In an unprecedented move, Yahoo has placed a significant amount of blame on the company’s legal department for its handling of the massive 2014 data breach that affected over 500 million accounts. An independent board-level review found that Yahoo senior executives failed to “properly comprehend or investigate” the 2014 data breach, and it identified serious deficiencies in the management and reporting of the crisis.
The company’s actions underscore a significant trend in the role of the legal department with respect to cybersecurity risk: responsibility for cybersecurity issues continues to shift from the IT department to the legal department.
The consequences of this failure were felt both economically and politically. Economically, the company took a $350 million hit on its sales price to Verizon. Yahoo has also reported $16 million in expenses relating to the incident. Politically, Yahoo’s General Counsel, Ron Bell, resigned with no separation payments due to the data breach controversy.
According to a March 1 filing with the U.S. Securities and Exchange Commission, Yahoo reported that senior executives at Yahoo, including members of its legal department, “had sufficient information to warrant substantial further inquiry in 2014” regarding a breach of the company’s networks, but “they did not sufficiently pursue it.” The failure to disclose the 2014 data breach for almost two years raises serious questions about the company’s incident response and disclosure practices.
In response to the independent committee’s findings, Yahoo has implemented or enhanced its technical and legal information security incident response protocols, escalation policies, comprehensive risk assessments, communication plan, training, and oversight.
Yahoo’s experience highlights the fact that the General Counsel must play one of the most critical roles in a high-profile data security event. It can be argued that, going forward, legal departments have a fiduciary duty to develop, execute and lead a governance program that addresses regulatory notifications, information requests and investigation protocols. In the new world order, the General Counsel must have a significant oversight role, with all the necessary authority to ensure the company develops appropriate proactive measures before an incident, and a leadership position after an event has occurred.
The risk to the legal department is now clear. It is critical that the General Counsel embrace cybersecurity oversight and a leadership position during an incident response. The legal department must now be involved in the development of incident response plans, budgets, training, communication and escalation protocols and security assessments designed to determine current vulnerabilities and required remediation.
Proactive cybersecurity readiness has traditionally been the purview of the IT department. The Yahoo event has changed that. A yearly independent cybersecurity assessment of the organization’s readiness needs to be performed and signed off on in a similar manner to how an organization handles its annual financial audit.
Since the technical aspects of IT-related functions during an incident response investigation have potentially significant legal consequences, these functions need to be guided and supervised by the legal department so as not to inadvertently waive attorney-client or work product privileges or impact other legal and compliance requirements. The involvement of outside counsel, managed by the legal department, provides further privilege protections and streamlines coordination between outside experts and internal resources.
In-house lawyers need to be able to clearly communicate risk through a chain of command. It is critical to ask questions of the board and IT staff to determine the company’s data security readiness, identify gaps, and fill those gaps with the necessary policies, procedures, documentation, training, response plans and a third-party vendor support ecosystem.