It was widely reported a few months ago that Yahoo was the target of a sustained and successful theft of the online credentials and information of 500 million Yahoo users. The attack occurred in 2014 and was only disclosed by Yahoo two years later. Initial press coverage focused on the question of how attackers could have pulled it off and it served as yet another example of the insidious threat of cyberattacks.
Yahoo’s data theft was quickly subsumed into larger stories of cyberattacks that seem to occur with greater frequency, even though it was one of the biggest ever.
Meanwhile, the electoral cycle become more and more colored by state-sponsored data theft. The Department of Homeland Security brought to public attention an ongoing conversation in the cybersecurity industry: could our voting machines be hacked? The United States government accused the Russian government of cyberattacks to undermine our presidential election.
Yet people seem somehow numbed to the magnitude of the problem. I suspect that for many, the issues of data theft don’t register because there is no direct effect on their pocketbooks. After all, the expenses of addressing theft are usually high, but borne by the business. Costs usually come out of operating income or cash reserves, so stockholders don’t usually feel the pinch.
Costs to consumers are rarely passed on. Consider what liability a credit card holder has for charges made on his or her account after a data theft, and how differently that consumer would view the crime if it had direct and personal effect.
Yahoo may be the moment where that calculus changes.
Because Yahoo was in the middle of a sale transaction with Verizon when the news of the breach was released, the disclosure may have given Verizon some legal ammunition to reduce the amount of its offer for Yahoo.
If the purchase price for Yahoo drops, that reduction will be a loss for Yahoo stockholders. They will get less for their shares in a sale to Verizon and be directly harmed by the hack in a way that few have been. This will officially mark the moment where a data breach has a direct and immediate effect on stockholders.
With our corporate laws, the most likely remedy available to the stockholders would be to sue Yahoo’s board of directors and management. This in itself is not unique; boards get sued all the time, and generally have the benefit of insurance to pay claims that succeed.
However, in certain circumstances, such as in infamous accounting frauds like MCI, Worldcom and Enron, board members can face personal liability if they are found to be grossly negligent. When this occurs, board members have to pay damages out of their own pockets.
Even if consumers don’t care about cybersecurity, you can feel confident that stockholders will. Particularly when they lose money as a direct result.
The same way large corporate frauds in the 1990s caused boards of directors to take accounting issues more seriously, it is likely that Yahoo will have a similar effect on their interest in cybersecurity.
Yahoo may be the moment where board members appreciate that cybersecurity really does matter to them personally.
Jonathan Aberman is a business owner, entrepreneur and founder of Tandem NSI, an Arlington-based organization that seeks to connect innovators to government agencies. He is host of “Forward Thinking Radio” on SiriusXM, a business and policy program, and lectures at the University of Maryland’s Robert H. Smith School of Business.