Lessons from Cyber Breaches

By Gary R. Pannone | July 6, 2018 | Cybersecurity

Ten years ago, the mention of a cybersecurity breach was a rarity. Today, reports of breach incidents are almost commonplace. Every time a breach occurs in a business, the potential for significant harm and financial loss is mind-numbing. In addition, when the victim of a breach is a business, the owner is often held liable, especially if it is determined that the business owner did not take appropriate preventive steps to protect customer data. There are at least three high-profile cybersecurity breaches in recent memory that offer lessons for those struggling with cybersecurity issues.

In 2017 we learned of the Equifax breach, which stands out for several reasons:

  • First—while not the largest breach in history, it affected the Social Security information of more individual Americans than any other breach, compromising data for potentially half the population.
  • Second—the breach was against an agency focused specifically on safeguarding its customers’ personal information.
  • Third—the news continues to get worse. The latest reports from Business Insider indicate that the reported number of victims has risen from 143 million to 146.6 million, and more than 56,000 victims had specifically sensitive documents leaked—like driver’s license numbers and passport information.

From a personal standpoint, the Equifax leak reminded all Americans of the importance of protecting credit information, prompting millions to freeze their credit. From a business standpoint, it reminds us that no company doing business online is completely immune to hacking, and that businesses must be ever diligent in monitoring and guarding the personal information of others.

Another massive breach offering “teaching moments” happened to Uber, the world’s dominant on-demand rideshare taxi service, in 2016. Hackers broke into Uber’s servers and stole the personal information of 57 million users and 600,000 drivers. To make matters worse, the company attempted to cover up the breach by paying $100,000 in ransom money to the hackers, as reported by the New York Times. In addition, the hackers were able to lift the data from the company’s GitHub account, a development platform that should never have been used to store people’s personal information. Uber didn’t admit the breach for almost a year.

The Uber fiasco serves as a case study in what not to do for businesses entrusted with people’s personal information. First, keep the information in a safe place; and second, if the data is compromised, don’t try to cover it up.

Easily one of the largest data breach events in history, if not the largest, is the Yahoo incident, which actually involved two separate hacks by different agencies (reportedly state-sponsored) in 2013 and 2014. Yahoo did not admit the incidents for several years. The initial report said 500 million users had been affected by the 2014 hack—already setting a record for its time. Later, the company revealed that an earlier breach had compromised the information of 1 billion users. By October 2017, Yahoo admitted the first breach had affected its entire user base—more than 3 billion people.

Since that time, Yahoo’s value has dropped considerably; once valued at more than $100 billion, the Internet part of the business was sold to Verizon for just under $4.5 billion. In April 2018, according to The Verge, the SEC fined Yahoo $35 million for the breach. Not only can a cybersecurity breach damage your customers—if you don’t manage the breach correctly, it can do serious damage to the value of your company, as well.


Disclaimer: This blog post is for informational purposes only. This blog is not legal advice and you should not use or rely on it as such. By reading this blog or our website, no attorney-client relationship is created. We do not provide legal advice to anyone except clients of the firm who have formally engaged us in writing to do so. This blog post may be considered attorney advertising in certain jurisdictions. The jurisdictions in which we practice license lawyers in the general practice of law, but do not license or certify any lawyer as an expert or specialist in any field of practice.

Gary R. Pannone is the Managing Principal of Pannone Lopes Devereaux & O'Gara LLC and has been representing closely held business owners for thirty years. He is an experienced business lawyer specializing in the areas of business formations, corporate restructuring, mergers, acquisitions and corporate compliance. His practice includes the representation of nonprofit organizations with respect to consolidations, mergers and acquisitions. In addition to his role as Managing Principal of the firm, Attorney Pannone serves as the team leader for the Health Care Law, Corporate & Business Law and Nonprofit Organizations teams.

Attorney Pannone serves on several boards and governance committees of nonprofit organizations. He is a former Town Solicitor and has served as special counsel to several municipalities. He is also a frequent lecturer and author in the areas of health care law, corporate compliance, board governance and best practices.

Prior to the founding of Pannone Lopes Devereaux & O'Gara LLC, Attorney Pannone served as the managing partner of the Providence office of Holland & Knight LLP. He is a prominent member of the legal community, and was honored by his peers and judges with the AV Preeminent rating from Martindale Hubbell, which is the highest rating based on both legal ability and ethics. He has also been recognized by his peers as a leading lawyer in the areas of business law and corporate compliance by The Best Lawyers in America, Chambers USA, Super Lawyers and Corporate Counsel. For several years, including 2017 and 2018, Attorney Pannone was named Rhode Island's Lawyer of the Year by Best Lawyers in his practice areas. He is a Fellow of the American Bar Foundation, the nation's leading research institute for the study of law.

Attorney Pannone received his J.D. from Suffolk Law School after earning his undergraduate degree in Finance and Accounting from the University Of Notre Dame. He is admitted to practice law in Rhode Island and the U.S. District Court for the District of Rhode Island.

To contact Attorney Pannone, call 401-824-5100 or email gpannone@pldolaw.com.
