Abstract
On September 22, 2016, Yahoo! Inc. ("Yahoo") announced that a data breach and theft of information from over 500 million user accounts had taken place during 2014, marking the largest data breach ever at the time. The information stolen likely included names, birthdays, telephone numbers, email addresses, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers. Yahoo further disclosed its belief that the stolen data "did not include unprotected passwords, payment card data, or bank account information." Just two months before Yahoo disclosed its 2014 data breach, it announced a proposed sale of the company's core business to Verizon Communications. Then, during mid-December 2016, Yahoo announced that another 1 billion customer accounts had been compromised during 2013, a new record for largest data breach.
Social media and electronic commerce websites face significant risk factors, and an acquirer may inherit cyber liability and vulnerabilities. The fact pattern in this announced acquisition raises a number of important corporate governance issues: whether Yahoo's conduct leading up to the data breaches and its subsequent conduct constituted a breach of the duty to shareholders to provide security, the duty to monitor, the duty to disclose, or some combination thereof the impact on Verizon shareholders of the acquisition price renegotiation and Verizon's assumption of post-closing cyber liabilities; and whether more drastic compensation clawbacks for key Yahoo executives would be appropriate. Cybersecurity remains a threat to all enterprises, and this Article contributes to the corporate governance literature, particularly as it applies to mergers and acquisitions and the management of cyber liability risk.