Monday 31 October 2016
Earlier this year, Yahoo Inc. (Yahoo) publicly revealed that personal information from at least 500 million user accounts was stolen by hackers.
Surprisingly, the data breach may have happened as far back as the end of 2014. Yahoo was placed in the invidious position of having to recommend that all ‘potentially’ affected users change their passwords, especially if they had not done so since 2014.
The revelation has been problematic for Yahoo to say the least. Yahoo’s reputation and brand have suffered a significant blow, adding to the company’s woes of flagging users, traffic and ad revenue.
Adverse impacts of this nature are largely expected following data breaches of high-profile companies. But what was less expected was the news that the breach’s revelation has the potential to derail a major acquisition of Yahoo.
On 25 July 2016, Verizon Communications Inc. (Verizon) agreed to buy Yahoo’s web assets for USD $4.83 billion. However, following news of the breach, Verizon has stated it has a reasonable basis to believe the data breach represents a material impact that could allow Verizon to withdraw from the deal.
These developments highlight key issues to consider during the ongoing management of a business – irrespective of whether the business is IT-related or otherwise. Equally, Yahoo’s data breach cooee reminds us that cyber security should be a consideration during M&A transactions.
Cyber security considerations for buyers
If you are looking to, or are in the process of, purchasing the assets or shares of another business or company, it would be prudent to consider whether cyber security may be an important component of the deal.
If cyber security is a key consideration for you, you might want to think about including the ability to pull out of the deal if there is a cyber security breach in the run-up to completion.
Equally, you need to consider whether you have appropriate warranties or insurance in place, in the event an adverse cyber security revelation comes to light after completion.
Cyber security considerations for sellers, or potential sellers
Yahoo’s woes are equally illustrative for businesses or companies considering entering into an M&A transaction as sellers in the near or long term.
Cyber security should not be a reactive consideration. Instituting cyber security precautions is essential for the proper management of an internet-connected business.
It is claimed Yahoo CEO Marissa Mayer’s handling of cyber security issues in 2014 drove one information security head away from Yahoo to Facebook Inc., following a failed attempt to get Yahoo’s management to take a more aggressive approach to cyber security.
In previous articles, Maddocks has discussed the importance of instituting proper cyber security practices, especially if you are a director subject to the obligations under the Corporations Act 2001, or a Commonwealth entity official or Commonwealth company director.
So whether you’re the head of an IT-related business, or merely hold personal information of your customers, you should always consider introducing proper cyber security precautions.
To reveal or not to reveal?
Yahoo’s decision to reveal the hack also raises the issue of whether Australian organisations should be legally compelled to disclose cyber security breaches. Currently in Australia, there are no laws compelling the disclosure of such breaches.
However, the situation is likely to change in the short term. On 19 October 2016, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 was introduced to Parliament. If enacted, the Bill would force agencies, organisations and certain other entities to provide notice to the Australian Information Commissioner and affected individuals of eligible data breaches.
As always, Maddocks will continue to monitor these and other cyber security developments.
Rafael Perez | Lawyer
61 3 9258 3335