After Yahoo GC's exit, are in-house counsel jobs at risk over cybersecurity?
Is the departure of Yahoo legal chief Ron Bell a wakeup call for in-house lawyers?
March 06, 2017 at 06:48 AM
5 minute read
The original version of this story was published on Law.com
Yahoo has had a tough run in the wake of the 2016 public disclosure of two massive data breaches that took years to disclose – one in 2014 that impacted at least 500 million customer email accounts and another in 2013 that affected more than one billion user accounts.
As a result, the company took a $350m (£285m) price cut in its planned acquisition by Verizon and has paid $16m (£13m) in publicly reported expenses related to the incidents, including $11m (£9m) in non-recurring legal costs.
On Wednesday (1 March), the breaches hit home for the legal department in a major way, when the company announced in a filing with the US Securities and Exchange Commission that general counsel Ron Bell is leaving the company, after the release of the results of an independent investigation into the breaches.
It seems Yahoo's legal department is getting a great deal of the blame for the company's cybersecurity problems, and lawyers working on cybersecurity issues – though not for Yahoo – believe the incidents, as well as the consequences for Bell, should serve as a wakeup call for in-house lawyers.
According to Wednesday's disclosures, Bell resigned from his general counsel role effective immediately with "no payments…in connection with his resignation". Yahoo explained in the filing that certain senior executives at the company, as well as members of its legal team, "had sufficient information to warrant substantial further inquiry in 2014" about a hack by a state-sponsored actor, but "they did not sufficiently pursue it".
Many have questioned why Bell would take the fall for his company here. Vijaya Gadde, general counsel at Twitter, tweeted that while she didn't know what happened at Yahoo, "it's easy to blame the lawyers". She added: "I also know that Ron Bell is a good lawyer."
But invariably, someone will have to own responsibility for this, according to Al Saikali, partner and chair of the privacy and data security practice at US law firm Shook Hardy & Bacon. While it may be the case that Bell was not directly involved in the missteps, "he's the head of the legal department at the end of the day", said Saikali, adding: "If the legal department makes a recommendation that's incorrect, he's the captain of the ship and he'd take the fall for it."
Bell's resignation in connection with the data breaches should be a signal to in-house counsel that jobs may be on the line as a result of cybersecurity issues, said Edward McAndrew, a partner at Ballard Spahr and co-leader of the US firm's privacy and data security group. "In-house counsel are often best positioned to play leading roles in cyber-incident response, but they are often on the sidelines," he said. "And that's not a viable model anymore for anyone who wants to keep their job."
But just because general counsel and their in-house colleagues have to step up, that doesn't mean dealing with a breach and its aftermath is at all simple, cybersecurity lawyers say.
There are a number of complexities that in-house counsel have to grapple with when dealing with a potential hack, said Saikali. A forensic investigation doesn't always reveal with certainty what information was accessed, for instance, and "you don't want to scare people with unnecessary notice", he explained.
And if notice is required to consumers, he added, the legal team is then going to be "dealing with a patchwork of state data breach notification laws that govern notification".
But there are steps in-house counsel can take to avoid being targeted when there's a breach, said McAndrew. "The in-house lawyer who is trying to protect himself or herself needs to be able to clearly communicate and have channels available to them to escalate these issues within the legal department and within the organisation," he said. "You need to be able to communicate risk through a chain of command, to be sure decision makers have all the information."
The general counsel should be asking questions of the board and the IT team to figure out what the status of the company is when it comes to data security, said Denver Edwards, a principal at law firm Bressler Amery & Ross. "What policies are in place?" he asked. "How engaged is the board when it comes to data security? What are vendor relationships like?"
"You'd be negligent at this point if you don't have an incident response plan on what to do when there is a breach," Edwards added. "And the general counsel, if he or she is aware of a breach of this magnitude, must go to the board and engage them right away and have the incident response plan triggered."
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
FTC Settles With Security Firm Over AI Claims Under Agency's Compliance Program
6 minute read
People and Purpose: AbbVie's GC on Leading With Impact and Inspiring Change
7 minute read
'You Can’t Do a First Draft of Common Sense': Microsoft GC Jon Palmer Talks AI, Litigation, and Leadership
Contract Software Unicorn Ironclad Hires Former Pinterest Lawyer as GC
2 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
