Last Week in Tech Law & Policy, Vol. 36: Another Yahoo! Data Breach? Personal Consumer Information and the U.S. Government’s Intelligence Collection Practices

(by Zachary Goldberg, Colorado Law 2L)

Apparently Yahoo waited two full months to disclose to its customers the largest consumer data breach in history, which Yahoo officials claim went undetected for two full years

On September 22, 2016, Yahoo officials announced that 500 million of its customers’ email accounts were hacked in 2014. The Yahoo security team believes that “state-sponsored hackers” somehow managed to penetrate Yahoo’s system to target its email users’ identifying information, passwords, and security question responses. At this stage in their investigation, Yahoo officials have not indicated precisely when they discovered the breach, and they know neither the specific details of who orchestrated it nor how the attackers gained access to Yahoo’s email system.

Verizon’s offer this past July to purchase Yahoo’s core business raises questions about Yahoo’s possible motive for delaying disclosure of the 2014 breach, as well as about the impact that media scrutiny of Yahoo’s security problems may have on completion of the Verizon takeover deal. On September 9, 2016, Yahoo submitted a filing to the SEC in which it disclaimed any knowledge of any incident that could negatively impact the Verizon deal. An anonymous report that Yahoo learned of the breach in July of 2016, possibly even before striking its deal with Verizon, casts even greater suspicion over Yahoo’s tardy breach disclosure. Negative press about Yahoo’s cybersecurity promises to continue flowing well into the future, as Yahoo’s customers are building momentum toward launching a class-action suit alleging Yahoo’s gross negligence with respect to customer privacy and data security.

New information is coming to light regarding another “data breach” affecting Yahoo customer email accounts

Yahoo itself may have orchestrated another massive “data breach,” at the behest of the United States Government. Yahoo employees reported to Reuters that either the NSA or FBI requested that Yahoo create a custom software program to scan all Yahoo customers’ incoming emails in search of a specific, ostensibly terrorism-related word or phrase. Yahoo has neither confirmed nor denied its involvement in this “Secret Agreement” with the NSA or the FBI. However, if the Reuters report is true, the episode would be the first known bulk search of all incoming customer emails by a U.S.-based internet company.

Confirmation of Yahoo’s willingness to acquiesce to the NSA’s request would increase strain on the company itself, but also might discourage Verizon from completing its pending purchase of Yahoo. If, in fact, the federal government is in the practice of pressuring internet companies to create bulk-search software programs and use them to screen millions of people’s incoming emails, whether in the name of national security or otherwise, the resulting constitutional and legal privacy implications are bound to spur controversy.

Potential regulatory and policy implications

The 2014 breach and the purported Secret Agreement combine to produce complex regulatory and policy questions. With respect to breach response, the SEC has issued guidance to companies such as Yahoo demanding that they notify the SEC of any breach capable of potential negative business impact, yet the SEC has not taken action against Yahoo or any other company in relation to this disclosure mandate.

Some executive branch officials, including the Secretary of Commerce, have adopted the SEC’s hands-off approach for fear that enforcement against companies for non-disclosure of such breaches might dissuade penalized companies from cooperating with the government. Conversely, the views of proponents of harsh sanctions against companies that fail to disclose material breaches might align with those of critics of Yahoo’s ostensible Secret Agreement, at least to the extent that both camps would agree that ostensibly overreaching government requests which may unduly compromise customer privacy and data security do not merit full cooperation.

Section 702 of the 2008 Foreign Intelligence Surveillance Amendments Act (FISAA), to an uncertain and widely debated extent, authorizes intelligence agencies to gather any data that electronically crosses the U.S. border without being required to obtain a warrant. This includes emails, cellphone conversations, photographs, and text and instant messages. While these Section 702 surveillance powers are set to expire in late 2017, the Obama administration and members of Congress with similar views on national security oppose allowing these powers to expire at a time when terrorist threats are increasing.

As a result of Yahoo’s purported disclosure delay, Congress may be poised to act where the SEC has not. Calls for a uniform national data breach notification standard to supplant the patchwork notification laws in 47 states have grown louder in the wake of the Yahoo breaches.

To what extent, and with what degree of haste, should custodians of customer information such as Yahoo be required to disclose privacy and data breaches? What government entity or entities should be charged with enforcing such a disclosure mandate? What measures and degree of force should such entity or entities use in carrying out such enforcement, and what policy concerns should guide them in this quest? How much latitude should companies like Yahoo have in resisting requests by the NSA or the FBI to engage in conduct that compromises the privacy and information security of their customers, and what is their culpability level in the event that they comply with such requests? Is sunsetting the government’s broad authority to search private communications despite the prevalence of terrorism a good idea, and will doing so materially bolster the privacy and information security of U.S. citizens?