Large-scale data breaches of big corporations are becoming an almost weekly event. Despite the regularity of these breaches, the true extent of the legal and financial consequences for these companies and their executives and shareholders remains unclear. For instance, the 2014 cyber-attack on Target did force the then CEO, Gregg Steinhafel, to resign, but a shareholder derivative lawsuit filed against certain directors and officers due to the breach was ultimately dismissed. A shareholder derivative suit against Home Depot – brought as a result of a data breach – was similarly dismissed this past December.
Courts remain reluctant to hold companies, and their officers, directors, and executives liable for data breaches or cyber-attacks, but most cyber security experts believe it is only a matter of time before they do. While the limits of legal liability for a cyber-attack are still up in the air, the aftermath of the recent cyber-attack on Yahoo demonstrates that financial consequences can be drastic for a company, as well as its executives and shareholders.
Yahoo publicly announced it was hacked in September 2016, and since then the company and its executives have been dealing with the backlash. This past Wednesday, CEO, Marissa Mayer, announced she will give up her 2017 bonus – a bonus worth nearly $14 million (in cash and stock). Yahoo’s top lawyer, Ronald Bell, also resigned on Wednesday, seeming to take responsibility for the data breaches.
The data breach has also affected Yahoo’s talks with Verizon Communications regarding the sale of Yahoo’s internet business. Last month, Yahoo agreed to reduce the purchase price by $350 million as a direct result of the breach. While the deal is still expected to close this year, the harm to Yahoo’s shareholders is obvious.
Bottom line, cyber-attacks and data breaches can have severe consequences for companies and their shareholders and may even lead to legal liability for the directors, officers and executives. Companies need to be proactive in developing measures to prevent cyber-attacks, as well as contingency plans in the event a breach does occur. Contact KJK’s cyber security attorneys for additional information or guidance.