Yahoo's massive 2014 data breach, not revealed until September 2016, produced a badly fumbled crisis response. Then a top Verizon lawyer said the news could reopen the terms of the telecom giant's pending deal to acquire the Internet company's major assets.

Now there could be more bad news, this time on the legal front, depending on the ongoing investigations. If any employees knew of the problem at the time, would that trigger the data breach notification laws of various states, or federal law? Then comes the question of whether Yahoo was diligent enough to avoid exposure to a range of lawsuits.

Yahoo's filing

According to a New York Times report on a Yahoo SEC filing yesterday, the company knew of a "state-sponsored" network breach in late 2014. In response to questions, Yahoo referred to the language of the 10-Q filed yesterday. Here's the explanation:

In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker's claim. Following this investigation, the Company intensified an ongoing broader review of the Company's network and data security, including a review of prior access to the Company's network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders.
The Company, with the assistance of outside forensic experts, continues to investigate the Security Incident and related matters. The Company is actively working with U.S. law enforcement authorities on this matter.
As described above, the Company had identified that a state-sponsored actor had access to the Company's network in late 2014. An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users' account information had been accessed, the Company's security measures, and related incidents and issues.
In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users' accounts or account information.

There are a few things to note:

  • Awareness of a network intrusion is not necessarily the same as awareness that user data was taken.
  • According to a source familiar with the situation, there was apparently only one incident, not two separate ones.
  • Yahoo is now investigating more deeply who knew what, and when they knew it.
  • Many of the laws hold a company at fault if it either knew, or reasonably should have known, about a problem.

In other words, to date Yahoo has disclosed no evidence that anyone at the company knew about the data loss, even if they knew about the network intrusion. However, if any employees did know and failed to pass the information up the organizational ladder, or stopped it from being passed on further, Yahoo would have a potentially big problem. Let's start with the states.

State data laws

A number of states, such as California, New York, and Massachusetts, have data privacy and protection laws that govern any business activity within the state, whether or not the company is located there. Each law typically has a clause requiring reasonably prompt notification of consumers that their data has been breached.

For example, California's law says a company "shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." The disclosure must be done "in the most expedient time possible and without unreasonable delay." Massachusetts, New York, and various other states have similar laws.

States differ on exactly which lost data elements trigger a notification obligation. For some, a name might be enough. For others, there must be loss of credit card or other financial account information. But, as in virtually any case of business regulation and compliance, saying that an employee knew and didn't pass the information on isn't a defense. The company is still considered culpable.

Consequences also vary. In New York, a court can impose a civil penalty of $10 per consumer notification not made, up to $150,000, if the company knowingly or recklessly failed to notify. A court can also award the actual costs and losses incurred by a consumer. The Attorney General can seek injunctive relief, meaning the court could compel the company to take actions it would not otherwise take.

In Massachusetts, a court can fine a company up to $5,000 for each violation. That means each affected consumer record within the state, not each separate incident. As an example, a property management firm that lost a laptop holding the information of 600 people was fined $15,000, or $25 a record.

Depending on how customers are distributed among the states and the penalties in each, the fines could mount up quickly. It gets even stickier because many of the 500 million affected accounts had to belong to people outside the US (the entire US population is only about 320 million), including the EU, where fines under the General Data Protection Regulation (adopted in 2016 and applicable from 2018) can reach 2 percent of a company's annual worldwide turnover.

Consumer and federal actions

As with the state laws, if any Yahoo employees had knowledge of the data loss, there could be lawsuits, depending on the specific state and how it addresses the issue. A good guess is that in some states, law firms that specialize in class action suits would jump aboard. That would mean multiple venues in which to fight lawsuits, and aggregated claims large enough that Yahoo could not count on individual consumers declining to sue because of the cost of filing, particularly when they could not readily prove an actual financial loss from the breach.

Then there is federal law, or, rather, laws. The FTC has brought actions against companies over data breaches. If financial information is involved, that might trigger the Gramm-Leach-Bliley Act, which governs financial services. Breaches could trigger penalties of up to $16,000 for each loss and each failure to notify.

In other words, there is probably a lot of sweating in the boardroom at Yahoo's headquarters at the moment. And that's even before the ultimate result of the investigation, or merely the potential for problems, encourages Verizon to push back further on what it is willing to pay. All Yahoo can do now is pray that no one at the company noticed the loss of any data at the time.