By Ashley Russo
In 2014, half a billion Yahoo user accounts were hacked, compromising customer’s names, email addresses, telephone numbers, birth dates, passwords, and other private information. However, no public mention was made of this until just last month. This lack of communication has government officials, legal experts, and civilians who were affected by this extremely disturbed. It is bad enough for this kind of cyber-attack to occur, but to take more than two years to report on it is unacceptable. According to Florida law, notification of a breach must be made within a reasonable time frame, which is usually within thirty days.
Within days of making the announcement, Yahoo faces six lawsuits, with more expected to follow. Currently, some of these lawsuits include consumer class action suits with claims of gross negligence for failing to protect customers, and failing to promptly notify them so that they could take steps to avoid identity theft. With these claims, Yahoo’s lawyers will face difficulty in arguing that most customers were not actually harmed in the hack, for information as personal as bank, credit, and debit card information may have been compromised. After the announcement of the cyber-attack, consumers have had to pay out of pocket to freeze their credit and debit accounts.
Yahoo is currently an undergoing investigation into the data breach. They claim that they detected the breach in the summer of 2016 after conducting a security review. Following major cyber-attacks at several other companies in the past few years, most notably Target and Home Depot, and facing huge monetary losses over the past several years, Yahoo should have been more careful with their disclosure of this event. Yahoo claims that it cooperated with the FBI’s warning of the hacking, however, lawyers who have been assigned to represent consumers in these lawsuits claim that they look forward to countering Yahoo’s argument that it had to postpone customer notices pending the FBI’s investigation.
With the investigation of the cyber-attack, questions have been raised as to exactly who was behind it, and where the attack came from. Yahoo said that the 500 million accounts that were hacked in 2014 came from a “state-sponsored actor.” According to experts, these attacks frequently come from foreign countries. However, experts in the cyber security field raise the point that this type of hack could occur from negligence within the company, or even simple human error. This could occur when employees fail to safeguard information, or when companies have not created policies and procedures to maintain the privacy of their customer’s or client’s personal information.
Allegations have also been made that Yahoo CEO, Marissa Mayer, may have known about the breach in July, just as the company was completing its $4.8 billion sale to Verizon. Six senators have already brought this to the attention of the Senate Cyber-Security Caucus, urging its chairwoman to look into whether Yahoo was in violation of federal securities laws for their negligence.
Due to this time lapse between the hacking and the disclosure of the incident, Yahoo is now in a vulnerable place, especially according to lawyers in the cyber-security field. It seems as though Yahoo may have waited a bit too long before disclosing the cyber attack, for at this point, if someone’s personal information was taken, it has already been used by the hacker.
Student Bio: Ashley is a current 2L at Suffolk University Law School. She is a Staff Member on the Journal of High Technology Law, President of the Environmental Law Society, and Vice President of the Suffolk Public Interest Law Group. She holds a B.A. in History and Political Science from Hobart and William Smith Colleges.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.
