Yahoo would be liable to pay a $198m fine were GDPR already enforced
At the dawn of the internet, Google and Yahoo were in stiff competition for search dominance.
Many think the former’s success was due in part to its name becoming a ubiquitous verb for searching online. But decades on, semantic development has finally caught up with Yahoo. Its name is now synonymous with bad data practice.
In both 2013 and 2014, the company was responsible for the biggest data breach in history, affecting 1bn and 500m accounts respectively. It faces class action lawsuits from disgruntled users over its failure to notify them of a cybersecurity breach. As context, a similar case involving retailer Target was settled for $39m last year.
But class action lawsuits will be the least of businesses’ worries once the EU’s General Data Protection Regulation (GDPR) is enforced in a little over 18 months. Under the new regulation there are myriad grounds on which a fine could be imposed, three of which apply to Yahoo’s conduct. If an EU citizen’s data is breached; if it transpires that the systems in place were not GDPR compliant; or if the business fails to notify users within 72 hours, it can be fined 4 per cent of its global group revenue or €20m, whichever is greater.
There’s no scope for retroactive prosecution under GDPR, so Yahoo is off the hook regarding these breaches. But analysing the consequences hypothetically, as if it were already in force, is an interesting way to understand just how far-reaching GDPR is.
Yahoo’s 2015 revenue was $4.9bn, meaning that the hypothetical 4 per cent fine would be $198m per breach. Not company-killing money for a behemoth, but certainly impactful. Pricing such heavy fines and lawsuits into results would knock profit margins off course, likely spooking investors and resulting in further losses. The reputational damage could take years to rectify, if it could be rectified at all.
Yahoo said it discovered the first breach in July. It didn’t notify Verizon, which is in the process of acquiring it, until September. In the US, there are notification laws – currently 47 states have them. But the thresholds are typically based on harm caused to consumers, which may be difficult to prove in this incident. Under GDPR a business has 72 hours to report a breach to those affected; otherwise, again, it will face a penalty.
Quite how the fines will be enforced is presently unclear, according to Paul Glass, partner in the data protection team at Taylor Wessing. “Regulators aren’t engaged with how they would price a fine like this, or what the process would be”, he says. “But if I was to speculate, there would be a draft penalty notice, which goes to Yahoo, with an indication of the level of fine – something like the early settlement regime similar to the FCA. I think that there would probably be some sort of room for negotiations.”
Agreeing an early settlement could work in favour of a business looking to put things right quickly and protect its reputation as best it can. Sitting on a breach, as Yahoo did, certainly makes you look suspicious.
Verizon is in the process of acquiring Yahoo for $4.83bn, but is exploring options to either cancel or renegotiate the price following further details of the breach. Verizon said it will “review the impact of this new development before reaching any final decision”. But had the acquisition been finalised, would it be responsible for Yahoo’s breach? Under GDPR the so-called data controller is liable, “which would be Yahoo,” says Glass. “Post acquisition it would continue to be, unless it changes how it manages data.”
But like Myspace before it, Yahoo is being purchased, in part, for its plethora of user data, as well as its stake in Alibaba and Yahoo Japan. It’s likely that if Verizon sees the acquisition through, it will become the data controller, and therefore liable in the future. In this hypothetical model, had the breach occurred under Verizon’s ownership, a 4 per cent fine based on its revenues of $131.6bn last year would make it liable for $5.2bn.
While hypothetical, it paints a picture of things to come. If a multinational that deals with consumer data as a core function of its business can’t get on top of its security and compliance, what hope do smaller businesses have?
The Yahoo breach should be a wake-up call to businesses of all scopes and sizes. Research out yesterday from Veritas surveyed over 2,500 senior technology decision makers across the globe, and found that more than half of organisations have failed to begin any kind of preparation to meet even the minimum standards of GDPR.
Businesses should already be adhering to GDPR as best practice. There is no excuse for poor data management – you can’t just blame Russia and hope it all blows over. GDPR is just 18 months away, and unpreparedness, while not on a Yahoo scale for most, could cost your business dearly. The fines are heavy, but the long-lasting reputational damage could be a killer. Don’t “Yahoo it”.