Failure to Disclose Data Breach Costs Yahoo $35M
By Malak Doss, American University
On April 24, 2018, the U.S. Securities and Exchange Commission (SEC) imposed a $35 million penalty on Yahoo—now known as Altaba—for failing to timely disclose in its public filings a severe 2014 data breach that compromised the privacy of hundreds of millions of its users. When Yahoo’s information security team discovered the data breach in December 2014, the chief information security officer reported the breach to the company’s senior management and legal teams; however, the company chose not to disclose the breach to its outside auditors or outside counsel, or in any of its public filings. The hackers continued to target Yahoo’s user database in 2015 and 2016, but Yahoo did not acknowledge the data breach until September 2016. The SEC found Yahoo’s public filings following the 2014 data breach materially misleading for failing to disclose the breach, as required by Items 303 and 503(c) of Regulation S-K. Prior to this Yahoo settlement, the SEC had never brought an enforcement action in response to a company’s failure to disclose a data breach, which demonstrates the rising necessity for public companies to implement comprehensive cybersecurity incident response plans and to adequately assess risk factors and other public disclosures regarding data breaches.
Burgers, Fries, and Cybersecurity: Wendy’s and its Shareholders Settle on Cyber Reforms
By Dylan Miller, University of Pennsylvania
The Wendy’s Company and certain of its shareholders have reached a settlement in a consolidated shareholder derivative action pending in Ohio, according to motion papers seeking approval of the deal. In re The Wendy’s Company Shareholder Derivative Action, No. 1:16-cv-01153 (S.D. Ohio). The derivative action arose out of a third-party criminal cyberattack at certain franchise-owned Wendy’s restaurant locations, in which malware was placed on the point-of-sale systems. Wendy’s shareholders alleged that management breached their fiduciary duties of loyalty and good faith by (1) failing to implement and enforce a system of effective internal controls and procedures with respect to data security for Wendy’s and its franchises; (2) failing to exercise their oversight duties by allegedly not monitoring Wendy’s and its franchisees’ compliance with federal and state laws; and (3) failing to cause Wendy’s to make full and fair disclosures concerning the effectiveness of Wendy’s policies and procedures with respect to data security and the scope and impact of the data breach. The settlement provides for, among other things, the following cybersecurity-focused corporate governance reforms: Wendy’s Board must create a board-level technology committee with oversight responsibilities relating to matters of Wendy’s information technology and cybersecurity; the newly created technology committee must have an oversight role with respect to Wendy’s cybersecurity; Wendy’s must maintain its technology advisory council of franchisee representatives; and Wendy’s must either provide certain foundational security services to its franchisees or designate an approved vendor for similar services.
SCOTUS Finds Expectation of Privacy For Driver Not Listed on Car-Rental Agreement
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor LLP
Resolving a split among the circuit courts, the U.S. Supreme Court has held that a person in lawful possession of a rental car has a reasonable expectation of privacy in that car even if not listed on the rental agreement as an authorized driver. In Byrd v. U.S., No. 16-1371, 584 U.S. __ (2018), Terrence Byrd was stopped by Pennsylvania police while driving a car rented by his friend. When police realized Byrd was not listed on the rental agreement and had a prior record, they searched the car, ultimately finding body armor and 49 bricks of heroin. The lower courts denied Byrd’s motion to suppress. The Supreme Court found that the rental contract simply allocated risk between the renter and the rentee and “that risk allocation has little to do with whether one would have a reasonable expectation of privacy in the rental car if, for example, he or she otherwise has lawful possession of and control over the car.” The Court remanded for determination of whether Byrd’s fraudulent use of a friend to rent the car rendered him “not better situated than a car thief” who lacked lawful possession of the car and whether the search was justified by probable cause.
No Right to Privacy: When a Corporation is Not a Person
By Steven W. Lee, Villanova University
A Texas state court recently held that corporations do not have a recognized right to privacy when the claim is based on appropriation of one’s name or likeness. In Doggett v. Travis Law Firm, No. 17-00098 (Tex. App. May 10, 2018), the Appellant, an attorney, used the Appellee’s law firm name and email address when conducting business outside of the firm and without permission. The Appellee brought a claim for invasion of privacy by appropriation of name or likeness, alleging that (1) the Appellant had appropriated the law firm’s name or likeness for the value associated with it; (2) the Appellant could be identified from the publication; and (3) there was some advantage or benefit to the Appellant. The trial court rendered judgment in favor of the law firm on its invasion-of-privacy claim. The Texas Appellate Court reversed, holding that no Texas authority has recognized a corporation’s right to privacy, despite a corporation’s right to sue in tort. Interestingly, the court never explicitly held that the Appellee failed to meet the elements of an invasion of privacy by misappropriation claim. Rather, the court only discussed whether Texas authority recognizes a corporation’s right to privacy, not whether Texas should recognize such a right.