Typically when there’s a large corporate legal violation or other incident which damages the reputation of the organization, one of the key factors is the failure of the Board to engage in active oversight. However, when such an event occurs, there are multiple levels of responsibility.
An independent Board investigation has found that CEO Marissa Mayer and “other senior executives failed to properly comprehend or investigate” the data breach that involved the hacking of more than 500 million Yahoo user accounts. These systemic corporate failures led the Yahoo Board to cut the CEO’s pay and accept the resignation of the company’s General Counsel.
Yahoo’s senior management came in for criticism for failing to fully appreciate the consequences of the data breach, even though they were “aware that a state-sponsored actor accessed user accounts by exploiting Yahoo’s account management tool.”
The company’s lawyers came in for criticism for failing to “sufficiently investigate the breach despite having enough information to justify a deeper probe.”
Finally, Yahoo’s security team was criticized because it knew data had been stolen from company user accounts but apparently failed to apprise management of this salient fact.
In light of the recently released Justice Department Evaluation of Corporate Compliance Programs, a company needs to have a much more robust and integrated approach to allegations not only of corporate wrongdoing but also of issues which could negatively impact the reputation of an organization.
The DOJ Evaluation makes clear that not only should an internal investigation be properly scoped and performed with competent personnel, the investigative findings must be reported up the organizational chain. In the case of Yahoo and its 2014 data breach, it would appear that none of the basic specifications around incident investigation and reporting laid out in the Evaluation were met.
Yahoo has already had to accept a $350 million price reduction from corporate suitor Verizon Communications. If the transaction still closes, I would expect that Verizon may well clean house for this most basic corporate process failure.
Tom Fox is a Contributing Editor of the FCPA Blog. He has practiced law in Houston for 30 years. He’s the creator of the award-winning FCPA Compliance and Ethics website. He is the Compliance Evangelist. His best-selling seminal book, “Best Practices Under the FCPA and Bribery Act: How to Create a First Class Compliance Program” (available from Amazon), is widely viewed as one of the top volumes on the nuts and bolts of compliance.