The recent news that Yahoo’s general counsel had resigned following a probe of high-profile data breaches at the company has generated a great deal of discussion and concern. In the following guest post, David Fontaine and John Reed Stark take a look at the circumstances surrounding the resignation and consider the implications of and lessons from this development. David is the CEO of Kroll and its parent company, Corporate Risk Holdings, and John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on CybersecurityDocket. I would like to thank Dave and John for their willingness to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Dave and John’s guest post.
The recent public 10-K disclosures filed by Yahoo with the U.S. Securities and Exchange Commission (SEC) have garnered a great deal of attention for laying substantial blame at the feet of Yahoo’s own internal legal department. Never before have the consequences of a cybersecurity failure been so directly left on the general counsel’s (GC’s) doorstep.
While some may view this as an exceptional case driven by its unique facts, the actions taken by Yahoo’s board and the company’s public disclosures underscore a more significant and noteworthy trend as it relates to the role of the legal function, corporate governance in general, and cybersecurity in particular. Namely, cybersecurity issues continue to shift away from the IT department: they not only rank among the most important issues facing any enterprise, its management and board, but now also fall squarely under the purview and oversight of its legal department.
For GCs still trying to process Yahoo’s recent disquieting SEC disclosure (or for those GCs thinking, “There but for the grace of God go I”), this article offers three key takeaways along with some practical advice for the future.
Yahoo Inc. suffered two significant data breaches — one in 2014 that reportedly impacted at least 500 million customer email accounts and another in 2013 that reportedly affected more than one billion user accounts. As a result, the company also experienced a $350 million purchase price adjustment in its agreed acquisition by Verizon Communications Inc. and has paid $16 million in publicly reported expenses related to the incidents, including $11 million in nonrecurring legal costs.
The Content of the Disclosures
In its March 1 Form 10-K, Yahoo disclosed the results of an independent board-mandated investigation into the data breaches. Yahoo reported that the investigation identified certain failures relating to, among other things, its internal legal team’s handling of the first data breach and disclosed that its general counsel had resigned and was receiving no separation payments. The disclosure, in pertinent part, stated:
Based on its investigation, the Independent Committee concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team …
Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident. The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters.
The Announced Remedial Actions
In response to these findings, Yahoo also shared certain remedial actions that had been taken:
Additionally, in response to the Independent Committee’s findings and recommendations, the Board has directed the Company to implement or enhance a number of corrective actions, including revision of its technical and legal information security incident response protocols to help ensure: escalation of cybersecurity incidents to senior executives and the Board of Directors; rigorous investigation of cybersecurity incidents and engagement of forensic experts as appropriate; rigorous assessment of and documenting any legal reporting obligations and engagement of outside counsel as appropriate; comprehensive risk assessments with respect to cybersecurity events; effective cross-functional communication regarding cybersecurity events; appropriate and timely disclosure of material cybersecurity incidents; and enhanced training and oversight to help ensure processes are followed.
Takeaway #1: The GC has emerged as the most logical and effective quarterback of data breach response.
Virtually every aspect of a data security incident response is rife with delicate and complex legal issues. The Yahoo experience and related investigative findings serve only to highlight and reinforce the critical and indispensable role of counsel. Indeed, one could argue that the Yahoo disclosures have actually set a new standard, increasing the governance and fiduciary expectations relating to the role of legal counsel when such events are encountered.
The concerns go well beyond the post-event legal consequences, such as regulatory notifications, requests and investigations; law enforcement interactions; vendor disputes and lawsuits; and potential consumer class actions. The expectation plainly is that counsel will have clear visibility into and participate in all aspects of cybersecurity planning, monitoring, reporting, and, of course, response. And, it is fair to say that internal counsel is now on notice – if there was any lingering doubt – that cyber risks fall squarely within their functional mandate.
Yahoo’s actions are not surprising because the added GC responsibilities make sense. Above all else, the legal ramifications of any cybersecurity incident or failure can be calamitous or even fatal for any public or private company. Even the most traditional realms of IT dominion such as exfiltration analysis, malware reverse engineering, digital forensics, logging review and most technological remediation measures are rife with legal and compliance issues and a myriad of potential conflicts.
For instance, after a cybersecurity incident, law enforcement, regulators, vendors, partners, insurers, customers and others may:
- Request forensic images of impacted systems;
- Demand copies of indicators of compromise;
- Mandate that their own auditors or examiners visit sites of infiltration and conduct their own audit and investigation;
- Want to participate in remediation planning;
- Seek interviews and interactions with IT personnel;
- Require briefings from a victim company’s forensic experts and data security engineers; or
- Ask to attach a recording appliance to a victim company’s network in hope of capturing traces of attacker activity, should an attacker return.
These requests raise a host of legal issues, including how exactly to respond to each request and whether any response would violate the privacy of customers; be at odds with commercial agreements; result in a waiver of the attorney-client or work product privileges; or have any other legal/compliance consequences.
Because so many incident response issues are critical to the very survival of a company, who else but the GC can oversee and direct investigative workflow, commanding the investigation and remediation for the C-suite, sharing with senior management the ultimate responsibility for key decisions, while having the responsibility and duty of reporting to the company’s board?
The Attorney-Client Privilege. Attorney involvement, awareness, leadership, and direction are not the only essentials for managing the quagmire of legal issues arising during an incident response.
GC involvement also triggers the protections afforded by the attorney-client and work product privileges, a critical component in the response to data security incidents. The involvement and direction of counsel in the context of any investigation will presumably apply to the work product produced not only directly by the legal team members but also by the outside advisors, including the digital forensic investigators engaged by internal or external counsel.
This is standard practice in the context of any other type of investigation, and a cyber incident is no different. There is nothing nefarious or extraordinary about this approach; it is a time-honored and tested standard operating procedure. The involvement of counsel establishes a single point of coordination and a designated information collection point. This model enhances visibility into the facts, improves the ability to pursue appropriate leads and, most importantly, ensures the accuracy and completeness of information before it is communicated to external audiences. Otherwise, incomplete and/or inaccurate information could be released, only to be corrected or even retracted later.
With respect to cybersecurity undertakings, such as engaging outside experts for data security risk and assessments or penetration testing, the same caveat also applies, and the outside expert should be retained by the GC or external counsel. When the GC quarterbacks the engagement of the outside expert data security firm, the GC can ensure communication lines are properly organized, thoughtfully orchestrated, and when appropriate, protected by the attorney-client and work product privileges.
Takeaway #2: Yahoo’s actions not only signal the evolution of a new standard of care for GCs when it comes to cybersecurity but also signal a vast expansion of GC oversight.
Given the complexities involved and technological underpinning of every move, GCs cannot be kept on the sidelines during a cyber incident response – either by their own volition or because of corporate structure and culture. Most fundamentally, information security has historically been treated as the province of the IT department or other internal technology professionals. Lawyers, on the other hand, typically were not viewed as having the necessary subject matter competence to understand technology and how it works. The clear message of the Yahoo experience is that this historical perception needs to change.
Proactive Measures. GCs should view cybersecurity issues with the same healthy skepticism they employ for other areas of risk, like financial reporting, insider trading, theft, sexual harassment and other forms of corporate crisis and employee misconduct. This means asking questions of the board and the IT team while also probing cyber policies, practices and procedures as well as technological infrastructure, vendor security measures and cybersecurity governance. GCs should also play an active role in other key aspects of data security such as:
- Reporting Lines: Current reporting lines and assigned areas of responsibility should make sense and allow for transparency, candor and independence;
- IR Plans: Incident response and business continuity plans should be up to speed and up to date;
- IT Staffing and Training: IT staffing remains perhaps the largest challenge for any organization (also, independent exit interviews of departing IT staff, conducted by the GC, can reveal critical cybersecurity and incident response weaknesses);
- Cybersecurity Budgeting: Financial priorities can shift very quickly, and a one-year budgetary cycle might not be swift or agile enough to manage rapidly emerging cyber-threats;
- Training: The most significant cybersecurity vulnerability at any company will always be its employees;
- Communication Lines: Robust and clear communication channels within an organization allow executives to communicate and escalate cybersecurity risk transparently and through a designated chain of command; and
- Penetration Testing/Risk and Security Assessments: Good pen testers with bona fide technological chops, an ethos of dedication, and a philosophy of service can evolve to become a GC’s true trusted adviser.
Takeaway #3: Cybersecurity presents every bit as much risk as, if not more risk than, financial reporting failure, and should receive the same level of oversight and audit.
GCs formulating their cybersecurity oversight need look no further than the current CFO oversight paradigm for financial accounting and reporting. GCs should establish governance procedures to oversee a corporation’s cybersecurity wellness substantially similar to those that have proven effective and sufficiently flexible to assess and validate financial statement accuracy and reliability.
As cyber-attacks continue to proliferate, more and more corporate GCs will come to realize that cybersecurity risks may now even trump financial accounting risks – and not just because technology and networks touch every aspect of an enterprise. The nature, extent and potential adverse impacts of these risks demand a proportionate response.
Consider the history of oversight of financial accounting: As it became clear that corporate insiders were capable of engaging in misconduct, the active oversight and independent supervision over financial controls and governance structures similarly evolved, reducing the risk of financial fraud, fiscal misstatements and management/employee malfeasance. Along those lines, the efficacy of using independent auditors, audit committees and management certifications to deter and minimize such insider misconduct became widely understood and embraced.
Just as occurred in the financial accounting realm, old and stale governance models of data security must be modified and enhanced to address the very real, difficult-to-control and ever-increasing enterprise threat of cyber-attacks. In practical terms, this means that GCs should do for cyber what their CFO colleagues have done in the area of financial reporting, including:
- Embracing cybersecurity as an area of oversight and risk;
- Serving as quarterback for all cyber-attack incident response efforts;
- Engaging an independent cybersecurity firm to conduct an annual cybersecurity audit (just like an independent accounting firm conducts and signs off on an annual financial audit); and
- Adding cybersecurity expertise and knowledge to the GC team (just like a CFO receives additional resources commensurate with expanded duties and responsibilities, a GC should receive the same level of support).
Historically, when it comes to CFOs and the financial reporting function, the successful paradigm has been one of vigorous and independent supervision, requiring the participation of independent third parties. The same should go for GC oversight of CTOs, CIOs and CISOs, and the maxim of trust but verify should be equally operative in both contexts.
There will undoubtedly be those who view Yahoo’s actions as an aberration rather than a harbinger. Indeed, there is already a slew of reports, attributed to Silicon Valley GCs, asserting that Yahoo’s GC fell on his sword in response to larger issues at the beleaguered and once high-flying Silicon Valley company. These same defenders might also note that adding cybersecurity to a GC’s already overcrowded (and oft unappreciated) job description is more than just unfair — it’s also wholly impracticable.
But the change is inevitable. Cybersecurity risk has elevated itself to the top of corporate agendas and the reality is that there is no one more qualified or better suited than the GC to quarterback a company’s cybersecurity planning and incident response. Moreover, GCs may soon have little choice but to take these steps, not merely to protect their companies but also to protect themselves. Given the current class action litigation landscape relating to cybersecurity issues, data security incidents not only create regulatory and other legal liability for corporations but they can also create personal liability for GCs.
For GCs worried about taking on the technical challenges of data security, there is no need to panic. Cybersecurity engagement for GCs does not mean that they must obtain computer science degrees or personally supervise firewall implementation and intrusion detection system rollouts.
By approaching cyber in much the same way they approach other areas of risk under their purview — with vigorous, skeptical, intelligent, independent and methodical administration and inquiry — GCs will not just execute upon their newfound cyber-jurisdiction, they might actually grow to embrace it.
David R. Fontaine is Chief Executive Officer of Kroll and its parent company, Corporate Risk Holdings, LLC. Previously, David held senior leadership roles and served as the Chief Legal Officer, Chief Risk Officer, Chief Administrative Officer and Corporate Secretary for several public and private companies, including Travelex Global Business Payments, Inc., American Management Systems, Inc. and Proxicom, Inc. Before moving into a corporate executive role, David, who is a graduate of Yale Law School, was a partner at the litigation firm of Miller, Cassidy, Larroca and Lewin, LLP, practicing primarily in the areas of white-collar defense and commercial litigation.
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of numerous articles on cybersecurity and data breach response, as well as “The Cybersecurity Due Diligence Handbook,” available on Amazon.