One of The Red Flag Group’s 23 identified risk areas is data security. That risk is becoming more ever-present, particularly for United States companies. However, we now have the intersection of data security risk and reputational risk, and all tied up in a huge corporate acquisition. As reported by the Financial Times last week, the United States internet company Yahoo has revealed that ‘phone numbers, birth dates and certain security details’ belonging to more than 500 million accounts were accessed by ‘state-sponsored’ hackers in late 2014. The breach represents the largest in history.
As devastating as this news was, there were two other factors that made this announcement potentially catastrophic for the company. The first is that the company had finally been able to sell itself to Verizon following years of dwindling corporate earnings, with a deal inked in July for US$4.8 billion.
Secondly, and perhaps more importantly, the news came only 10 days after a filing with the United States Securities and Exchange Commission (SEC) in which ‘Yahoo had said it had no knowledge of ‘any incidents’ of ‘security breaches, unauthorised access or unauthorised use’ of its IT systems’. The problem with this final statement to regulators is that the same FT article noted that the allegations had first surfaced in July. According to the article, Yahoo had been investigating them since that time and [CEO] “Marissa was aware absolutely – she was aware and involved when [the allegations] surfaced in July”.
This puts both Yahoo and Verizon in a very difficult position. For Yahoo, the SEC has been very aggressive towards companies that it deems to be slow disclosing data security breaches. The article quoted former National Security Agency (NSA) general counsel Stewart Baker saying: “The SEC is going to want to know exactly what they knew and when they knew it.”
Verizon will have to determine if Yahoo’s failure to inform it about the data breach is a material misrepresentation, assuming it has standard reps and warranties in the acquisition agreement. This would void the purchase. Verizon might also have to determine whether the value of Yahoo has even further diminished due any potential regulatory penalties, shareholder lawsuits, and stock price falls resulting from a loss in investor confidence.
All of this reinforces the need for a robust review of your risk profile in all phases of your corporate existence. Furthermore, if you are engaging in a major acquisition, you had better take a very long and hard look at your reps and warranties in the event that something this catastrophic is suddenly announced.