The business impact of a data breach can materialize in a way that doesn’t immediately come to mind or seem obvious after an incident. For proof, look at potential fiscal fallout surrounding the recent Yahoo breach, which may have knocked $1 billion off the company’s value.
In September, Yahoo disclosed that attackers compromised the email accounts of 500,000 million users in an attack that began in 2012. The news broke a few months after Verizon had agreed to purchase the struggling Internet company for $4.8 billion.
But Verizon thinks the breach has hurt Yahoo’s value and now wants to pay $3.8 billion, according to an Oct. 6 story in the New York Post. Verizon and Yahoo both declined to comment at that time.
Last Thursday, however, Verizon’s chief lawyer said the data breach impacted Yahoo’s value and could allow the telecommunications giant to renegotiate the sales terms.
“I think we have a reasonable basis to believe right now that the impact is material, and we’re looking to Yahoo to demonstrate to us the full impact,” Craig Silliman, Verizon’s general counsel, told The New York Times. “If they believe that it’s not, then they’ll need to show us that.”
And the monetary damage could be even worse, according to an analyst the Time’s interviewed. While investors won’t fret over a minor price decrease, the greater concern is if Verizon abandons the deal, the analyst said. If Verizon scuttles the merger, Yahoo’s plan to sell its substantial stakes in Yahoo Japan and Alibaba would be impacted. In other words, the breach could jeopardize three major businesses deals for Yahoo, placing billions of dollars at stake.
Squandered business deals aren’t the only repercussions following a security incident. Breaches have cost executives their jobs (see Office of Personnel Management hack), resulted in extremely embarrassing, private emails being publicly shared (a la Sony) and caused the impartiality of the Democratic presidential primary to be questioned.
Information security professionals and executives can’t anticipate the outcome of a data breach. But they can prepare as best as possible for the impact. This starts by having an up-to-date incident response plan that includes input from key stakeholders in an organization. While incident response plans typically include the input of IT and security professionals, the insight of people who don’t handle remediation is sometime excluded. But these perspectives can help everyone in an organization to better understand a breach's possible impact and be better prepared for the aftermath.