In House - The FindLaw Corporate Counsel Blog

Yahoo's GC Takes the Fall for Data Breach

Yahoo has wrapped up its investigation into the 2014 data breach that saw 500 million accounts compromised. Now the heads have started to roll, but they're not the heads you might have expected.

Yahoo general counsel Ronald Bell seems to have taken the blame for the hacking, resigning on Wednesday after the investigation concluded that his legal team had enough information to justify further investigation but did not take action.

Knowledge of the Hacks, but No Action

The security breaches at Yahoo were the largest ever recorded, according to CNBC. (That was, until Yahoo announced just a few weeks later that a separate breach compromised more than one billion accounts in 2013.) The 2014 breach, which was first reported in 2016, was known to at least some Yahoo employees at the time, according to the company.

"In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company's account management tool," Yahoo said in a recent regulatory filing. "The 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident."

The committee investigating the breach said that the company had not intended to suppress information about the breaches, but that executives should have taken more action when the breaches were first discovered. The legal team was largely responsible for that failure, according to the report. The "Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it."

Should Bell Be Blamed?

Some questioning whether Bell is the appropriate fall guy in this instance. Recode, which first broke news of the hacks, writes:

So when is the lawyer the one who gets dinged for hacking screw-ups? Never. Let's be clear, most people inside Yahoo think Mayer and the board should have shouldered the bulk of the blame for the breach.

Still, if Yahoo's GC had information on the breach and decided to ignore it, there's no question that he should be held accountable. Perhaps, though, he shouldn't be the only one. For her part, Marissa Mayer isn't moving on without a slap on the wrist. The embattled CEO will be forgoing her annual bonus and potential stock awards.

Related Resources: