Meanwhile back in the EU, two data protection authorities have announced they’ll be looking into Yahoo’s breach-acopalypse. Calling the scale of the attack “staggering”, the UK’s Information Commissioner’s Office (ICO) has signaled they’ll be conducting an investigation. By the way, the ICO rarely comments this way on an on-going security event.
In Ireland, where Yahoo has its European HQ, the Data Protection Commissioner is asking questions as well.
And here in the US, the FBI is getting involved because the Yahoo attack may involve a state actor, possibly Russia.
Under the Current Laws
One of the (many) stunning things about this incident is that Yahoo knew about the breach earlier this summer when it learned that its users’ data was for sale on the darknet.
And the stolen data appears to have come from a hack that occurred way back in 2014.
It’s an obvious breach notification violation.
In the US, the only federal notification law with any teeth is for medical PII held by “covered entities”— insurance companies, hospitals, and providers. In other words, HIPAA.
So there’s little that can be done at the US federal level against the extremely long Yahoo delay in reporting the breach.
In the states, there are notification laws — currently 47 states have them — that would kick in but the thresholds are typically based on harm caused to consumers, which may be difficult to prove in this incident.
The notable exception, as always, is California, where Yahoo has its corporate offices in Sunnyvale. They are one of the few that requires notification on just the discovery of unauthorized access.
So Yahoo can expect a visit from the California attorney general in its future.
One might think that the EU would be tougher on breaches than the US.
But under the current EU Data Protection Directive (DPD), there’s no breach notification requirement. That was one of the motivations for the new General Data Protection Regulation that will go into effect in 2018.
If You Can’t Keep Your Head About You During A Breach
Yahoo may not be completely out of the legal woods in the EU: the DPD does require appropriate security measures to be taken — see article 16. So in theory an enforcement action could be launched based on Yahoo’s lax data protection.
But as a US company with its principle collection servers outside the EU, Yahoo may fall beyond the DPD’s reach. This is a wonky issue and if you want to learn whether the current DPD rules cover non-EU businesses, read this post on the legal analysis.
And this all leads to why the EU rewrote the current data laws for the GDPR, which covers breach notification and “extra-territoriality” — that is controllers outside the EU — as well as putting in place eye-popping fines.
Yeah, you should be reading our EU data regulations white paper to get the big picture.
If the GDPR were currently the law — the GDPR will go in effect in May 2018 — and the company hadn’t reported the exposure of 500 million user records to a DPA within 72 hours, then it would face massive fines.
Doing the GDPR Breach Math
A violation of GDPR’s article 33 requirement to notify a DPA could reach as high as 2% of global revenue
Yahoo’s revenue numbers have been landing north of $4.5 billion dollar in recent years.
In my make-believe scenario, Yahoo could be paying $90 million or more to the EU.
And yes I’m aware that Verizon with over $130 billion in revenue is in the process of buying Yahoo.
Supposing the acquisition had already gone through, then Verizon would be on the hook for 2% of $134 billion or about $268 million.
There’s lesson here. Large US and other multinational companies with a significant worldwide web presence should be planning now for the possibility of an epic Yahoo-style breach in their post-2018 future.