Monday, January 30, 2017

Yahoo Data Security Breach and Merger Agreement with Verizon

On July 23, 2016, Yahoo and Verizon entered into a Stock Purchase Agreement (https://www.sec.gov/Archives/edgar/data/1011006/000119312516656036/d178500dex21.htm). Months later, but prior to the closing, Yahoo publicly announced that data associated with at least 500 million user accounts had been stolen in 2014. The data included customer names, email addresses, phone numbers, dates of birth, passwords, and security questions and answers.

Within days of the announcement, several class action lawsuits were filed against Yahoo claiming that the company intentionally or recklessly failed to protect user data in violation of various state and federal laws, including the Federal Trade Commission Act and California privacy statutes.

If you are a corporate fiduciary looking to minimize your risk of personal liability, consider the following when contemplating your next merger or acquisition:

One - Choose the Right Deal Structure

VZ seems to be trying to acquire Yahoo to obtain its proprietary advertising and content assets, but not other underperforming aspects of Yahoo's business. Yet VZ structured the transaction as a stock acquisition and not as an asset sale. By acquiring all of Yahoo's stock, VZ will acquire all of its liabilities, including those associated with the data security breach that occurred in 2014. When evaluating a transaction, fiduciaries should consider whether an asset sale or a stock sale makes more sense given the momentum behind the transaction. If the transaction is driven by discrete assets, it would make sense to carve out and purchase only the desired assets, explicitly excluding any data (and all liabilities) associated with the other assets.

Two - Consider Stripping Knowledge and MAE Qualifiers in IP / Data Reps

In order to address data breach liabilities, the purchase agreement between Yahoo and VZ included the following rep under Section 2.16 Intellectual Property:

"(p) To the Knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems or (ii) loss, theft, unauthorized access or acquisition, modification, disclosure, corruption, or other misuse of any Personal Data in Seller’s or the Business Subsidiaries’ possession, or other confidential data owned by Seller or the Business Subsidiaries (or provided to Seller or the Business Subsidiaries by their customers) in Seller’s or the Business Subsidiaries’ possession, in each case (i) and (ii) that could reasonably be expected to have a Business Material Adverse Effect. Neither Seller nor the Business Subsidiaries have notified in writing, or to the Knowledge of Seller, been required by applicable Law or a Governmental Authority to notify in writing, any Person of any Security Breach. To the Knowledge of Seller, neither Seller nor the Business Subsidiaries have received any notice of any claims, investigations (including investigations by a Governmental Authority), or alleged violations of Laws with respect to Personal Data possessed by Seller or the Business Subsidiaries, in each case that could reasonably be expected to have a Business Material Adverse Effect."

*** Knowledge ***

As reported by the media, Yahoo had been unaware of the breach for over two years. Late discovery is not uncommon, since most hacks rely on malicious code that enters a network disguised as a mundane attachment and then sits silently until activated days, weeks, months or even years later. It is very plausible for a buyer to acquire a business, only to suffer a host of post-closing consequences of a data breach facilitated by bugs implanted pre-closing. Had Yahoo and VZ closed the transaction prior to the discovery of the data breach, VZ would have inherited significant data breach liabilities, but would have had limited recourse against Yahoo because Yahoo technically did not breach the reps under Section 2.16(p) of the purchase agreement.

*** MAE ***

In the case of data security breaches, it is often very difficult, if not impossible, to quantify whether an incident will have a material adverse effect until a significant amount of time has passed after closing. The duration of lawsuits, magnitude of fines, full impact of reputational damage, and cost of internal remediation and revamping of security protocols and systems can remain largely unknown for an extended period of time.

Every data security breach is unique, and the Yahoo breach does not seem to involve credit cards or issuing banks, two factors that may significantly increase the cost of remedy. Termination of the purchase agreement for MAE or renegotiation of the purchase price seem to be among the limited options that the parties may have, but neither party would know the full scope of what is being renegotiated. Thus, reaching an agreement may prove quite elusive.

Setting a threshold in the definition of MAE in the context of a data breach might be helpful to specifically delineate the parties' rights and remedies, such as an event involving fewer than 50,000 accounts, except for any event involving any unauthorized disclosure of or access to PHI.

Consider setting a separate escrow pool for data security breaches.

Three - No Substitute for Thorough and Affirmative Due Diligence

Buyers should insist on provisions in the purchase agreement that allow third-party testing of the target's technology and systems to identify latent data breach issues and significant vulnerabilities, similar to Phase I and II testing for environmental liabilities, including rights to conduct additional extensive testing upon discovery of potential issues to fully understand the scope of the problem and the magnitude of the potential liabilities.
