Last week, Yahoo (now reborn as Altaba after Verizon’s acquisition) announced a settlement with the SEC over misleading investors regarding the biggest data breach in known history. The crime: not revealing it in a timely manner. It was one of the many lawsuits the company is fighting currently as a result of the data breach.
The final settlement is for $35 million.
Before that, in March, the company also settled a lawsuit for $80 million. As noted by biglawbusiness.com, that would be the first instance of a security fraud lawsuit tied to a data breach that was successfully won by plaintiffs.
The Tides are Not Turning
Over the past ten years (or possibly longer), most if not all lawsuits revolving around a data breach were tossed out of courts for not having “standing.” That is, it couldn’t be shown that a data breach was directly tied to a harm… if there was any harm at all. So, the cases were tossed out of court.
For example, nearly all courts ruled that having your personal information stolen in of itself was not an actual harm. So, if you were suing a company merely because they were hacked and your information was stolen, forget about it. No standing.
(Call the same information a client list, and switch a company’s status from defendant to plaintiff, though, and suddenly it has value and hence standing in court. The prosecution of client list theft is quite the business in legal circles. The irony).
Returning to the topic at had, even if you were eventually harmed per the courts’ definition – due to identity theft, phishing attempts, etc. – data breach victims still couldn’t see their day in court because the link between the data breach and their being victimized is tenuous. With so many companies losing personal information left and right, it’s virtually impossible to show that your personal torments are tied to a particular data breach.
So, these latest legal results seem to indicate, if certain headlines are to be believed, that companies are sensing that the courts will change their stance. But that’s not the case at all.
After learning of the data breach, Verizon knocked off $350 million from the original acquisition offer for Yahoo. This means that shareholders of Yahoo stock received, as a group, $350 million less than they could have. That’s not chump change.
As a result, it could be argued, and it has, that the data breach was material information that could affect a stock’s market price, and that it was not revealed in a timely fashion.
Not revealing pertinent information in a timely fashion is illegal for companies listed in stock markets. It is this illegality that the courts would have ruled on. Yahoo/Altaba, knowing they were licked, offered a settlement in both cases. So, what you’re seeing here is not a watershed moment but more of the same.
If we were to look for a silver-lining, maybe it’s that companies now know how bad things can get if they don’t go public over a massive data breach within a reasonable amount of time. Do it fast enough and all you have to deal with is a bunch of lawsuits that won’t go anywhere. Delay and hide, and you get the same plus lawsuits that will cost you big.
Related Articles and Sites: