Yahoo faces regulatory and litigation peril from global data breach

26th September 2016. By Mike Swift and Amy Miller

Just two business days after Yahoo revealed a global data breach unprecedented in size, the Silicon Valley Internet platform already faces a flood of US lawsuits that is all but certain to continue to grow in coming days, even as regulators across the US and around the world begin to quiz the company about its security precautions and why it took so long to detect the intrusion.

By Monday afternoon, at least half a dozen proposed class action suits had already been filed in several federal district courts in Illinois and California, including in the district that includes Yahoo’s Sunnyvale, California, headquarters. The litigation tally is likely to mushroom in coming days, and the US Judicial Panel on Multidistrict Litigation will decide months from now where the consolidated case ultimately plays out.

Yahoo will be forced to prove in the coming months to the skeptical eyes of regulators in California, Washington, DC, London and elsewhere around the world — as well as to US private litigants — that it had installed state-of-the-art security that was overwhelmed by the superior forces of a state-sponsored hacker. It also will need to show that it remained fully unaware of that intrusion until last week.

US Senator Mark Warner, a Virginia Democrat who is a co-founder of the bipartisan Senate Cybersecurity Caucus, on Monday asked the US Securities and Exchange Commission to investigate whether Yahoo fulfilled its obligations under federal securities laws. The SEC has authority to fine companies that don’t disclose the extent of data breaches.

While state attorneys general, whose offices enforce state data breach laws in the United States, generally declined to comment on any ongoing investigations, California and Massachusetts both acknowledged Monday they are questioning Yahoo about the breach.

“We are aware of this matter and have reached out to Yahoo to learn more about the circumstances surrounding the breach. We will be closely monitoring this situation as it is a priority of our office to ensure the security and privacy of Massachusetts residents’ personal and financial information,” said Emalie Gainey, spokeswoman for Massachusetts Attorney General Maura Healey.

The US Federal Trade Commission also declined to comment Monday, with a spokesman saying that the agency’s investigations are nonpublic and the FTC couldn’t confirm or deny the existence of a probe.

The private US suits allege a long list of laws broken by Yahoo, including privacy claims under the federal Stored Communications Act and the California Constitution, as well as violations of state statutes such as California’s Unfair Competition Law and the Illinois Computer Fraud and Abuse Act.

“Despite the fact that the attack took place in late 2014, Yahoo was so grossly negligent in securing its users’ personal information that it says that it did not even discover the incident until the summer of 2016,” a suit filed Friday in San Jose, California, alleges. “In other words, Defendant’s misconduct was so bad that it evidently allowed unauthorized and malicious access to Plaintiff’s and the Class’s personal information on Defendant’s computer systems to continue unimpeded for nearly two years.”

“Circumstantial evidence suggests that certain Yahoo insiders did know of the breach long before it was disclosed, but hid it from the public until after a $4.8 billion sale of the Company to Verizon was announced in July 2016,” concluded the suit, filed by New York resident and Yahoo user Ronald Schwartz.

Beyond those judicial and regulatory problems, Yahoo will also face the individual judgment of several hundred million users, most of them outside of the US, who may choose to desert the already troubled company for competitors such as Google, Microsoft or Facebook.

Unprecedented combination

A combination of factors, rather than any one individual attribute, makes the Yahoo breach such an unprecedented event. The breach affected as many as 500 million accounts on a global communications platform, an intrusion created by a state-sponsored actor that went undetected from 2014 until last week, according to Yahoo.

Individually, none of those attributes are firsts. Global Internet platforms, such as LinkedIn in 2013, have been compromised before. Breaches of the computer systems of large organizations such as the Target retail chain and the Anthem healthcare network have exposed the personal data of 100 million people or more.

State-sponsored actors have broken into computer networks, as in North Korea’s intrusion, according to the Obama administration, into the computer systems of movie studio Sony Pictures.

“When you’re a nation-state, like the Chinese, the Russians, the Romanians or the Vietnamese, these people are really smart, and they are incredibly persistent,” data breach expert Larry Ponemon, chairman of the Ponemon Institute, told MLex. “If they want to get inside, they can’t be stopped.”

And while it took Yahoo about four times longer than the 188-day average for a tech company to discover its systems have been breached, that delay isn’t without precedent, Ponemon said. After entering a computer system, intruders frequently lie dormant for months, even years, during which time they are essentially impossible to detect.

Litigation risk

Yahoo will doubtlessly make all those arguments as it defends itself in US court and to regulators around the world. UK Information Commissioner Elizabeth Denham said Friday that “the US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens, and I am doing that today.”

In many previous breaches, including those of LinkedIn, Target and Sony, class action plaintiffs’ lawyers found ways to press expensive litigation forward. In addition to the resignation of its chief executive officer, Target ultimately paid more than $95 million to settle litigation brought by consumers, banks and other financial institutions. That breach affected about 110 million people, including exposing the payment card information of about 40 million US consumers.

In the US legal system, plaintiffs are generally required to allege that they have suffered actual, not just potential, harm in order to gain standing to sue.

In some past data breach cases, companies have been able to argue successfully that if plaintiffs haven’t suffered harm and can’t show actual fraud or identity theft, they lack standing to sue. But at least three recent federal appeals court decisions have cracked open the door, finding that fear of potential future harm can be sufficient to establish standing to sue. Those rulings could make it easier for data breach cases against Yahoo to survive in district court.

Plaintiffs have to be able to link the particular data breach to an injury, said Brenda R. Sharton, who chairs the business litigation and the privacy and cybersecurity practices at Goodwin in Boston.

“That’s becoming harder and harder to do when there are so many breaches. That may make it harder for the plaintiffs in the Yahoo cases,” she said.

Ominously for Yahoo, at least one plaintiffs’ lawyer who has sued the company says there is already evidence that his clients have suffered concrete harm.

“We’ve had a number of clients who have had unauthorized access to their financial information that they didn’t understand, and they had no explanation for it,” said David Casey, a San Diego lawyer whose clients sued Yahoo Thursday in the Southern District of California.

“What we found that’s kind of unusual is the anger people are feeling, because of the delay of time for a few years” before Yahoo revealed the breach, Casey said.