Data Risk Analysis: The Yahoo Example

The cost of data breaches directly affects the cost-benefit analysis when companies are planning their budgets.  Studies on the average and median costs of breaches can play a significant role in guiding this analysis.  A study that reports these costs as being generally low, therefore, is likely to be cited as reason to deemphasize the importance of securing networks, databases, and all the sensitive information therein.  While there have been a few of these recently, a new report by Deloitte Advisory Cyber Risk Services claims that businesses have been severely underestimating the total cost of cyber attacks; that between 75 and 95 percent of the costs aren’t immediately apparent, only coming back to bite them later on.  A recent article at CSOOnline does an excellent job of explaining and accounting for the disparities among the different studies.  The immediate costs are things like consumer protection, breach notifications, legal fees, PR efforts, and the like.  Down the line, however, additional losses may factor in: lost revenues and consumer trust, higher insurance premiums, security restructuring, and also a plunge in brand value.

A couple of scenarios in the Deloitte study showed a leap in total expenses from $59 million to nearly $1.7 billion, and $26 million to over $3.2 billion, when these other delayed factors came into play.  Perhaps the clearest example of this, though, is the potential $1 billion drop in value for Yahoo due to its 2014 data breach.  Brought to light last month, the incident now has Verizon, who had agreed to purchase Yahoo just before the news broke, was seeking a $1 billion discount in negotiations.

This story actually escalated late last week, as Verizon stated that it has a “reasonable basis” to believe the breach represents a sufficient material impact to allow them, currently in the midst of preliminary briefings from Yahoo, to withdraw from the deal completely.  The withdrawal would be based on a material adverse clause in the deal, which allows the company to renege if an incident “reasonably can be expected to have a material adverse effect on the business, assets, properties, results of operation or financial condition of the business.”  In this case, the potential financial loss would skyrocket from $1 billion to $4.23 billion—the total value of the original purchase.

On top of the lawsuits Yahoo will be facing, now there is even an online campaign to convince people to delete their accounts.  Called ‘Fight for the Future’, this digital rights group is backed by Yelp (one of Yahoo’s competitors) and is encouraging users to abandon the “sinking ship.”

Ultimately, while every company will face their own situation in the event of a breach, the mire engulfing Yahoo right now should serve as a warning.  Beyond the immediate remediation and technology costs, organizations need to consider other impactors during security analysis, and plan accordingly.