Typically when there’s a large corporate legal violation or other incident which damages the reputation of the organization, one of the key factors is the failure of the Board to engage in active oversight. However, when such an event occurs, there are multiple levels of responsibility.
A Wall Street Journal article detailed some of these failures regarding Yahoo’s 2014 data breach. The article didn’t present a very pretty picture of a functioning corporate structure.
An independent Board investigation found that CEO Marissa Mayer and “other senior executives failed to properly comprehend or investigate” the data breach, which involved the hacking of more than 500 million Yahoo user accounts. These systemic corporate failures led the Yahoo Board to cut the CEO’s pay and accept the resignation of the company’s General Counsel.
Yahoo’s senior management came in for criticism for failing to fully appreciate the consequences of the data breach, even though they were “aware that a state-sponsored actor accessed user accounts by exploiting Yahoo’s account management tool.”
The company’s lawyers came in for criticism for failing to “sufficiently investigate the breach despite having enough information to justify a deeper probe.”
Finally Yahoo’s security team was criticized because it knew data had been stolen from company user accounts but apparently failed to apprise management of this salient fact.
In light of the recently released Justice Department Evaluation of Corporate Compliance Programs, a company needs a much more robust and integrated approach to allegations not only of corporate wrongdoing but also of issues which could negatively impact the reputation of the organization.
The DOJ Evaluation makes clear that not only should an internal investigation be properly scoped and performed with competent personnel, the investigative findings must be reported up the organizational chain. In the case of Yahoo and its 2014 data breach, it would appear that none of the basic specifications around incident investigation and reporting laid out in the Evaluation were met.
Yahoo has already had to accept a $350 million price reduction from corporate suitor Verizon Communications. If the transaction still closes, I would expect that Verizon may well clean house for this most basic corporate process failure.
____
Tom Fox is a Contributing Editor of the FCPA Blog. He has practiced law in Houston for 30 years. He’s the creator of the award-winning FCPA Compliance and Ethics website. He is the Compliance Evangelist. His best-selling seminal book, “Best Practices Under the FCPA and Bribery Act: How to Create a First Class Compliance Program” (available from Amazon), is widely viewed as one of the top volumes on the nuts and bolts of compliance.
1 Comment
Tom, good post! A corporate train wreck like this is often depressing to unpack, because it will usually point to a badly constructed compliance program designed and managed by unqualified managers lacking true compliance subject matter expertise (SME). But at a minimum, it certainly points to some questions any experienced CCO would ask:
– What was the Board Escalation Policy? Because any Board that is serious about its oversight role wants to have a standard for ensuring that the major threats affecting their company are raised to them on an escalated basis;
– What were the company's investigation protocols? Did they have measures in place to ensure robust, complete and objective investigations?
Certainly it's worth asking how their compliance program measured up against the DOJ's new Evaluation benchmark tool, and certainly it is time to ask what kind of Compliance SME was part of the design and management of their compliance program, including investigations. And after the University of Michigan Ross School of Business empirical study and white paper, "Why GCs Don't Stop Corporate Crime?", I hope the answer isn't the GC or the Legal Dept! #Ugh