Those looking to affix a hard cost to a data breach now have new figure to help calculate it, and a big one after Verizon Communications Inc. announced it will pay $350 million less to purchase Yahoo Inc.
Verizon and Yahoo made the announcement after Yahoo disclosed two of the biggest security breaches in history following making a deal for a $4.8 acquisition by the U.S.-based telecommunications firm. Following the disclosure of the breaches that affected more than 1 billion users, some shareholders were concerned that the deal was under threat or would be subject to a more major discount before the deal closed. But the announcement from the two companies indicates the deal is still full steam ahead and includes comments reassuring investors won’t see any sudden reversals.
“We can now move forward with confidence and certainty,” says Yahoo CEO Marissa Mayer in a press release. “I’m incredibly proud of our team’s strong product and financial execution in 2016, setting the stage for a successful integration.”
Yahoo and Verizon will share the costs and liabilities that arise as a result of the breach’s fallout. Yahoo will be responsible specifically for 50 per cent of any cash liabilities related to government investigations and third-party litigation, and 100 per cent on the hook for any shareholder lawsuits and Security Exchange Commission investigations.
For CISOs, the readjusted terms of the deal are likely of interest because it demonstrates how the market puts a real cost on data breaches. While everyone generally agrees that a business summers some sort of hit to reputation and real costs related to operational recovery and potential lawsuits, there’s no definitive cost associated with data breaches. In a study conducted June 2016 and sponsored by IBM Corp., the Ponemon Institute reported on its findings of breaches suffered by 383 companies across 12 countries. That paper finds that the average cost per lost or stolen record is $158.
In a study conducted June 2016 and sponsored by IBM Corp., the Ponemon Institute reported on its findings of breaches suffered by 383 companies across 12 countries. That paper finds that the average cost per lost or stolen record is $158. If that number was used to judge the cost of the Yahoo breach of more than 1 billion records, then the cost would be dozens of times higher than Verizon’s purchase price of the entire operating business. With the $350 million discount, Verizon is valuing the cost per lost record at about $2.86. But Yahoo shareholders are only having to pay 37 cents per share as a result of the discounted price.
The biggest consequence to organizations that experienced data breaches in the Ponemon study was lost business as a result of lost customer trust. So far, Yahoo says that its users have remained loyal. If the announced data breaches don’t cause Yahoo’s numbers to go down, then there’s reason to believe that it wouldn’t hurt its stream of advertising revenue. Also, Yahoo is not in a regulated industry such as healthcare or financial services, which have the highest costs related to data breaches, due in part to fines. According to the Ponemon study, the average cost of a data breach in the technology industry is $145 per record.
Still, the fact that Yahoo is on the hook for any legal costs that arise should be considered. And Ponemon says that the longer the breach takes for the organization to address, the more costly it tends to be. In Yahoo’s case, the breaches actually occurred in 2013 and 2014, but weren’t disclosed until late last year. Also, companies based in the U.S. have the highest average costs related to data breaches.
The acquisition deal was first struck July 23, 2016 and is now expected to close in the second quarter of this year.