There is a grave and unfortunate misperception among many business leaders who believe that when their company has had a data breach, going through a response and notification of affected individuals is optional. To the educated readers of this blog, this sounds shocking. Sadly, it is something I see on a regular basis. What is worse is that there are far too many lawyers who do not practice in this area but, out of ignorance, advise such clients that it is really not as big of a deal as we are making out of it and that they can just ignore it.
Do so at your own peril. I am confident that Yahoo has an excellent legal team and did not fall into this category, but a recent article about the Yahoo breach made me think of those that I referred to above. The article discusses a recent letter that several United States Senators sent to Yahoo’s CEO in which they demand answers to the following questions (the letter):
- When did Yahoo learn of the breach?
- How did Yahoo learn of the breach?
- What are all of the services that were affected?
- How did the incident go undetected for as long as it did?
- Why did the incident go undetected for as long as it did?
- How did Yahoo investigate the incident?
- When did Yahoo notify law enforcement or other governmental authorities of the incident?
- How did law enforcement investigate the incident?
- Did anyone within the U.S. government warn Yahoo of a possible hacking attempt by state-sponsored hackers or other bad actors and, if so, when did the warning take place?
- How does Yahoo intend to protect consumers in the future?
So, for those folks that I referenced in the first paragraph of this post, good luck. Oh, and, do you still think all of this is optional?
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.