Recently, the Information Commissioner’s Office fined Yahoo £250,000 in connection with the cyber-attack it suffered in 2014, which resulted in the theft of over 500 million users’ data worldwide and compromised over 500,000 Yahoo UK accounts.
A quarter million pound fine is usually not cause for relief – but in Yahoo’s case, it may have been some of the better news to come its way in some time.
The penalty is considerably less than that levied by the US Securities and Exchange Commission in respect of the same incident ($35 million in April this year), or what Yahoo might have been fined had the ICO conducted its investigation under the new Data Protection Act, which allows for fines up to the higher of €20 million or 4% of global annual turnover (by contrast, the 1998 Act caps penalties at £500,000).
Under the new Act, the ICO will look to a number of factors when determining an appropriate penalty amount, which include:
- the nature, gravity and duration of the failure;
- any action taken by the controller or processor to mitigate the damage or distress suffered by data subjects; and
- the degree of responsibility of the controller or processor.
Based on the ICO’s commentary on the fine, the above criteria would arguably not have weighed in Yahoo’s favour.
The ICO decided that Yahoo had “failed” both to: (i) “take appropriate technical and organisational measures to protect the personal data of the relevant customers against exfiltration by unauthorised person”; and (ii) “ensure that its data processor, Yahoo! Inc., complied with” the relevant provisions of the 1998 DPA.
While the decision acknowledged that Yahoo was the victim of a “sophisticated and persistent attack, supported by the Russian Federal Security Service”, it nonetheless found there were “systematic” and “material inadequacies” in the measures Yahoo had in place to protect personal data, for which Yahoo had not provided a “satisfactory explanation”.
The ICO’s Deputy Commissioner published a blog post shortly after the penalty was announced, which clarified the ICO’s rationale (or, if you’re Yahoo, rubbed salt in the wound), noting: “the failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data” and that a higher standard of care is expected from “well-resourced, experienced” organisations.
The US position
The focus of the SEC’s ire was less on the inadequacies of Yahoo! Inc.’s technical measures and more on its failure to disclose the breach to its investors. Yahoo! Inc. became aware of the hack in December 2014, but only came clean to investors in September 2016, when it was in the process of closing the acquisition of its operating business by Verizon.
The SEC commented that Yahoo had failed properly to “assess its cyber-disclosure obligations…leaving its investors totally in the dark” and while it does not “second-guess good faith exercises in judgment about cyber-incident disclosure…a company’s response to such an event could be so lacking that an enforcement action would be warranted.”
Unfortunately, Verizon was similarly unimpressed by Yahoo’s communication failure and declared the late disclosure and data breach a “material adverse event” under the Stock Purchase Agreement, resulting in a $350 million (or 7.25%) reduction in purchase price.
It is clear from the Yahoo breach – and the reactions of regulators and investors to it – that how organisations prepare for, react to and communicate about data breaches will determine how well they survive the crises inevitably caused by such incidents.
For example, the ICO’s decision indicates that it opted against the maximum £500k penalty due to Yahoo’s reaction to the incident, noting that (i) Yahoo “co-operated with the Commissioner”; (ii) it took “extensive steps to notify affected users and to inform them how they could protect their accounts”; and (iii) the stolen data “did not include payment card data or bank account information”.
Further, the Deputy Commissioner’s statements emphasise the importance of having in place preventative measures:
“We accept that cyber-attacks will happen as the cyber-criminals get shrewder and more determined, the protection of data becomes even more of a challenge. However, organisations must take appropriate steps to protect the data of their customers from this threat…[they] need to do more than just shut the door. They need to lock it. Then check the locks”.
And finally – and arguably one of the most crucial learnings – Yahoo! Inc.’s response to the breach illustrates that responsibility for a cyber incident does not sit with an organisation’s IT or security team alone, but extends to the legal department and senior executives.
An independent committee of Yahoo! Inc.’s board of directors, with assistance from US firm Sidley Austin, undertook an internal investigation into the 2014 breach. The outcomes of that investigation included CEO Marissa Mayer agreeing to forgo her bonus and equity grants for that year and the resignation of Yahoo! Inc.’s long-serving general counsel – both events likely driven by the investigation’s finding that Yahoo’s senior executives “did not properly understand or investigate” the attacks.
This demonstrates that an effective – and defensible – response strategy requires an integrated approach by legal, IT and management.
Unfortunately for the majority of organisations today, cyber-crises are not a possibility but an inevitability. But, with adequate preparation and mitigation, organisations may be able to prevent those crises from developing into catastrophes.