66 Am. U. L. Rev. 1231 (2017)

*Assistant Professor of Business Law and Ethics, Western Carolina University.  JD, Oklahoma City University School of Law; MBA, The George Washington University; BA, American University.  Mr. Trautman may be contacted at Lawrence.J.Trautman@gmail.com.

**Professor of Constitutional Law and Business Law, Western Carolina University.  JD, The George Washington University Law School; BA, The George Washington University, magna cum laude.  Mr. Ormerod may be contacted at ormerod.peter@gmail.com.

Download PDF

On September 22, 2016, Yahoo! Inc. (“Yahoo”) announced that a data breach and theft of information from over 500 million user accounts had taken place during 2014, marking the largest data breach ever at the time.  The information stolen likely included names, birthdays, telephone numbers, email addresses, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers.  Yahoo further disclosed its belief that the stolen data “did not include unprotected passwords, payment card data, or bank account information.”  Just two months before Yahoo disclosed its 2014 data breach, it announced a proposed sale of the company’s core business to Verizon Communications.  Then, during mid-December 2016, Yahoo announced that another 1 billion customer accounts had been compromised during 2013, a new record for largest data breach.

Social media and electronic commerce websites face significant risk factors, and an acquirer may inherit cyber liability and vulnerabilities.  The fact pattern in this announced acquisition raises a number of important corporate governance issues:  whether Yahoo’s conduct leading up to the data breaches and its subsequent conduct constituted a breach of the duty to shareholders to provide security, the duty to monitor, the duty to disclose, or some combination thereof; the impact on Verizon shareholders of the acquisition price renegotiation and Verizon’s assumption of post-closing cyber liabilities; and whether more drastic compensation clawbacks for key Yahoo executives would be appropriate.

Cybersecurity remains a threat to all enterprises, and this Article contributes to the corporate governance literature, particularly as it applies to mergers and acquisitions and the management of cyber liability risk.

Introduction

Yahoo! Inc. (“Yahoo” or the “Company”) announced on September 22, 2016, that a state-sponsored hacker had breached the Company’s digital systems in 2014 and had stolen personal information from over 500 million user accounts.[1]  The information stolen likely included names, birthdays, telephone numbers, email addresses, “hashed passwords (the vast majority with bcrypt), and, in some cases, encrypted or unencrypted security questions and answers.”[2]  At the time it was announced, this 2014 theft represented the largest data breach ever.[3]  This record would only later be surpassed by another Yahoo breach:  a 2013 breach affecting 1 billion user accounts that the Company announced in December 2016.[4]  Yahoo further disclosed its belief that the stolen data “did not include unprotected passwords, payment card data, or bank account information.”[5]  Just two months before Yahoo disclosed its 2014 data breach, it announced a proposed sale of the Company’s core business to Verizon Communications, Inc. (“Verizon”).[6]  During mid-December 2016, Yahoo announced that another 1 billion customer accounts had been compromised during 2013, establishing a new record for the largest data breach ever.

Almost all corporations—from technology companies like Yahoo to brick-and-mortar sales companies that use electronic commerce services—face a significant risk from data breaches, and mergers and acquisitions may result in cyber liability and vulnerabilities for the acquirer.[7]  This announced acquisition raises a number of important corporate governance issues:  whether Yahoo breached its duty to provide data security, its duty to monitor, its duty to disclose, or some combination thereof; the impact on Verizon shareholders of a renegotiated deal for the two companies to share the cost of liability; and whether more severe and wide-ranging compensation clawbacks would be appropriate.

This Article proceeds in three parts. Part I discusses corporate governance and the director’s duty of care, including the duty to secure data and the duties to monitor and disclose. Part II presents a brief description of Yahoo; outlines Verizon’s proposed acquisition; describes the Yahoo data breaches and their known impact to date; and looks at Yahoo’s executive compensation, code of ethics, and duty to disclose material events. Part III examines the important corporate governance issues raised by the proposed Yahoo/Verizon transaction.  The Article concludes with some thoughts on the evolution of corporate liability as it relates to data security and what the future may hold for this important and fast-developing area of the law.

I.  Corporate Governance and the Director’s Duty of Care

A.  The Duty to Provide Data Security

Corporate directors and officers have a duty to behave reasonably.  This duty of care applies across directors’ and officers’ myriad responsibilities, including handling the corporation’s digital data.  There is, therefore, an emerging specific application of the duty of care as related to information technology:  the duty to secure data.  The applicable standard of care requires directors “to provide ‘reasonable’ or ‘appropriate’ physical, technical, and administrative security measures to ensure the confidentiality, integrity, and availability of corporate data.”[8]

There is not, however, a single source—such as a comprehensive federal statute or regulation—that imposes a duty to provide data security.  Rather, corporate legal obligations to implement data security systems are “set forth in an ever-expanding patchwork of state, federal, and international laws, regulations, and enforcement actions, as well as in common law duties, contractual commitments, and other expressed and implied obligations to provide ‘reasonable’ or ‘appropriate’ security for corporate data.”[9]

1.  Sources of the duty

a.  Statutes and regulations

The primary statutory and regulatory sources of corporate data security obligations are diverse:  privacy laws, data security laws, electronic transaction laws, corporate governance laws, unfair and deceptive business practice and consumer protection laws, and breach notification laws.[10]

There are several federal privacy statutes—paired with implementing regulations—that require corporations to create and maintain information security systems to protect specific types of personal data about individuals.  Particularly important examples include the Financial Services Modernization Act of 1999,[11] which concerns the financial sector; the Health Insurance Portability and Accountability Act of 1996,[12] which concerns healthcare information; the Privacy Act of 1974,[13] which establishes governmental record-keeping requirements; and the Children’s Online Privacy Protection Act,[14] which applies to all businesses that collect personal information on the Internet from children.

Additionally, several states—including Arkansas, California, Maryland, Massachusetts, Nevada, Oregon, Rhode Island, Texas, and Utah—have enacted data security statutes that impose “a general obligation on all companies to ensure the security of personal information.”[15]  For example, California, which was the first state to enact this type of legislation in 2004, requires all businesses to “implement and maintain reasonable security procedures and practices” to protect California residents’ personal information against “unauthorized access, destruction, use, modification, or disclosure.”[16]  Further, several federal regulations impose a duty to protect specific types of information, such as IRS revenue procedures requiring security measures to protect electronic tax records[17] and SEC regulations requiring the protection of corporate financial data.[18]

Some electronic transactions laws and implementing regulations intended to maintain the fidelity, accuracy, and enforceability of electronic documents also require data security for electronic record-keeping.  The Electronic Signatures in Global and National Commerce Act is the guiding federal statute, whereas the Uniform Electronic Transactions Act applies at the state level.[19]  Both mandate companies secure electronic records that relate to online transactions, primarily through requirements concerning the data’s accessibility, integrity, and accuracy.[20]

From a corporate governance perspective, several statutes and implementing regulations are designed to protect public companies’ shareholders, investors, and business partners.  The two chief sources of authority from which corporate governance data security obligations flow are the Sarbanes-Oxley Act[21] and the SEC’s 2011 guidance.[22]  The Sarbanes-Oxley Act requires public companies to implement appropriate information security controls regarding companies’ financial information.[23]  The SEC’s 2011 guidance identifies risks to cybersecurity as potential material information that companies must disclose under pre-existing securities law disclosure requirements and accounting standards.[24]

Among unfair and deceptive business practice and consumer protection laws, section 5 of the Federal Trade Commission Act (FTC Act),[25] associated Federal Trade Commission (FTC) enforcement actions, and equivalent state statutes are the chief sources for the imposition of data security obligations.  Between 2002 and 2005, the FTC and equivalent state entities brought cybersecurity-related enforcement actions premised on a deceptive trade practice theory of liability:  companies were liable for failing to provide adequate information security, contrary to the representations they made to consumers.[26]  The parties resolved these actions by entering into consent decrees wherein corporations agreed to take affirmative steps to better protect information in their systems.[27]

But after 2005, the FTC significantly broadened the scope of its cybersecurity-related enforcement actions by contending that a company’s failure to provide appropriate data security for consumers’ personal information was, alone, an unfair trade practice; that is, a company could be liable without ever having misrepresented the extent of its data security practices to consumers.[28]  Subsequently, in August 2015, the Third Circuit ratified the FTC’s broader theory of liability.[29]

To date, forty-seven states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have also enacted cybersecurity breach notification laws, which impose an obligation to disclose security breaches to those affected.[30]  Myriad federal banking regulations also impose an obligation on financial institutions to disclose security breaches.[31]

b.  Federal executive branch action

Federal executive action also serves a function in data security.  In February 2013, President Obama issued an executive order that, in part, “expanded public-private information sharing and tasked the [National Institute for Standards and Technology (‘NIST’)] with establishing a voluntary ‘Cybersecurity Framework’ comprised partly of private-sector best practices that companies could adopt to better secure critical infrastructure.”[32]  While there have been critics on both sides of the new NIST Cybersecurity Framework—some argue it does not go far enough, while others contend the framework is hardly “voluntary”—it nonetheless “has the potential to shape a standard of care for domestic critical infrastructure organizations.”[33]  Not only that, but some commentators are hopeful that, particularly for corporations like Yahoo that operate across jurisdictions, “a global standard of cybersecurity care could eventually emerge [organically] that would promote consistency and contribute to ‘cyber peace’ even absent regulatory action.”[34]

On May 11, 2017, President Trump signed an executive order intended to improve the federal government’s cybersecurity and protect critical infrastructure from digital attacks.[35]  The most notable changes include requiring “heads of federal agencies [to] use a framework developed by the National Institute of Standards and Technology to assess and manage cyber risk, and prepare a report within 90 days documenting how they will implement it.”[36]

c.  Common law

Scholars and commentators have long contended there is a common law duty to provide adequate security for corporate data.[37]  While at least one court has explicitly held there is no corporate duty to provide security,[38] several courts have concluded just the opposite.  In 2005, for instance, a state appellate court in Bell v. Michigan Council 25[39] held that the “defendant did owe plaintiffs a duty to protect them from identity theft by providing some safeguards to ensure the security of their most essential confidential identifying information.”[40]

And, more recently, a federal district court held,

Although neither party provided the Court with case law to support or reject the existence of a legal duty to safeguard a consumer’s confidential information entrusted to a commercial entity, the Court finds the legal duty well supported by both common sense and California and Massachusetts law. . . .  As a result, because Plaintiffs allege that they provided their Personal Information to Sony as part of a commercial transaction, and that Sony failed to employ reasonable security measures to protect their Personal Information, including the utilization of industry-standard encryption, the Court finds Plaintiffs have sufficiently alleged a legal duty and a corresponding breach.[41]

d.  Contractual obligations

In situations where third parties have possession of, control over, or access to corporate data, companies that entrust third parties to manage their data are increasingly trying to satisfy their duty to protect the security of their data by contract.[42]  For example, some companies contract for “cloud computing” services, in which a third party is charged with storing and processing a company’s data.[43]  These contracts shift the data security duty from the contracting company to the cloud computing company through cyber liability indemnification provisions.

e.  Self-imposed obligations

Finally, companies increasingly impose security obligations on themselves.  As noted above, the FTC has aggressively pursued deceptive trade practice enforcement actions against companies that make representations in privacy policies, on websites, or in advertising materials that are inconsistent with the entity’s actual data security practices.[44]

2.  The standard of care for the duty

Of the authorities discussed above that impose a data security duty, most simply state that there is “an obligation to implement ‘reasonable’ or ‘appropriate’ security measures,” but they “provide little or no guidance as to what is required for legal compliance.”[45]  While there is little question that the legal standard for what constitutes reasonable security is still emerging, much progress has been made in recent years.

Thomas J. Smedinghoff, a leading expert on this emerging cybersecurity standard, explains that the emerging digital security standard is particularized and case specific.[46]  Unlike prior specific requirements, such as passwords or firewalls, the new corporate security obligation is fact-specific, requiring companies to go through a “process” and determine what security measures are most appropriate for the company’s security needs.[47]  The emerging legal standard follows suit by allowing companies to create their own specific security measures so long as the companies conduct ongoing reviews of their security mechanisms.[48]  This repetitive review process includes detecting and evaluating risks, implementing specific security responses to those risks, verifying the effective implementation of those security responses, and updating the measures as needed in reaction to developing security concerns.[49]

Specifically, Mr. Smedinghoff’s process-oriented approach to satisfying a “reasonable” or “appropriate” standard of care for a duty to provide security is composed of the following seven provisions[50]:

Assign Responsibility:  A corporation should expressly designate one or more employees to be responsible for maintaining the data security program.

Identify Information Assets:  A corporation should identify its information assets that require protection, which include both the data itself (i.e., records containing personal information) and the computing systems that store the personal information (e.g., servers, laptops, and portable devices).

Conduct Risk Assessment:  A corporation should perform a risk assessment to identify both internal and external risks to its data security, and it should evaluate the effectiveness of the company’s current practices for safeguarding and minimizing the risks identified.

Select and Implement Responsive Security Controls:  A corporation should implement physical, administrative, and technical security controls it considers appropriate to minimize the risks it identified in its risk assessment.

Monitor Effectiveness:  A corporation should regularly monitor, test, and reassess the security controls it has chosen to implement in order to ensure its security program is operating in a manner reasonably calculated to protect personal information.  Relatedly, a corporation should regularly upgrade its security controls as necessary to limit emerging risks.

Regularly Review the Security Program:  A corporation should review and adjust its data security program no less than once per year.  A corporation should also perform security program reviews whenever there is a material change in business practices that could affect personal information or after any incident involving a breach of its data security.

Address Third Party Issues:  A corporation should take all reasonable steps to verify that every third-party service provider that has access to the company’s data assets and personal information has the capacity to protect that information.[51]

An ever-increasing number of authorities are expressly adopting this process-oriented approach to data security, which is referred to as a Written Information Security Program (“WISP”).[52]  The FTC is the most important of the authorities that have adopted the WISP standard.  According to the FTC, businesses in all industries should comply with the process-oriented approach to information security as it demonstrates the “best practice” for legal compliance.[53]  The FTC has demonstrated this view by requiring any company resolving FTC complaints about failure to provide adequate information security through consent decrees to implement and comply with this process-oriented approach.[54]  The FTC’s adherence to the WISP standard is particularly important in light of the agency’s post-2005 theory of liability that sanctions a duty to protect data.[55]

3.  The FTC’s cybersecurity unfair trade practices theory of liability

As noted briefly above, since 2005, the FTC has pursued administrative actions against companies “with allegedly deficient cybersecurity that failed to protect consumer data against hackers”[56] under the FTC Act’s provision that prohibits “unfair . . . acts or practices in or affecting commerce.”[57]  Commentators have analogized the jurisprudence that these FTC actions has spawned to an authoritative body of common law that operates in lieu of comprehensive cybersecurity legislation.[58]  Professors Daniel J. Solove and Woodrow Hartzog explain,

[A] deeper look at the principles that emerge from FTC privacy “common law” demonstrates that the FTC’s privacy jurisprudence is quite thick.  The FTC has codified certain norms and best practices and has developed some baseline privacy protections.  Standards have become so specific they resemble rules.  The FTC has thus developed a surprisingly rich jurisprudence.  We contend that the foundations exist to develop this “common law” into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, extends far beyond privacy policies, and involves a full suite of substantive rules that exist independently from a company’s privacy representations.[59]

An additional contributor to this body of law’s scant level of scholarly analysis is the fact that “[t]he vast majority of [FTC cyber liability] cases have ended in settlement.”[60]  But this may be changing:  the U.S. Court of Appeals for the Third Circuit specifically affirmed the FTC’s theory of liability under the unfairness prong in August 2015.[61]  The Third Circuit’s FTC v. Wyndham Worldwide Corp. case was a rare exception where a court opined on the FTC’s cybersecurity liability strategy.[62]  Because it is inevitable the FTC will bring an administrative action against Yahoo for the 2014 data breach, a closer examination of the Third Circuit’s decision in Wyndham follows.

In 2008 and 2009, hackers breached Wyndham Worldwide Corporation’s computer systems three times, stealing hundreds of thousands of customers’ personal and financial information, which resulted in over $10.6 million in fraudulent charges.[63]  As a result, the FTC filed suit in U.S. district court under 15 U.S.C § 45(a), alleging, inter alia, that Wyndham’s failure to provide adequate protection for private customer information was an unfair trade practice.[64]  After the district court denied Wyndham’s motion to dismiss the complaint, the Third Circuit granted an interlocutory appeal to address “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.”[65]  The Third Circuit affirmed the district court and ruled in the FTC’s favor on both questions.[66]

Addressing the first issue, the Third Circuit reviewed in detail the FTC Act’s legislative history and the FTC’s past practices, and it noted that both flexibility and ambiguity were purposefully built into the Act.[67]  Accordingly, the court dismissed Wyndham’s argument that its cybersecurity practices “[fell] outside the plain meaning of ‘unfair.’”[68]  Among other arguments Wyndham raised, it asserted that the corporation could not treat its customers in an unfair manner when criminal hackers victimize the corporation too.[69]  The court rejected the argument, pointedly noting that “[a]lthough unfairness claims ‘usually involve actual and completed harms,’ ‘they may also be brought on the basis of likely rather than actual injury,’”[70] particularly because the FTC Act “expressly contemplates the possibility that conduct can be unfair before actual injury occurs.”[71]

B.  The Duty to Monitor

Among other duties, corporate directors and officers owe the corporation and its shareholders a duty of care.  The duty of care is a concept adapted from tort law, and it requires an actor to behave reasonably.[72]  Director liability for a breach of the duty of care may arise in two distinct contexts.[73]  First, liability may “follow from a board decision that results in a loss because that decision was ill advised or ‘negligent.’”[74]  Second, liability may “arise from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”[75]

In In re Caremark International Inc. Derivative Litigation,[76] a seminal 1996 Delaware Chancery Court decision on the duty of care, the court took pains to emphasize that judicial inquiries into a director’s affirmative actions center on the adequacy of the process that gave rise to the shareholders’ derivative action, not the content of the decision itself.[77]  Therefore, a director will not be found liable for a decision after-the-fact if the decision making process used was in good faith or rational in promoting the corporation’s interest.[78]  The overwhelming majority of a director’s affirmative acts are evaluated under the deferential business judgment rule.  But the business judgment rule applies differently in situations where a director’s lax oversight—a failure to monitor and be informed—results in corporate losses.[79]

At its core, a breach of the duty to monitor arises when “a loss eventuates not from a decision but, from unconsidered inaction.”[80]  Noting that “[m]ost of the decisions that a corporation, acting through its human agents, makes are . . . not the subject of director attention,” the Caremark court nonetheless recognized that “ordinary business decisions that are made by officers and employees deeper in the interior of the organization can . . . vitally affect the welfare of the corporation and its ability to achieve its various strategic and financial goals.”[81]

At a minimum, corporate boards fail to satisfy their obligation to be reasonably informed about the corporation if they do not “assur[e] themselves that information and reporting systems exist in the organization that are reasonably designed to provide . . . timely, accurate information sufficient to allow management and the board . . . to reach informed judgments concerning . . . the corporation’s compliance with law.”[82]  This is not to say, however, that there is a universal, one-size-fits-all solution to the duty to monitor—“the level of detail that is appropriate for such an information system is a question of business judgment.”[83]  Nor does the existence of an adequate monitoring system eliminate the risk “that the corporation will violate laws or regulations, or that senior officers or directors may nevertheless sometimes be misled or otherwise fail reasonably to detect acts material to the corporation’s compliance with the law.”[84]

Thus, the duty to monitor requires “the board [to] exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner.”[85]  To avoid liability and conform to relevant legal norms, a director should attempt in good faith to ensure the company has a “corporate information and reporting system” that the board finds satisfactory.[86]  Accordingly, the corporate law duty of care centers on whether corporate directors and officers employed a “good faith effort” to remain reasonably informed sufficient to “exercise good judgment.”[87]

C.  The Duty to Disclose

A publicly traded corporation’s duty to disclose the existence of a data breach stems from at least two distinct authorities:  Delaware state corporate common law and the SEC’s 2011 corporate finance disclosure guidance, which identifies material data security risks that companies must disclose under securities law disclosure requirements and accounting standards.[88]  Companies that know about a data breach but fail to disclose it to shareholders, regulators, and consumers risk liability under potentially corporate, breach notification, and securities laws.

Directors’ and officers’ fiduciary duty to shareholders and the corporation imposes a duty to disclose—sometimes referred to as a duty of complete candor—that is well established in Delaware common law.[89]

Two decades ago, Professor Lawrence A. Hamermesh noted that Delaware courts have recognized “that a fiduciary duty to disclose all material information arises when directors approve any public statement, such as a press release, regardless of whether any specific stockholder action is sought.”[90]  Director negligence is irrelevant in assessing the duty to disclose.[91]  The duty serves two purposes:  (1) to “afford stockholders a remedy,” regardless of whether they relied upon a misstatement or omission, and (2) “to afford a ‘virtual per se rule’ of damages,” awarding stockholders a monetary award “without having to establish actual loss.”[92]

The Delaware Supreme Court later confirmed Professor Hamermesh’s interpretation.  In Malone v. Brincat,[93] the Delaware Supreme Court clarified that directors and officers owe a duty of honesty to shareholders in both communications seeking shareholder action and “[w]henever directors communicate publicly or directly with shareholders about the corporation’s affairs, with or without a request for shareholder action.”[94]  The court held that “directors who knowingly disseminate false information that results in corporate injury or damage to an individual stockholder violate their fiduciary duty, and may be held accountable in a manner appropriate to the circumstances.”[95]  In sum, the duty to disclose in Delaware requires that directors provide shareholders with “all material information” about the corporation whenever they communicate with the shareholder or market, even if the shareholder did not request it.[96]

Additionally, the SEC’s 2011 Guidance notes that “federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.”[97]  Although the Guidance acknowledges that “no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents,” the SEC nonetheless required the disclosure of “material information regarding cybersecurity risks and cyber incidents” to prevent misleading the public.[98]

The Guidance provides examples of situations in which disclosure is mandatory—several of which are likely implicated here.  First, the Guidance provides that the SEC “expect[s] registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.”[99]  Second, the Guidance advises that

[r]egistrants should address cybersecurity risks and cyber incidents . . . if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition.[100]

Consequently, some commentators—like Jacob Olcott, former Senate Commerce Committee counsel—believe that the “Yahoo hack could become a test case of the SEC’s [2011] guidelines . . . due to the size of the breach, intense public scrutiny and uncertainty over the timing of Yahoo’s discovery.”[101]

II.  Yahoo

A.  Background

Founded in 1994 as Jerry and Dave’s Guide to the World Wide Web by Stanford graduate students Jerry Yang and David Filo, Yahoo was incorporated under the laws of the State of Delaware in 1995.[102]  Headquartered in Sunnyvale, California, milestones in Yahoo’s corporate growth include completion of an initial public offering on April 12, 1996, and subsequent listing under the ticker symbol “YHOO” on the NASDAQ Global Market.[103]  Yahoo describes itself as “a guide to digital information discovery, focused on informing, connecting, and entertaining [its] users through [its] search, communications, and digital content products.  By creating highly personalized experiences, [Yahoo] help[s] users discover the information that matters most to them around the world—on mobile or desktop.”[104]

For the fiscal year that ended December 31, 2015, Yahoo’s revenue reached $4.96 billion, with search and display advertising accounting for 84 percent.[105]  Accordingly, Yahoo articulates its value proposition for advertisers as consisting of “a streamlined, simple advertising technology stack that leverages Yahoo’s data, content, and technology to connect advertisers with their target audiences,” where “[a]dvertisers can build their businesses through advertisements targeted to audiences on [Yahoo’s] online properties and services . . . and a distribution network of third-party entities.”[106]

Social media and electronic commerce websites face significant competition and other risk factors.[107]  Yahoo’s significant competition includes that from “search engines, sites offering integrated internet products and services, social media and networking sites, ecommerce sites, companies providing analytics, monetization and marketing tools for mobile and desktop developers, and digital, broadcast and print media.”[108]  Yahoo also experiences substantial international competition from local service providers in the Latin America, Middle East, Asia, and European markets.[109]

Yahoo’s approximate thirty-six percent ownership position in Yahoo Japan resulted from a 1996 joint venture agreement with SoftBank Group Corp. (“SoftBank”).[110]  In addition, on October 23, 2005, Yahoo acquired an approximate forty percent equity position (on a fully-diluted basis) in Alibaba, a Chinese e-commerce business, common stock in exchange for Yahoo’s China-based businesses—a cash investment of $1 billion and $8 million in transaction costs.[111]  Alibaba’s core commerce enterprise in the People’s Republic of China consists of two distinct marketplace operations:  wholesale commerce and retail commerce.[112]  Alibaba’s third area of core commerce business consists of cross-border and international commerce.[113]  Other significant Alibaba businesses include cloud computing, entertainment, mobile media, and other innovation initiatives.[114]  A series of Alibaba transactions have been significant to Yahoo’s fortunes during recent years:  In 2012, Alibaba repurchased 523 million shares from Yahoo in exchange for $7.1 billion.[115]  And in 2014, Yahoo sold 140 million shares during Alibaba’s initial public offering for approximately $9.4 billion.[116]  As of September 13, 2016, Yahoo retains an approximate fifteen percent interest in Alibaba outstanding ordinary shares,[117] valued at approximately $36.7 billion.[118]

Third quarter 2016 results for Yahoo showed continued deterioration in core advertising revenues, constituting the seventh decline in this key business metric during the past eight quarters.[119]  Table 1 illustrates certain financial results for Yahoo during the fiscal years that ended December 31 for the periods 2013 through 2015, and it displays the following key financial metrics:

[R]evenue; revenue less traffic acquisition costs (“TAC”), or revenue ex-TAC; income (loss) from operations; adjusted earnings before interest, tax, depreciation, and amortization (“EBITDA”); net income (loss) attributable to Yahoo! Inc.; net cash provided by (used in) operating activities; and free cash flow.  Revenue ex-TAC, adjusted EBITDA, and free cash flow are financial measures that are not defined in accordance with U.S. generally accepted accounting principles (“GAAP”).  These non-GAAP financial measures are helpful for internal managerial purposes and to facilitate period-to-period comparisons.[120]

Table 1:  Yahoo Key Financial Metrics[121]

Financial Metric Amount (in thousands of dollars) for Years Ended December 31
2013 2014 2015
Revenue  4,680,380 4,618,133 4,968,301
Revenue ex-TAC  4,425,938 4,400,602 4,090,787
Income (loss) from operations     589,926    142,942 (4,748,494)
Adjusted EBITDA 1,564,245 1,361,548    951,740
Net income (loss) attributable to Yahoo! Inc. 1,366,281 7,521,731 (4,359,082)
Net cash provided by (used in) operating activities 1,195,247    916,350 (2,383,422)
Free cash flow[122]   786,465    586,632 (3,010,172)
Includes:
Stock-based compensation expense 278,220 420,174    457,153
Restructuring charges, net    3766 103,450    104,019
Asset impairment charge  —     44,381
Goodwill impairment charge   63,555  88,414 4,460,837
Intangibles impairment charge  —     15,423

 

Table 2 provides selected consolidated financial operations data and the consolidated balance sheets data for 2011, 2012, 2013, 2014, and 2015.

Table 2:  Yahoo Selected Financial Data[123]

Item Amount (in thousands of dollars, except per share amount) for Years Ended December 31
2011 2012 2013 2014 2015
Revenue 4,984,199 4,986,566 4,680,380 4,618,133  4,968,301
Total Operating Expenses 4,183,858 4,420,198 4,090,454 4,475,191 9,716,795
Income (Loss) from Operations 800,341 566,368 589,926 142,942 (4,748,494)
Other Income (Expense), Net†† 27,175 4,647,839 43,357 10,369,439 (75,782)
(Provision) Benefit for Income Taxes (241,767) (1,940,043) (153,392) (4,038,102) 89,598
Earnings in Equity Interests 476,920 676,438 896,675 1,057,863 383,571
Net Income (Loss) Attributable to Yahoo! Inc. 1,048,827 3,945,479 1,366,281 7,521,731 (4,359,082)
Net Income (Loss) Attributable to Yahoo! Inc. Common Stockholders Per Share—Basic 0.82 3.31 1.30    7.61 (4.64)
Net Income (Loss) Attributable to Yahoo! Inc. Common Stockholders Per Share—Diluted 0.82   3.28         1.26           7.45      (4.64)
Shares Used in Per Share Calculation—Basic 1,274,240 1,192,775 1,052,705 987,819 939,141
Shares Used in Per Share Calculation—Diluted 1,282,282 1,202,906 1,070,811 1,004,108 939,141
Includes:
Stock-Based Compensation Expense    203,958     224,365   278,220      420,174     457,153
Restructuring Charges, Net     24,420     236,170      3766      103,450      104,019
††Includes:
Gain on Sale of Alibaba Group Shares  —   4,603,322  —  —  —
Gain on Sale of Alibaba Group ADSs  —  —  — 10,319,437  —

 

As shown in Table 2, when Yahoo’s sale of Alibaba stock for $10.369 billion during 2014 is removed, ongoing operating results appear even more severe.  When highlighting Consolidated Statements of Operations Data for just Net Income (loss) attributable to Yahoo, note the substantial decline in income from operations during the fiscal year that ended December 31, 2015.  The downward trend in results from operations during years 2013, 2014, and 2015 likely resulted in the Board’s decision to offer the Company for sale.

With a goal of maximizing shareholder value, for many years the Yahoo board of directors and management examined various alternatives to optimizing the value of its equity positions in both Alibaba and Yahoo Japan.  Given the market value of Yahoo’s component parts—Yahoo and its net cash position, Alibaba, and Yahoo Japan—the Yahoo board considered Yahoo’s stock price to be significantly undervalued and believed

at that time that separating Yahoo’s equity stakes in Alibaba and Yahoo Japan from its core operating business would create value by, among other things:  providing the investor community with greater clarity and focus with respect to the value of Yahoo’s operating business; enabling the management of Yahoo to focus exclusively on its operating business; enhancing Yahoo’s ability to attract, retain, and incentivize management and employees by creating equity-based compensation that more accurately and efficiently reflects the performance of Yahoo’s operating business; and enhancing Yahoo’s ability to pursue strategic acquisitions by creating a more efficient equity currency.[124]

This complex analysis explored both taxable and tax-efficient scenarios for monetizing these equity interests and involved the expertise of a number of internationally recognized investment banks, accounting firms, and law firms.[125]

As Yahoo’s board continued to explore how best to separate its equity position in Alibaba from Yahoo’s operating business, it announced plans to spin-off the remaining holdings in Alibaba on January 27, 2015.[126]  Approximately nine months later, the IRS informed Yahoo’s legal counsel, Skadden, Arps, Slate, Meagher & Flom LLP (“Skadden Arps”), that a favorable tax ruling for the proposed spin-off would not be forthcoming.[127]  As a result, the Yahoo board announced on December 9, 2015, that work on the proposed spin-off had been suspended.[128]  Subsequently, the Yahoo board considered the feasibility, timing, and potential tax implications of alternatives, including the sale of Yahoo’s operating business.[129]

Yahoo’s telephonic board meeting on January 31, 2016, was attended by representatives of investment banks Goldman Sachs and J.P. Morgan, and counsel from law firms Skadden Arps and Wilson Sonsini Goodrich & Rosati (“Wilson Sonsini”).[130]  At the meeting, the Yahoo board authorized formation of a special committee of independent directors to consider and evaluate possible strategic transactions involving Yahoo’s operating businesses.[131]  This initial Strategic Review Committee (“SRC”) consisted of Maynard G. Webb, serving as Chairman; H. Scott Lee, Jr.; and Thomas J. McInerney.[132]  Also at this time, the Yahoo board authorized the SRC to retain, at Yahoo’s expense, “such outside counsel, financial advisors, and other outside advisors” as deemed necessary to carry out its prescribed duties.[133]  Moreover, Yahoo’s board determined that it would not approve “any strategic transaction related to Yahoo’s operating business” unless the SRC recommended such a transaction.[134]

Along with its quarterly and year-end 2015 annual financial results on February 2, 2016, Yahoo announced that its board would explore “strategic alternatives for separating Yahoo’s operating business from its Alibaba shares,” including a reverse spin-off transaction.[135]  Subsequently, the Company’s financial advisors contacted fifty-one parties to explore their potential interest in a viable transaction, executing confidentiality agreements with thirty-two of these parties between February 19 and April 6, 2016.[136]  Yahoo provided interested parties access to a virtual data room along with management presentations and three years of forecasted financial information previously reviewed by Yahoo’s board.[137]  Over time, potential investors continued analysis activities, and the Yahoo board and its SRC continued to meet.[138]  However, the composition of the SRC changed, with Mr. Scott resigning and Catherine J. Friedman and Eric K. Brandt being appointed as independent Yahoo directors “to fill vacancies.”[139]

During the last two weeks of March 2016, Yahoo management conducted half-day presentations to seven potentially interested parties, including Verizon.[140]  Also during this period, the Company communicated proper guidelines for non-binding indications of interest with a deadline of April 11, 2016.[141]  Fourteen parties indicated interest on April 18, 2016, so the Company and its financial advisors reviewed and compared these first-round proposals.[142]  On April 20 and 21, 2016, the SRC held meetings to review first-round proposals and determine which of these bidders it should encourage to participate in the next-round.[143]  Yahoo reported that, following these discussions, the SRC concluded the board should pursue selling Yahoo’s entire operating business “through a competitive auction process,” which could maximize value for Yahoo’s stockholders while also noting that alternative deal structures could still be considered later on.[144]

At this point in the bid process, on April 26, 2016, Yahoo reached a proxy fight settlement with activist investors Starboard Value LP and some of their affiliates, which involved Yahoo’s 2016 annual meeting election of directors.[145]  In the settlement, Yahoo not only agreed to name several new members to its Board and to the SRC but also “to submit to a stockholder vote any decision recommended by the SRC and approved by the board to sell Yahoo’s operating business or any similar transactions.”[146]

Given what we now know about the massive 2014 data breach, May 12, 2016, may undertake particular significance depending on how much the Yahoo Board and senior management knew about the breach.[147]  Via the virtual data room, Yahoo disclosed to potential bidders initial drafts of proposed purchase and reorganization agreements.[148]  Given its potential importance, Yahoo’s disclosure states the following:

To minimize the liabilities that would be retained by Yahoo post-closing, the initial draft purchase agreement was structured similar to a typical purchase agreement in a public company acquisition, with no post-closing indemnity by Yahoo and limited closing conditions.  In addition, the initial draft purchase agreement provided, in the case of a strategic buyer, that Yahoo’s unvested employee equity awards would be assumed or substituted for comparable buyer equity awards, and, in the case of a financial sponsor buyer, that these awards would be accelerated at closing.  The draft purchase agreement also provided that Yahoo would be required to pay the buyer a termination fee equal to 2.5 percent of the base purchase price if, among other reasons, the purchase agreement was terminated by the purchaser after the Board changed its recommendation for the transaction or by Yahoo to accept a superior proposal (the “Yahoo termination fee”), and, in the case of a financial sponsor buyer, that Yahoo would be entitled to a reverse termination fee equal to 7.5 percent of the base purchase price if the buyer did not consummate the transaction as a result of its debt financing not being available (the “reverse termination fee”), and to specific performance if the buyer’s debt financing was available.[149]

Given what we know now about the extent of knowledge within Yahoo about the data breaches, this language appears to be a clear attempt to shift the cost of cyber liability onto an acquiring entity.  In any event, Yahoo’s attempts to minimize post-closing liabilities has only partially worked as evidenced by Verizon’s renegotiated acquisition announcement that includes cyber liability cost sharing between the two companies.

As of May 13, 2016, nine active bidders remained, and Yahoo notified them about the guidelines and process for submitting their interim non-binding proposals for acquisition of Yahoo’s operating business no later than June 6, 2016.[150]  It also instructed bidders to submit a list of key issues in their transaction agreement drafts.[151]  The remaining bidders conducted considerable due diligence activity during the end of May and the beginning of June, culminating in Yahoo’s receipt of six non-binding interim proposals on June 6, 2016.[152]  Numerous discussions between the six remaining bidders and Yahoo’s financial advisors continued thereafter in efforts to clarify terms and understand any changes in valuations from initial indications of interest.[153]  For instance, between J