While preparing for an upcoming presentation for in-house lawyers on data security, I dusted off the events of three months ago, when Yahoo! Inc. unceremoniously fired its general counsel on March 1st, the very same day it filed its 10-K for fiscal year 2016. Yahoo’s 10-K disclosed the contemporaneous dismissal as a “Management Change” resulting from its Board of Directors’ Independent Committee investigation into Yahoo’s immense 2013-2014 data breaches, which were not disclosed until 2016. Unlike prior mega-breaches, in which the head of IT or the CEO was let go (Target, Sony), Yahoo singled out its lead in-house lawyer for firing … without separation compensation of any kind.
Henceforth, whether fairly or not, March 1 will be known as In-house Counsel Data Security Awareness Day – because it’s now clearer than ever before that in-house lawyers must take a hands-on approach to breach response, breach response readiness, and data security generally.
Huge breaches, huge repercussions
The Yahoo breaches were indeed massive, impacting over 1.5 billion account holders. And the resulting costs are similarly huge: $16 million in out-of-pocket response costs in fiscal year 2016, which is a mere down payment on such future liabilities, given the scores of putative class actions, along with shareholder actions and a derivative suit, currently pending, on top of SEC, FTC, and federal and state AG office investigations, and all without Yahoo having cyber insurance coverage. Beyond that, the imbroglio triggered a renegotiation of the Verizon deal to purchase Yahoo, lowering the purchase price by $350 million.
Failure to communicate & coordinate
What galled the Independent Committee was that the full extent of what Yahoo’s information security team knew back in 2014 was not effectively understood and acted upon by Yahoo’s management:
[A]s of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team….
[t]he Committee [also] found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident. The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters.
In response to the Independent Committee’s findings, the Board, after firing the GC and stripping compensation elements from the CEO, also directed Yahoo’s management to overhaul its technical and legal protocols for critical security incident response, to better ensure:
- escalation of cybersecurity incidents to senior executives and the Board of Directors;
- rigorous investigation of cybersecurity incidents and engagement of forensic experts as appropriate;
- rigorous assessment of and documenting any legal reporting obligations and engagement of outside counsel as appropriate;
- comprehensive risk assessments with respect to cybersecurity events;
- effective cross-functional communication regarding cybersecurity events;
- appropriate and timely disclosure of material cybersecurity incidents; and
- enhanced training and oversight to help ensure processes are followed.
Security starts in Legal
Not to pile on … but the lessons of Yahoo focus solely on the Legal Department’s role in critical security incident response, which is of course important, yet is only one of the six elements of an organization’s reasonable information security program. All six elements are important, and Legal has an indispensable role to play in each of them. Here are those six elements of multidisciplinary activity for the overall organization, with bullets under each giving the high points of what in-house counsel should focus on:
IDENTIFY: Identify information to be protected
- Determine what legal, regulatory, and contractual information security schemes apply.
- Confirm what information must be protected.
ASSESS: Assess threats, vulnerabilities, and risks
- Confirm the required scope of the assessment per applicable legal, regulatory, and contractual security requirements.
- Contribute to identification and understanding of risks.
SAFEGUARD: Establish policies and controls; train; and test
- Confirm legal, regulatory, and contractual requirements for security controls.
- Collaborate in development of and approve policies.
- Ensure up-to-date, legally validated retention schedule.
- Review legal sufficiency of controls.
CONTRACT: Select, contract with, and oversee third parties
- Determine legal, regulatory, and contractual requirements for security in third-party relationships.
- Assess and identify risks.
- Ensure effective contract terms for risks.
- Collaborate in establishing processes for due diligence in selection and oversight.
RESPOND: Establish response readiness and respond to incidents
- Develop (under privilege) and establish the Critical Security Incident Response Plan (which is different from IT’s security incident response plan).
- Select and qualify response service providers (legal, forensics, crisis communications, notifications …).
- Orient/train participants.
- Coordinate plan execution in actual critical security incidents/breaches, maintaining attorney/client privilege.
ADJUST: Review and update the program
- Recognize changes in legal, regulatory, and contractual requirements for security.
- Recognize changed business circumstances triggering need for adjusting the security program.
- Collaborate in security program adjustments.
This is a lot to add to the already crowded plates of in-house counsel. But Yahoo is a tipping point. Going forward, in-house Legal will be under increased scrutiny for its leadership on data security, and for whether Legal has fulfilled its vital roles before, during, and after critical security incidents.
Because now that Security starts in Legal, it’s up to Legal to ensure it doesn’t end there too – as it did at Yahoo.