NEW YORK (Legal Newsline) - When Yahoo opened up about what could be one of the largest cyber attacks to date, it might have reopened what had been a done deal with a prospective buyer.
And although pending class actions cases against Yahoo might make matters worse, the company isn't willing to discuss that aspect.
Verizon had agreed to purchase Yahoo for $4.8 billion, but an attorney for the telecommunications company recently told reporters in Washington that the deal might be reworked.
There's basis that the impact of the breach "is material and we're looking to Yahoo to demonstrate to us the full impact," said Craig Silliman, Verizon's general counsel.
Although the extent of the breach is still unknown, news of it is enough to help Verizon buy Yahoo for a lower price, according to Neil Shah, a partner at Counterpoint Research.
“This gives Verizon leverage to somewhat re-engage in negotiation for the price of the purchase, as the ‘brand and trust value’ has taken a serious hit in light of this security breach and the higher value is not justified,” Shah told Legal Newsline.
“Ideally, the price of the sale will see a downward revision.”
Legal Newsline reached out to Charles Stewart, Yahoo spokesman, who would only defer to a blog post from Bob Lord, Yahoo's chief information security officer.
Yahoo "believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the [suspected] state-sponsored actor is currently in Yahoo’s network," Lord said in the blog post. "Yahoo is working closely with law enforcement on this matter."
And Stewart declined to address the pending class actions that accuse the company of failing to take "basic measures" to protect its users' data.
"We don't comment on pending litigation," Stewart told Legal Newsline.
There may be more to come but, right now, Yahoo is facing class action suits filed by plaintiffs seeking to collect damages from the company for failing to prevent the security breach and taking so long, close to two years, to uncover it.
It the future, public companies could face stiff penalties from the Securities and Exchange Commission for taking too long to disclose breaches to consumer, similar to legislation proposed by New York State Department of Financial Services, according to Bess Hinson, an associate at Nelson Mullins Riley & Scarborough’s privacy and information security practice group at the firm's Columbia, South Carolina, office.
Public companies “are going to be held responsible by the SEC,” Hinson told Legal Newsline. “I don't think the SEC has acted against a company for failing to disclose a cyber-security incident, but it has brought a couple of enforcement actions against companies for insufficient data protection.”
And that’s a big deal for a public company, Hinson said. And smaller companies aren’t getting a pass either.
“For smaller companies, they're still subject to data protection standards that may be established in their state," Hinson said. "Or they may be required to comply with those laws if they collect personal information from residents of those states.”