16 research outputs found
Corporate Directors' and Officers' Cybersecurity Standard of Care: The Yahoo Data Breach
On September 22, 2016, Yahoo! Inc. ("Yahoo") announced that a data breach and theft of information from over 500 million user accounts had taken place during 2014, marking the largest data breach ever at the time. The information stolen likely included names, birthdays, telephone numbers, email addresses, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers. Yahoo further disclosed its belief that the stolen data did not include unprotected passwords, payment card data, or bank account information. Just two months before Yahoo disclosed its 2014 data breach, it announced a proposed sale of the company's core business to Verizon Communications. Then, during mid-December 2016, Yahoo announced that another 1 billion customer accounts had been compromised during 2013, a new record for largest data breach.
Social media and electronic commerce websites face significant risk factors, and an acquirer may inherit cyber liability and vulnerabilities. The fact pattern in this announced acquisition raises a number of important corporate governance issues: whether Yahoo's conduct leading up to the data breaches and its subsequent conduct constituted a breach of the duty to shareholders to provide security, the duty to monitor, the duty to disclose, or some combination thereof; the impact on Verizon shareholders of the acquisition price renegotiation and Verizon's assumption of post-closing cyber liabilities; and whether more drastic compensation clawbacks for key Yahoo executives would be appropriate. Cybersecurity remains a threat to all enterprises, and this Article contributes to the corporate governance literature, particularly as it applies to mergers and acquisitions and the management of cyber liability risk.
Understanding Cyber Risk: Unpacking and Responding to Cyber Threats Facing the Public and Private Sectors
Cyberattacks, data breaches, and ransomware continue to pose major threats to businesses, governments, and health and educational institutions worldwide. Ongoing successful instances of cybercrime involve sophisticated attacks from diverse sources such as organized crime syndicates, actors engaged in industrial espionage, nation-states, and even lone wolf actors having relatively few resources. Technological innovation continues to outpace the ability of U.S. law to keep pace, though other jurisdictions including the European Union have been more proactive. Nation-state and international criminal group ransomware attacks continue; Sony’s systems were hacked by a ransomware group; MGM Resorts disclosed that recovery from their September 2023 hack may ultimately cost more than $100 million; serious server software Log4j exploit became evident; U.S. embassy phones are hacked; cyberwarfare is deployed by Russia in their invasion of Ukraine; and theft of valuable intellectual property due to cybersecurity breaches are reported.
This Article proceeds in seven parts. First, it provides an overview of the cyber threat environment. Second, it discusses the current cybersecurity legal landscape. Third, it introduces cybersecurity and corporate governance. Fourth, it discusses how corporate directors govern cybersecurity. Fifth, it explores the emerging cyber threat from nation-states and the impact of geopolitics on business. Sixth, it focuses on issues involved in identifying and responding to digital attacks. And last, it concludes. This Article adds to the important body of cybersecurity literature that explores the roles of government and business, particularly corporate directors, in the governance of data security.
Determinants of treatment-related paradoxical reactions during anti-tuberculosis therapy: a case control study.
BACKGROUND: Inflammatory response following initial improvement with anti-tuberculosis (TB) treatment has been termed a paradoxical reaction (PR). HIV co-infection is a recognised risk, yet little is known about other predictors of PR, although some biochemical markers have appeared predictive. We report our findings in an ethnically diverse population of HIV-infected and uninfected adults. METHODS: Prospective and retrospective clinical and laboratory data were collected on TB patients seen between January 1999-December 2008 at four UK centres selected to represent a wide ethnic and socio-economic mix of TB patients. Data on ethnicity and HIV status were obtained for all individuals. The associations between other potential risk factors and PR were assessed in a nested case-control study. All PR cases were matched two-to-one to controls by calendar time and centre. RESULTS: Of 1817 TB patients, 82 (4.5 %, 95 % CI 3.6-5.5 %) were identified as having a PR event. The frequency of PR was 14.4 % (18/125; 95 % CI 8.2-20.6 %) and 3.8 % (64/1692; 2.9-4.7) for HIV-positive and HIV-negative individuals respectively. There were no differences observed in PR frequency according to ethnicity, although the site was more likely to be pulmonary in those of black and white ethnicity, and lymph node disease in those of Asian ethnicity. In multivariate analysis of the case-control cohort, HIV-positive patients had five times the odds of developing PR (aOR = 5.05; 95 % CI 1.28-19.85, p = 0.028), whilst other immunosuppression e.g. diabetes, significantly reduced the odds of PR (aOR = 0.01; 0.00-0.27, p = 0.002). Patients with positive TB culture had higher odds of developing PR (aOR = 6.87; 1.31-36.04, p = 0.045) compared to those with a negative culture or those in whom no material was sent for culture. Peripheral lymph node disease increased the odds of a PR over 60-fold 4(9.60-431.25, p < 0.001). CONCLUSION: HIV was strongly associated with PR. 
The increased potential for PR in people with culture positive TB suggests that host mycobacterial burden might be relevant. The increased risk with TB lymphadenitis may in part arise from the visibility of clinical signs at this site. Non-HIV immunosuppression may have a protective effect. This study highlights the difficulties in predicting PR using routinely available demographic details, clinical symptoms or biochemical markers.
Industrial Cyber Vulnerabilities: Lessons from Stuxnet and the Internet of Things
Cyber breaches continue at an alarming pace with new vulnerability warnings an almost daily occurrence. Discovery of the industrial virus Stuxnet during 2010 introduced a global threat of malware focused toward disruption of industrial control devices. By the year 2020, it is estimated that over 30 billion Internet of Things (IoT) devices will exist. The IoT global market spend is estimated to grow from 1.3 trillion in 2019 with a compound annual growth rate of 17%. The installed base of IoT endpoints will grow from 9.7 billion in 2014 to more than 25.6 billion in 2019. With this tremendous growth in both data and devices, a security nightmare appears more reasonable than not. The proliferation of novel consumer devices and increased Internet-dependent business and government data systems introduces vulnerabilities of unprecedented magnitude. This paper adds to our understanding of the development of cyber vulnerabilities resulting directly from: (1) the Stuxnet code and its progeny, and (2) widespread malware exposure associated with the IoT.
WANNACRY, RANSOMWARE, AND THE EMERGING THREAT TO CORPORATIONS
The WannaCry ransomware attack began on May 12, 2017, and is unprecedented in scale, quickly impacting nearly a quarter-million computers in over 150 countries. The WannaCry virus exploits a vulnerability to Microsoft Windows that was originally developed by the U.S. National Security Agency and operates by encrypting a victim's data and demanding payment of a ransom in exchange for data recovery. Security experts have indicated that a North Korea-linked group of hackers (who have also been implicated in cyberattacks against Sony Pictures in 2014, the Bangladeshi Central Bank in 2016, and Polish banks in February 2017) is behind the attack.
Ransomware threatens institutions worldwide, but the risks for businesses are starker, potentially catastrophic. This Article provides corporate executives with much of what they need to know about the evolving threats of malware and ransomware like Cryptolocker, Kelihos Botnet, Locky, Nymain, Petya, NotPetya, and WannaCry. First, we provide a brief definition and history of ransomware. Second, we look at the history of hospitals as ransomware targets. Third, we offer a description of the WannaCry virus, what is known about its development, method of action, and those who are believed to have deployed it; in this section, we also discuss methods to defend against this particular virus. Fourth, we discuss the Petya and NotPetya attacks. Fifth is a discussion of municipal ransomware attacks. Sixth, we review the myriad and unique risks that ransomware poses for corporations, including expected refinements of the technique, such as to effect corporate sabotage. Seventh, we discuss the duties and responsibilities of corporate directors and the Ormerod-Trautman data security economic model. Eighth and finally, we review the current cybersecurity legal landscape with a particular focus on corporate best practices and how business executives protect themselves against cybersecurity-related liability. We believe this Article contributes to the sparse existing literature about ransomware and related cyber threats posed to corporate boards and management.