On March 1, Marissa Mayer, Yahoo!’s Chief Executive Office, gave up millions of dollars. As she noted in a blog post on Tumblr, “I am the CEO of the company [Yahoo!] and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant.” All in, Mayer gave up upwards of 2 million in cash bonuses and millions more in terms of stock options, yet she has done something truly remarkable.
By shedding some blood for the irreversible damage done to user data and trust, Mayer sent a clear message that she gets it. All of this is about much more than money. In sending this message, Mayer may have just established a new norm around how private companies—and particularly chief executive officers—should handle data breaches.
Private companies aim to maximize profits, which means picking the lowest cost, highest revenue road. Too often, this philosophy means that IT security issues are relegated far from the corporate boardroom to some distant and dark corner of the basement offices. The persistent difficulty here is that these rather negligible costs of paying for the fallout of data breaches are often far less than the price tag that is attached to employing state-of-the-art IT security measures, including proper personnel training, up-to-date software, firmware and hardware, and properly vetted third-party vendors.
In this environment, breaches can and will continue to take place because they are not seen for what they are – breaches of trust. The net result is that billions of users are left vulnerable to having their private information, personal financial data, and other sensitive details of their lives stolen and potentially broadcasted online.
However, the fallout from Yahoo!’s recent announcement of a breach affecting upwards of one billion people suggests that times might finally be changing for the better.
If this practice of holding Chief Executives to account can become the norm, we all become a little bit safer. But it will take quite a bit to turn Mayer’s behavior into an industry standard.
Seventy million people had their identities and personal information compromised when Target was breached in 2014. Target, for its part, got caught up in an ongoing class action lawsuit, paid the banks 39 million, and doled out to Visa some 67 million. Other expenses and those behind the scenes likely ranged higher still, but for companies that make billions, (Target generated 71.28 billion dollars in revenue in 2014.) a few million here and there is nothing.
What is more, in contrast to Mayer’s personal loses due to the Yahoo! breach, Target’s CEO at the time of the breach, Gregg Steinhafel, reportedly stood to gain some 55 million dollars in compensation at the time he left the company.
Mayer may have preferred Steinhafel’s route, but the Yahoo! breach is a near-perfect storm. The Yahoo! breaches, with one in 2013 affecting 500 million users and a separate breach affecting one billion users in 2014, involved many factors needed to put real pressure on an executive like Mayer, including scale and a pending sale.
When measured separately, the two Yahoo! breaches are the biggest that we have seen. Collectively, they surpass their nearest competitor. With scale comes notoriety and with notoriety comes public pressure.
Indeed, Yahoo! was set to be sold to Verizon for what was initially 4.83 billion dollars. But as a result of the bad press and inevitable lawsuits that follow the breaches, the sale price was dropped to 4.48 billion. A loss of 350 million dollars in potentially realized gains will get the spotlight put on any CEO.
For those whose details were compromise and for Mayer, too, the Yahoo! breaches were a very bad dream. But for the rest of us and for all of us over the longer term, the perfect storm of the Yahoo! breaches and the effect of holding to account the Yahoo! CEO could set a great precedent. Other future data breaches, and there will be many, will not have this same combination of scale and external business pressures, so the next breach and the next one after that are far less likely to grab the attention of C-Suite executives.
But perhaps Marissa Mayer’s example can become a precedent. Perhaps holding one CEO accountable will be enough to get the ball rolling down the hill. If it can, then we will all be a little bit safer.
About the Author: Eric Jardine is a fellow at the Centre for International Governance Innovation and assistant professor of political science at Virginia Polytechnic Institute and State University, in Blacksburg, Virginia. Most recently Eric co-authored Look Who’s Watching: Surveillance, Treachery and Trust Online with the director of CIGI’s Global Security & Politics Program, Fen Hampson.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.