Yahoo has had a tough run in the wake of the 2016 public disclosure of two massive data breaches that took years to disclose – one in 2014 that impacted at least 500 million customer email accounts and another in 2013 that affected more than one billion user accounts.

As a result, the company took a $350m (£285m) price cut in its planned acquisition by Verizon and has paid $16m (£13m) in publicly reported expenses related to the incidents, including $11m (£9m) in non-recurring legal costs.

On Wednesday (1 March), the breaches hit home for the legal department in a major way, when the company announced in a filing with the US Securities and Exchange Commission that general counsel Ron Bell is leaving the company, after the release of the results of an independent investigation into the breaches.

It seems Yahoo's legal department is getting a great deal of the blame for the company's cybersecurity problems, and lawyers working on cybersecurity issues – though not for Yahoo – believe the incidents, as well as the consequences for Bell, should serve as a wakeup call for in-house lawyers.

According to Wednesday's disclosures, Bell resigned from his general counsel role effective immediately with "no payments…in connection with his resignation". Yahoo explained in the filing that certain senior executives at the company, as well as members of its legal team, "had sufficient information to warrant substantial further inquiry in 2014" about a hack by a state-sponsored actor, but "they did not sufficiently pursue it".

Many have questioned why Bell would take the fall for his company here. Vijaya Gadde, general counsel at Twitter, tweeted that while she didn't know what happened at Yahoo, "it's easy to blame the lawyers". She added: "I also know that Ron Bell is a good lawyer."

But invariably, someone will have to own responsibility for this, according to Al Saikali, partner and chair of the privacy and data security practice at US law firm Shook Hardy & Bacon. While it may be the case that Bell was not directly involved in the missteps, "he's the head of the legal department at the end of the day", said Saikali, adding: "If the legal department makes a recommendation that's incorrect, he's the captain of the ship and he'd take the fall for it."

Bell's resignation in connection with the data breaches should be a signal to in-house counsel that jobs may be on the line as a result of cybersecurity issues, said Edward McAndrew, a partner at Ballard Spahr and co-leader of the US firm's privacy and data security group. "In-house counsel are often best positioned to play leading roles in cyber-incident response, but they are often on the sidelines," he said. "And that's not a viable model anymore for anyone who wants to keep their job."

But just because general counsel and their in-house colleagues have to step up, that doesn't mean dealing with a breach and its aftermath is at all simple, cybersecurity lawyers say.

There are a number of complexities that in-house counsel have to grapple with when dealing with a potential hack, said Saikali. A forensic investigation doesn't always reveal with certainty what information was accessed, for instance, and "you don't want to scare people with unnecessary notice", he explained.

And if notice is required to consumers, he added, the legal team is then going to be "dealing with a patchwork of state data breach notification laws that govern notification".

But there are steps in-house counsel can take to avoid being targeted when there's a breach, said McAndrew. "The in-house lawyer who is trying to protect himself or herself needs to be able to clearly communicate and have channels available to them to escalate these issues within the legal department and within the organisation," he said. "You need to be able to communicate risk through a chain of command, to be sure decision makers have all the information."

The general counsel should be asking questions of the board and the IT team to figure out what the status of the company is when it comes to data security, said Denver Edwards, a principal at law firm Bressler Amery & Ross. "What policies are in place?" he asked. "How engaged is the board when it comes to data security? What are vendor relationships like?"

"You'd be negligent at this point if you don't have an incident response plan on what to do when there is a breach," Edwards added. "And the general counsel, if he or she is aware of a breach of this magnitude, must go to the board and engage them right away and have the incident response plan triggered."