In this week’s episode (#131): a shareholder lawsuit targeting Yahoo! executives was settled quietly. But it could have big implications for the C-Suite at breached firms. Also: as the US pursues criminal charges against Huawei for corporate espionage, we look at one of the federal government’s most potent tools to stop the transfer of sensitive IP: the Committee on Foreign Investment in the US.
The C-Suite’s Bitter Pill
This week, U.S. District Court judge Lucy Koh slapped down a proposed settlement of a class action lawsuit filed against Yahoo! (now part of Verizon Media) over a 2013 hack that exposed data on billions of its users. It’s just the latest twist in the saga of the once great search giant, which fell victim to hackers and then – astoundingly – conspired to keep the breach a secret for years. But another Yahoo! lawsuit that was quietly settled late last year may have far bigger long-term consequences for breached private sector firms and their executives.
That case, a so-called “derivative lawsuit,” was filed on behalf of Yahoo! shareholders against the company’s executives, including former CEO Marissa Mayer. The suit alleged that they breached their fiduciary duties in the reckless handling of customer data. The result: a $29 million settlement, including $11 million in attorneys’ fees. The balance, some $18 million, will go to Yahoo or, as it is now known, Altaba, part of Verizon.
While that might not sound like much, our first guest on the podcast this week notes that derivative suits are notoriously hard to win and that, even when they are won, any cash settlement in a derivative suit beyond attorneys’ fees is exceedingly rare.
What does the success of the suit mean for the heads of other companies that are the victims of sophisticated hacks? Craig Newman, the head of the data privacy practice at the New York law firm of Patterson, Belknap, Webb and Tyler, dropped in to the Security Ledger studios to talk about the derivative suit against Marissa Mayer and the other Yahoo! executives and its ramifications.
CFIUS Interest in Cyber Deals Grows
As hearings on Capitol Hill confirmed this week, cyber offensives by U.S. adversaries like Russia, China, Iran and North Korea are at the forefront of U.S. foreign policy.
And in the background of those hearings was evidence of a more muscular U.S. response, as prosecutors at the Department of Justice filed criminal charges against Huawei Technologies Co., China’s largest technology company, alleging it stole trade secrets from an American rival and committed bank fraud by violating sanctions against doing business with Iran.
The move is just the latest in a series of actions the Trump Administration has taken to curb the influence of foreign technology firms deemed a threat to US security. Among the other targets: Russian security software firm, Kaspersky Lab. (Check out this Security Ledger podcast to hear more discussion of the U.S. Government’s case against Kaspersky.)
Less noted is the growing use of one of the U.S. government’s most potent tools: CFIUS – the Committee on Foreign Investment in the U.S., an obscure interagency group that assesses the national security implications of investments by foreigners in U.S. businesses.
Cyber security has long been an area of interest for CFIUS, dating back to the Committee’s intervention in a planned acquisition of the US firm Sourcefire by the Israeli security giant Check Point in 2006. But as cyber security moves to the center of US foreign policy, the reach of CFIUS reviews has expanded: blocking transactions such as the planned acquisition of the firm MoneyGram by China’s Ant Financial last year over concern about the acquisition of US consumer banking and market data.
How is the evolution of cyber risk affecting CFIUS reviews? To find out, we invited Luke Tenery, the Senior Managing Director and head of the cyber security practice at the firm Ankura, in to the Security Ledger studios to talk about it.