Reprinted with permission from the June 22, 2018 issue of The Legal Intelligencer. © 2018 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
As former SEC Commissioner Luis Aguilar aptly stated: “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” The statistics on data breaches echo the commissioner’s message: 2017 saw an 88 percent increase in the number of compromised records compared with 2016. All companies in today’s economy rely on digital assets to conduct business. Companies collect and store personal data about users for payment, marketing and analytics purposes. Business-to-business and business-to-consumer companies alike collect sensitive data about employees and their families for payroll and benefit administration. Moreover, companies’ confidential information, transaction information and trade secrets are contained in electronic records which, if compromised, could severely affect the business’s value.
Equifax’s breach and Facebook’s Cambridge Analytica scandal highlight cybersecurity’s increasing link to reputation. Additionally, government agencies like the SEC and FTC are paying close attention to cybersecurity issues. The FTC, which has brought over 50 cybersecurity lawsuits, compiled all of its enforcement messages into its “Start with Security” guidance—essential reading for all businesses.
Verizon’s acquisition of Yahoo, and Yahoo’s settlements with private litigants and the SEC, underscore the importance of cybersecurity as a critical component of the diligence process in M&A transactions.
In July 2016, Verizon and Yahoo entered into a purchase agreement whereby Verizon would acquire Yahoo’s business for $4.83 billion. Soon after, a hacker claimed to have obtained Yahoo user data. After Yahoo conducted an investigation, it publicly disclosed that in late 2014 it suffered a data breach affecting at least 500 million accounts (2014 security incident). Yahoo initiated its investigation of the 2014 security incident on July 30—seven days after the purchase agreement had been signed—and did not inform Verizon about the breach until nearly two months later. In December 2016, Yahoo announced its discovery of a separate security breach that occurred in August 2013 and affected more than one billion accounts (2013 security incident).
By the end of 2016, an independent committee investigation by Yahoo’s board found that “the company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts … ,” Yahoo! Inc., Form 10-Q, at 47 (March 1, 2017). Additionally, “the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it.”
During the process, Verizon assessed the effect of the 2013 and 2014 security incidents on Yahoo’s business to decide whether to reduce the purchase price or walk away from the deal. When the dust settled, Verizon negotiated a $350 million price reduction and a liability-sharing arrangement with Yahoo.
The Yahoo acquisition presents several lessons to M&A acquirers during the diligence phase:
Aside from its troubles with Verizon during the acquisition, Yahoo faced consequences from government agencies and private litigants for its mishandling of the security breaches. Following the breaches, both the FBI and the Senate investigated Yahoo. This year, Yahoo agreed to a proposed $80 million settlement of a securities fraud class action and a $35 million settlement with the SEC, both related to its lack of public disclosure regarding the security incidents. The SEC settlement follows the SEC’s February 2018 interpretive guidance on public company cybersecurity disclosures, which many view as evidence of the commission’s increasing focus on data security since its original October 2011 cybersecurity guidance.
Due diligence may also help a buyer avoid the kind of FTC settlements seen recently, which have required companies with cybersecurity failures to implement comprehensive overhauls of their privacy and security programs and to submit to regular independent audits for up to 20 years, in addition to monetary penalties. In many cases, the cost of two decades of regulatory scrutiny outweighs any one-time fine.
Finally, cybersecurity blunders take a toll on a company’s market value. Studies by Comparitech and the Ponemon Institute indicate that shares of companies that suffer a breach typically drop between 0.5 percent and 5 percent immediately following announcement of the breach, and over time tend to underperform when compared against the broader market (e.g., the stocks analyzed by Comparitech underperformed the NASDAQ by an average of 7.33 percent per year after the breach announcement, and 41.6 percent after three years). Ponemon’s study found that 31 percent of customers surveyed terminated their relationship with organizations that notified them of data breaches, and 65 percent lost trust in such organizations. Beyond impacts on value, revenue and potential shareholder derivative suits, the operational consequences can be costly as well: following Target’s 2013 data breach (after which its stock price dropped 11 percent and profit dropped 46 percent during the subsequent quarter), it invested over $100 million in data security improvements such as chip-card implementation and another $61 million in other breach-related expenses.
Cybersecurity Diligence Priorities
As illustrated by the Yahoo acquisition, cybersecurity diligence is a critical component of every deal. A buyer’s diligence process should be structured to assess the following:
Buyers should also supplement their diligence with tools available at the documentation stage, mitigating their risk through representations and warranties, indemnification provisions, and constructing appropriate baskets and caps. After closing, the buyer should prioritize investment in compliance and manage risk through cyberliability insurance.
As data breaches and subsequent lawsuits increase, and as data collection and digital assets become ubiquitous components of all companies’ businesses, diligence into a target’s protections for those valuable digital assets must increase as well. Increasing regulatory scrutiny only magnifies that point, and assessing the target’s legal compliance adds yet another priority that buyers must examine during their deal-making processes. Perhaps the most important lesson buyers can take from the Yahoo acquisition is that they rely on the seller’s internal cybersecurity procedures at their own risk. In kicking the tires on a potential target, the buyer must ask all the right questions to reduce its own risk. If it does not, post-acquisition compliance issues will contaminate the combined enterprise.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.