What Yahoo's Failed Data Breach Settlement Means for Cybersecurity

Yahoo has been under the microscope for its inadequate handling of customer data for years. The company is currently facing a lawsuit for damages resulting from the 2012 data breach, just as it seemed like it was on the verge of reaching a settlement and putting the disaster behind it –  a California judge issued a harsh rebuttal and rejected the proposed settlement.

The judge said that Yahoo has a long history of failing to handle customer data properly. She said that the settlement is not at all adequate. Yahoo must either offer a more lucrative proposal to the plaintiffs or face them in court.

The ramifications for the search engine giant are potentially severe. Yahoo generated $269 million in net income in the fourth quarter of 2018. If the judge in this case feels that the proposed $50 million settlement is not enough, then Yahoo could end up paying an entire quarter’s worth of profits or more to reach a more acceptable deal.

While this is a blow to Yahoo, it could also set a much bigger precedent in the future. Other companies are going to realize that the justice system is ready to start holding them accountable for failing to adopt appropriate security measures. Companies will need to learn more about board security and take appropriate measures. 

What does the failed data breach mean for the future of cybersecurity?
This judge’s decision was unexpected. It is rare that judges intervene in proposed settlements between two parties in a civil lawsuit. They usually allow both sides to reach an amicable agreement and respect the decision, so long as it was not done under coercion.

The judge made a clear exception here. She wants to set an example for Yahoo and other companies that have neglected their duties to customers by instituting appropriate cybersecurity measures. This raises some questions that will need to be answered in due time. Some of these questions are listed below.

Will the justice system start holding companies to a higher standard if they don’t take basic cybersecurity precautions?
In the past, consumers and privacy activists have been most vocal about shortcomings with cybersecurity standards. Members of the justice system barely weighed in, unless they were delivering a finding at the conclusion of a civil lawsuit. It is very unusual for a judge to rebuke a company before the two sides have even agreed to go to trial.

This might mean that the justice system is ready to start taking a harder line against companies that don’t implement appropriate cybersecurity. Companies that don’t heed their stern rebukes might face much more expensive penalties in court.

How will smaller companies be treated?
Yahoo is a massive company that keeps records of hundreds of millions of customers. Few people have any sympathy for it after being harshly reprimanded by a judge. Their lack of sympathy will probably turn into joy after hearing the company is required to pay a massive amount of damages.

The question is whether the courts are about to set some very severe standards for smaller companies. If they start to impose extremely high fines on them, then they could cripple many small businesses.

As it is, security breaches are already a death sentence for the average small business. One study found that 60% of small businesses that suffer a security breach are forced into bankruptcy within six months.

Some business owners might think this means things couldn’t get any worse, but nothing could be further from the truth. Most small businesses are sole proprietorships that aren’t registered as limited liability company. This means that business owners are personally liable for any losses incurred by the company.

If they are forced to pay a large settlement on top of the other costs that already drove their company out of business, then they will be liable for that for the rest of their lives. 

Will stricter judicial reviews lead to clearer security guidelines?
It is still too early to tell whether this is the beginning of a new approach to handling companies that are incompetent in their duties to protect customer data. If it is the beginning of a major change, companies will have to start implementing much better security protocols.

In order to address the concerns raised by the judicial system, privacy activists and customers, they will need to seek much better clarification.

The question is whether that clarification will be timely. Regulators and judicial officials might continue to give vague guidelines, even as they start imposing stricter penalties on companies they feel are missing the mark.

Rehan Ijaz is an entrepreneur, business graduate, content strategist and editor overseeing contributed content at bigdatashowcase.com. He is passionate about writing stuff for startups. His areas of interest include digital business strategy and strategic decision making.

What’s Hot on Infosecurity Magazine?