The Legal Ramifications of Security Breaches for Large Companies
Recent security breaches experienced by high-profile companies—even those with in-house General Counsel, such as Yahoo—have many companies realizing that it may be necessary to work with experienced outside counsel on corporate law issues in order to ensure that a company is fully protected from the legal repercussions that a potential security breach could bring.
According to the company’s 10-K, information such as names, email addresses, birth dates, passwords, security questions and answers, and phone numbers was stolen from approximately 500 million user accounts during one of three security incidents between 2013 and 2016. The data breaches allowed hackers to access data for hundreds of millions of Yahoo users in 2013 and 2014; however, the company waited until 2016 to notify its users of the breach, arguably placing their personal and confidential information at risk.
According to a Yahoo filing in early March, the company’s legal team, specifically, had sufficient information to warrant substantial inquiry several years ago, and they failed to sufficiently pursue it.
Yahoo’s General Counsel has now resigned as a result, and both the Federal Bureau of Investigation and Securities and Exchange Commission are reportedly investigating the breaches.
Data Breach Notification Laws
Under most data breach notification laws, there is a legal obligation to notify affected individuals when unauthorized access to these data elements occurs. These laws are specific to each state; however, most follow the same basic tenet that requires companies to immediately disclose a data breach to customers (usually in writing).
In this instance, Yahoo’s legal team reportedly had enough information to conduct a further inquiry back when this was initially discovered in 2014. However, they did not sufficiently pursue it, and in failing to do so, the company was inadequately advised with respect to the legal and business risks associated with the incident.
Important Steps to Minimize Risks
Many are now wondering whether this incident will permanently affect how companies approach data breach incidents in the future and, specifically, how the role of General Counsel within the company can help prevent legal violations like these. While some have commented that legal departments may seek to avoid any involvement in breach response or investigations of data breaches, it is likely that this won’t be a practical option for in-house corporate counsel.
In fact, there are steps that corporate counsel can take to minimize risks for a company, such as:
- Engaging outside counsel skilled in privacy and data security law, and in preparing companies for data incidents;
- Preparing written protocols so that the investigation process is clear; and
- Retaining a forensic firm to ensure that resources are available to begin an investigation right away and apply the attorney-client privilege effectively.
Experienced Corporate Attorneys Providing In-House Counsel Services
At Cloud Willis & Ellis, our experienced Birmingham corporate law and business litigation attorneys have assisted business clients in resolving a broad spectrum of issues such as the legal ramifications of a security breach. We specifically provide general counsel services, taking on responsibilities that are expected of in-house legal counsel. Contact our office today to receive guidance on how we can help you and your business.