payment to the shareholders.
A derivative lawsuit is a legal mechanism that gives the owners of a company — the shareholders — a way to hold corporate directors and management accountable for their actions. Shareholders file a claim on the company’s behalf, with any money recovered going to the corporation, not the individual shareholders, because the violation harmed only the organization.
Under the Yahoo settlement, the lawyers walk away with about $11 million in fees and expenses, with the remaining $18 million paid to Yahoo, now called Altaba after Verizon acquired Yahoo’s internet business in 2017.
A $29 million settlement might seem trivial for a company that has a market capitalization of $38 billion. But it signals that director and officer liability for cybersecurity oversight is entering new and potentially perilous territory. That is especially so in cases like Yahoo’s, in which shareholders allege egregious misconduct at the highest levels of an organization.
Those allegations might explain why the Yahoo case was settled.
Insurers don’t typically cough up tens of millions of dollars to settle derivative cases, which can be tough for shareholders to win. They must show that board members breached their fiduciary responsibilities by consciously disregarding their duties. The chief justice of the Delaware Supreme Court has called these claims “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”
The parties jointly told the court that the settlement was fair, in the best interest of all parties, and that a series of data security improvements have been worked out to minimize the chances that this will happen again. But the facts of the case most likely led the insurers to conclude that their exposure could be greater than the settlement.
The reason is that the actions alleged in the lawsuit are outrageous. The nearly 120-page complaint — which is heavily redacted — reads at points more like a criminal indictment than a lawsuit. It accuses Yahoo’s former leaders of engaging in an elaborate, yearslong plot to cover up hacks going back to 2013 and conducting a “sham” investigation to “conceal the largest hacking incident in U.S. history.”
Yahoo was a pioneer of the internet era, and the core of its business was providing ways for users to communicate with one another confidentially. Yet Yahoo failed miserably at this fundamental mission, according to the shareholders’ complaint. The expectations for consumer privacy and data security are far different for an internet company than a corner hardware store. The insurance carriers clearly understood this fact.
The company’s settlement with the Securities and Exchange Commission in April provided further fodder to justify a settlement. The S.E.C. tagged Altaba with a $35 million penalty for failing to make a timely disclosure of the data breach, the commission’s first action for a cybersecurity disclosure violation.
But it’s the details of the S.E.C. settlement that most likely proved the most troubling for the insurers. According to the S.E.C., “In late 2014, Yahoo had learned of a massive breach of its user database that resulted in the theft, unauthorized access or acquisition of hundreds of millions of its user’s personal data.” The agency further alleged that “Yahoo senior management and relevant legal staff did not properly assess the scope, business impact or legal implications of the breach” and “did not share information regarding the breach with Yahoo’s auditors or outside counsel.”
Yahoo didn’t disclose the breach until September 2016, when it was negotiating the sale of its internet business to Verizon. Although the transaction was completed, the acquisition price was lowered by $350 million to $4.48 billion. That made for bad optics, a fact that the insurers probably recognized.
Any company that figured it had little to fear from shareholders after a breach should now think twice. And in the meantime, this is definitely not the time to cut back insurance for officers and directors.