Investigating the so-called Yahoo privacy apocalypse
Yahoo is now under the microscope of two EU data protection authorities. The British data protection authority ICO, which described the scale of the latest attack as "shocking", announced that it would investigate the case more closely. In addition to Ireland, where Yahoo's headquarters are located, the American FBI is also getting involved because a state (probably Russia) may be behind the attack on Yahoo.
Recalculated: penalties under the GDPR
If the GDPR were already applicable - which it won't be until May 25, 2018 - and Yahoo hadn't reported the theft of 500 million users' personal data to a data protection authority within 72 hours, the company would face massive penalties.
A breach of the notification obligation enshrined in Article 33 of the GDPR can result in penalties of two percent of annual global turnover. Yahoo's turnover has been above the 4.5 billion US dollar mark in recent years.
Under the applicability of the GDPR, Yahoo would therefore have to transfer at least $90 million to the EU.
And then Verizon, with annual sales of more than 130 billion US dollars, is in the process of buying Yahoo. If the takeover had already been completed, Verizon would have to face a penalty of two percent of the 134 billion, or about 268 million US dollars.
What do we learn from this? Large multinational and U.S. companies with a global Internet presence should take precautions now in case of a Yahoo-like security incident after May 25, 2018.
Here is another link to important points concerning the GDPR
(Source: Varonis)
Among the many other inconsistencies in this incident, it is quite surprising that Yahoo already knew about this security incident in the summer. After all, the user data was already being offered for sale on the Darknet. The stolen data appears to go back to an attack that took place in 2014. This is therefore an obvious breach of the reporting obligation.
Natural persons affected?
The only U.S. federal law that imposes a strict reporting requirement applies only to personal medical information held by "entities covered by the Act," such as insurance companies, hospitals and health care providers. This law is the Health Insurance Portability and Accountability Act, or HIPAA.
So the US government has no way to sanction Yahoo for its extremely late reporting of the security incident. Forty-seven US states have laws requiring mandatory reporting. These would apply here, but the penalty usually depends on the respective damage to consumers, which is difficult to prove in concrete terms.
The only exception, as always, is California, where Yahoo's corporate headquarters are located. There, unauthorized data access must be reported immediately after it becomes known. Yahoo is therefore facing a visit from the Attorney General of California.
Control by the European Union?
One would think that the European Union would be stricter on data breaches than the US. But the currently valid EU Data Protection Directive does not stipulate any obligation to report security incidents. This was also one of the reasons for the drafting of the General Data Protection Regulation, which will apply from May 2018.
Legal consequences
It is possible, however, that Yahoo will not get off scot-free in the EU: the Data Protection Directive requires adequate security measures (Article 16). Yahoo could therefore theoretically be prosecuted for inadequate data protection measures.
However, Yahoo is a US company whose data collection servers are mainly located outside the EU. So it may well be that the long arm of the Data Protection Directive is not long enough after all. The situation is therefore far from clear.
If you want to know more about the extent to which the current Data Protection Directive applies to non-EU companies, this blog post provides a good analysis of the legal situation.
An overview of data protection rules in the EU can also be found in the Varonis whitepaper.