12.22.2016

Short Rebuttal to “Why Verizon Can’t Quit Yahoo”

Well, I don’t usually spend my free time writing point by point rebuttals of New York Times articles written by laypeople, but… I took a break from wrapping Christmas gifts, so here goes:

Please first read this:


Let me begin by saying I will not address at all any information that is not publically available, so please feel free to keep reading without any concerns about running afoul of the SEC or your employer, or whomever.

The article looks to suggest all of this speculation is taking place because: “All of these people are buying into the easy narrative that Yahoo is a loser in the tech industry, unable to keep up with the likes of relative newcomers like Snap.”

Well, I will make no comment on Snap. I will say that it is not an easy narrative.

The writer compares the scenario to the hacking of the DNC, by saying: “ At this point in history, there have been repeated digital thefts of information, including from the Democratic National Committee.”

However at least one of the hackings that has allegedly taken place with regard to Yahoo involves an issue with authentication; “counterfeit cookies” so to speak. Is this what happened with the DNC? Further, the DNC is a non-profit, and Yahoo is a for profit entity. Reread this last sentence because it is an extremely relevant distinction since we are in the M&A area. It would be more appropriate, if making comparisons for the purpose of making an argument to support the writer’s above contention, to only make comparisons to other for profit (and public) entities.

The writer then goes on to go over Yahoo’s numbers from the last quarter, but again, in the M&A space what is relevant is that there are “changed circumstances” at least in terms of disclosure and risk (ie compliance regarding notice and disclosure of these breaches).

The writer goes on: “Under the parties’ acquisition agreement, Verizon can terminate only if there is a so-called material adverse effect to Yahoo.” Please see above about counterfeit cookies, assuming this is, in fact, how one of the breaches took place, Yahoo’s source code has been profoundly compromised. Please feel free to ask any IP attorney you know how material this might be.

The analysis then continues by comparing Yahoo to Target. Wrong again. Yahoo is not a retail organization that experienced a POS intrusion due to a third party HVAC contractor (or who knows, maybe they also have problems with 3rd party contractors, but that is not what has been recently alleged).


The writer closes by noting: “In the meantime, we should change our passwords.” Well, that is certainly true, if you even still use that service J 

Happy Holidays All & Here's to a wonderful New Year. 


(Post publish edit/postscript: OMG apologies, had no idea the writer was not in fact a layperson but a professor of law. No disrespect intended, the rest stands. Cheers!) 

3.25.2016

What Kind of Effect Does the Structure of a Law Firm Have on a Data Breach Incident at the Firm?



What kind of effect does the structure of a law firm have on a data breach incident at the firm?

Well, by now we know that though the details of such incidents remain cloaked in secrecy, a consensus is emerging that a data breach is a legal event. But how do and should we be thinking about these events when lawyers have carved out legal protections, such as the Red Flag Rules (https://en.wikipedia.org/wiki/Red_Flags_Rule) for ourselves? Okay, let’s forget about the law for a moment, how about ethics? Is it part of our ethical duty to understand and opine upon which legal organizational structures are a better fit for an eventual data breach incident response? Is this less or more important than understanding a firms’ financial disclosures or are they intertwined?

In Grand Illusion (http://www.klgates.com/files/tempFiles/4ee9900d-b476-42b5-9253-2b24a1615834/Am_Law_Swiss_verein.pdf) from May of 2011, Peter Kalis, K& L Gates Chairman, attacks the Swiss verein structure, noting: “When law firms avoid financial integration and common ownership even where permitted by local law, you’re dealing with firms that wish to simulate rather than to combine as a global law firm.”

Yet we recently learned that FTC Commissioner Julie Brill is heading to Hogan & Lovells, another firm using the verein structure (http://www.hoganlovells.com/newsmedia/newspubs/detail.aspx?news=1573), to lead their Privacy and Cybersecurity practice (http://www.hldataprotection.com/2016/03/articles/news-events/ftc-commissioner-julie-brill-to-co-lead-hogan-lovells-privacy-and-cybersecurity-practice-as-of-1-april/).
Surely in the area of data breaches and ensuing legal issues, Ms.Brill is more prepared than most of us.

In the domain of data transfers and cybersecurity generally, precisely at a time when many have called for greater harmonization of the rules, we face what looks like an increasingly balkanized set of laws, globally. It has been noted that though many of these laws look different, some are essentially equivalent (http://www.sidley.com/publications/essentially-equivalent), by thought leaders at Sidley Austin, a limited liability partnership.

As the globalization of law firms continues to wax and wane (http://www.americanlawyer.com/top-stories/id=1202749529592/Skadden-To-Close-Sydney-Office-Amid-Australia-Jitters?mcode=1202615731542&curindex=2&slreturn=20160225131953), and as long as different continents have different customs and regulations about data incidents, it is possible that these questions will continue to intrigue counselors and insurance underwriters alike. Happy Spring to you all.